Proofpoint security researchers have discovered a way to exploit Microsoft cloud storage file version limits that could allow ransomware to encrypt OneDrive and SharePoint files and render them unrecoverable.
Ransomware attacks involve attackers locking users out of their own files by encrypting them.
The attackers then extort money from victims with the promise that they will provide the decryption keys.
Proofpoint described the Microsoft 365 attack chain as follows.
First, attackers must gain access to either SharePoint Online or OneDrive accounts.
They can obtain user credentials through phishing or brute-force attacks, trick users into consenting to malicious third-party OAuth applications, or hijack web sessions.
After an attacker has taken over an account, they can reduce the versioning limit of files to a low number.
To exploit the rules surrounding versioning limits, attackers encrypt the file more times than the new limit allows, so that every unencrypted version is pushed out of the version history and the original file is deleted.
For example, if a malicious actor reduces a file’s versioning limit to one and then creates two encrypted versions, the original version will get deleted and cannot be restored.
Malicious actors can automate the attack chain after compromising an account using a combination of Microsoft APIs, command-line interface scripts, and PowerShell scripts.
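The defender-side consequence of the mechanics above is that the danger signal is the combination of two events: a library's versioning limit being lowered, followed by more modifications to a file than that limit permits. The following Python is an added example (not Proofpoint's or Microsoft's code) that replays constructed audit-style events and flags files for which no pre-change version can survive. The event format, the operation names `VersioningLimitChanged` and `FileModified`, and the sample events are assumptions made for this example, not the real Microsoft 365 audit log schema.

```python
"""
Added example: detect the "lower the versioning limit, then overwrite past it"
pattern in a stream of audit-style events. The schema and sample data below are
constructed for illustration; field and operation names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime   # event time
    op: str        # "VersioningLimitChanged" or "FileModified" (assumed names)
    library: str   # document library the event applies to
    actor: str     # account that performed the action
    detail: str    # new limit for limit changes, file path for modifications


def parse_events(lines):
    """Parse 'ISO-time|op|library|actor|detail' lines (constructed format)."""
    events = []
    for line in lines:
        ts, op, library, actor, detail = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), op, library, actor, detail))
    return sorted(events, key=lambda e: e.ts)


def find_unrecoverable(events, min_safe_limit=10, window=timedelta(hours=24)):
    """
    Return {library: {"actor": who lowered the limit, "files": [...]}} for files
    modified more times than the lowered limit within `window` of the change.
    With a limit of L, the (L+1)-th write evicts the oldest stored version, so
    once the post-change write count exceeds L no pre-change version remains.
    """
    lowered = {}                                    # library -> (time, limit, actor)
    writes = defaultdict(lambda: defaultdict(int))  # library -> file -> write count
    for e in events:
        if e.op == "VersioningLimitChanged":
            new_limit = int(e.detail)
            if new_limit < min_safe_limit:
                lowered[e.library] = (e.ts, new_limit, e.actor)
                writes[e.library].clear()   # only writes after the change matter
        elif e.op == "FileModified" and e.library in lowered:
            t0, _, _ = lowered[e.library]
            if t0 <= e.ts <= t0 + window:
                writes[e.library][e.detail] += 1
    findings = {}
    for lib, (_, limit, actor) in lowered.items():
        hit = sorted(f for f, n in writes[lib].items() if n > limit)
        if hit:
            findings[lib] = {"actor": actor, "files": hit}
    return findings


# Constructed sample events: one library has its limit dropped to 1 and a file
# is then overwritten twice; another library keeps a sane limit.
SAMPLE = [
    "2024-01-01T09:00:00|FileModified|Finance|alice|Q1-budget.xlsx",
    "2024-01-01T10:00:00|VersioningLimitChanged|Finance|alice|1",
    "2024-01-01T10:01:00|FileModified|Finance|alice|Q1-budget.xlsx",
    "2024-01-01T10:01:05|FileModified|Finance|alice|Q1-budget.xlsx",
    "2024-01-01T10:02:00|FileModified|Finance|alice|notes.docx",
    "2024-01-03T10:00:00|FileModified|Finance|alice|notes.docx",  # outside window
    "2024-01-01T12:00:00|VersioningLimitChanged|HR|bob|500",
    "2024-01-01T12:05:00|FileModified|HR|bob|policy.docx",
]

if __name__ == "__main__":
    for lib, info in find_unrecoverable(parse_events(SAMPLE)).items():
        print(f"{lib}: limit lowered by {info['actor']}, at-risk files {info['files']}")
```

The `min_safe_limit` threshold is the policy knob: any reduction below it is treated as suspicious on its own, and the write count then tells you which files have already lost every pre-change version. The same logic can be adapted to real audit exports once the operation names for your tenant's logs are confirmed.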
Microsoft told Proofpoint that older versions of files can still be recovered and restored within 14 days after an attack with Microsoft Support’s help.
However, Proofpoint tested this claim and found that recovering encrypted files this way did not work.
Proofpoint encouraged users to adopt mitigations that reduce the risk of falling victim to such ransomware attacks.
These include using strong passwords, multi-factor authentication, and regular file backups to external storage.