Threat Awareness – Microsoft 365 AutoSave Features Can be Exploited to Encrypt Files

Security researchers have uncovered a potential new ransomware-related threat to Office 365 account users. In this case, adversaries could utilize compromised Office 365 accounts to encrypt files stored in SharePoint and OneDrive cloud services. The attack relies on manipulating the “AutoSave” feature which creates cloud backups of older file types when users make edits. To conduct this attack threat actors need only to compromise an employee’s Office 365 account, usually done via phishing or malicious OAuth apps. This attack-type does not require administrative privileges and can be conducted from any compromised employee account.

Adversaries can then use Microsoft APIs and PowerShell scripts to automate malicious activity on large document lists. To encrypt the files, attackers reduce the version numbering limit and encrypt all files more than that limit. According to BleepingComputer, “With a file version limit set to “1,” when the attacker encrypts or edits the file twice, the original document will no longer be available through OneDrive and cannot be restored.” Once the documents are encrypted, the threat actor can request a ransom from the victim in order to restore their files. Read more at BleepingComputer.