New covert SharePoint data exfiltration techniques revealed

Varonis Threat Labs researchers have uncovered two techniques attackers can use for covert data and file exfiltration from companies’ SharePoint servers.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” they noted.

The techniques, and why they may work

Microsoft SharePoint is used by organizations to facilitate employee collaboration, simplify document/content management and storage, set up an intranet portal through which enterprise information and apps can be accessed, and more.

The two techniques can be leveraged by a threat actor who has compromised an employee’s account or by a malicious insider.

Attackers can covertly exfiltrate data in one of two ways:

  • By using the “Open in Desktop App” feature in SharePoint to access and save a local copy of files or by accessing them directly via a specific link
  • By downloading files from SharePoint but changing the browser’s User-Agent to Microsoft SkyDriveSync

“By combining PowerShell with SharePoint client object model (CSOM), threat actors can write a script that fetches the file from the cloud and saves it to the local computer without leaving a download log footprint. This script can be extended to map an entire SharePoint site and, using automation, download all the files to the local machine,” the researchers noted.

“By altering the browser’s User-Agent, it’s possible to download files via conventional methods, like the GUI or Microsoft Graph API,” they explained, and added that these actions can also be automated via a PowerShell script.

In both cases, the actions are not recorded in “file download” logs but only in “file access” and/or “file sync” logs, and are unlikely to trigger detection rules, which usually focus on download logs.

Data exfiltration detection advice (until a fix is released)

The researchers shared their findings with Microsoft in November 2023, and the company said it will fix the vulnerabilities – but not immediately, as it considers them to be only moderately severe.

“A potential fix could be adding a new log indicating that the file has been opened in the app. This, coupled with a bit of behavioral analysis, could help indicate if files are being exfiltrated,” Varonis Threat Labs Security Research Team leader Eric Saraga told Help Net Security.

In the meantime, organizations should keep a closer eye on access logs and incorporate sync events into new detection rules, which should be triggered by unusual behaviors (greater volume, unusual devices, new geolocation, etc.).
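One way to turn this advice into a detection rule, as an added example that is not Varonis's or Microsoft's code: it scans constructed SharePoint audit records whose field names follow the Office 365 unified audit log (Operation, UserId, ClientIP, UserAgent, ObjectId) and alerts on a high volume of access/sync events or on activity from a client IP the user has not been seen on before. The known-IP list, the threshold and the sample records are assumptions.

```python
"""Detection sketch: treat SharePoint 'file access' and 'file sync' audit
events with the same suspicion as downloads, since the techniques above
produce those events instead of FileDownloaded. Field names follow the
Office 365 unified audit log schema; records and baselines are constructed.
"""
from collections import defaultdict

# Operations that move content off SharePoint without a FileDownloaded event.
EXFIL_OPS = {"FileAccessed", "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}

# Per-user baseline of client IPs seen in normal use (assumed to be learned
# from history or an asset inventory; constructed here).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
}

VOLUME_THRESHOLD = 25  # distinct files per user per window; tune per tenant


def detect(records, known_ips=KNOWN_IPS, threshold=VOLUME_THRESHOLD):
    """Return sorted (user, reason) alerts for records in one time window."""
    files_per_user = defaultdict(set)
    alerts = set()
    for rec in records:
        if rec["Operation"] not in EXFIL_OPS:
            continue  # ordinary downloads are already covered by existing rules
        user = rec["UserId"]
        files_per_user[user].add(rec["ObjectId"])
        if rec["ClientIP"] not in known_ips.get(user, set()):
            alerts.add((user, f"access/sync from unknown IP {rec['ClientIP']}"))
    for user, objs in files_per_user.items():
        if len(objs) > threshold:
            alerts.add((user, f"{len(objs)} distinct files accessed/synced in window"))
    return sorted(alerts)


# Constructed sample: alice reads 3 files normally; bob pulls 30 files via
# sync-style events from an IP never seen for him, with a sync-client UA.
SAMPLE_RECORDS = [
    {"Operation": "FileAccessed", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "UserAgent": "Mozilla/5.0",
     "ObjectId": f"https://contoso.sharepoint.com/sites/hr/doc{i}.docx"}
    for i in range(3)
] + [
    {"Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync",
     "ObjectId": f"https://contoso.sharepoint.com/sites/finance/q{i}.xlsx"}
    for i in range(30)
]

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_RECORDS):
        print(f"ALERT {user}: {reason}")
```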

UPDATE (April 10, 2024, 12:40 p.m. ET):

Varonis updated its research to say that “on April 10, 2024, Microsoft closed out the ticket for the SharePoint method as ‘by design’ and believes that customers do not need to take action. This functionality will remain in SharePoint deployments until further notice.”
