New research has uncovered two new techniques that allow hackers to exfiltrate files from Sharepoint without triggering download events.
A report from Varonis Threat Labs found the techniques used allow threat actors to avoid detection by hiding the download of exfiltrated files as more inconspicuous access and synchronization events.
By using this method, the threat actors can dodge the traditional cloud access security and data loss prevention tools that would otherwise detect the intrusion.
Two ways to escape
The first technique, described by Varonis as the ‘Open in App Method’, takes advantage of code used in the ‘open in app’ feature of Sharepoint, allowing the threat actor to access and download files via Sharepoint either through a Powershell script or manually, leaving just a single trace of evidence behind - the access event in the file’s audit log.
The second method, described as ‘SkyDriveSync User-Agent’, mislabeled file events as synchronisations rather than downloads by abusing the User-Agent for Microsoft SkyDriveSync, allowing the threat actor to hide almost completely from policy enforcement, audit logs, and detection.
Both methods allow threat actors to extract huge volumes of data very quickly, and while no patch has been made available for these vulnerabilities by Microsoft, Varonis Threat Labs recommends that access events be monitored closely across both SharePoint and OneDrive.
Microsoft recently released a vulnerability patch that addressed 149 security flaws, two of which were critical zero-day vulnerabilities.
