Office 365 Vulnerability Allows Attackers to Encrypt Files

Proofpoint announced that it has discovered a vulnerability in Office 365 that allows attackers to encrypt files stored on SharePoint and OneDrive.

Proofpoint has also identified the attack chain as initial access, account takeover and discovery, collection and exfiltration, and monetization. Of the attack, Proofpoint said: “Once executed, the attack encrypts the files in the compromised users’ accounts. Like with endpoint ransomware activity, those files can only be retrieved with decryption keys.”

If an attacker gains access to the victim’s cloud, he has two options: limiting the number of autosaves to one, or using the autosave feature 500 times after reaching the limit. At that point, the researchers explain, it is unlikely that an attacker would encrypt more than 500 files. Such an operation requires a lot of scripting work and a lot of computer resources, while significantly increasing the risk of detection.

Whichever option the attacker chooses, if the attacker encrypts the files until the saves work, then the victim has only two options: use backups physically isolated from the infrastructure or pay the attacker for a decryption key.
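Both options described above leave a trace a defender can look for: a save limit dropped to one, or one account saving the same file 500 times in a short span. The following is an added detection sketch, not code from Proofpoint or Microsoft; the event field names, the sample events and the one-hour window are assumptions made for illustration.

```python
from collections import defaultdict, deque


def ev(ts, op, user, target, new_limit=None):
    # Hypothetical event shape; this is not a real Microsoft 365 audit schema.
    return {"ts": ts, "op": op, "user": user, "target": target, "new_limit": new_limit}


# Constructed sample events (timestamps in seconds), deliberately unsorted.
SAMPLE_EVENTS = (
    [ev(10, "limit_changed", "alice", "/sites/hr/Docs", 100),
     ev(20, "limit_changed", "mallory", "/sites/fin/Docs", 1),
     ev(25, "file_saved", "mallory", "/sites/fin/Docs/q3.xlsx"),
     ev(26, "file_saved", "mallory", "/sites/fin/Docs/q3.xlsx")]
    # 501 saves of one file, one second apart: a burst worth flagging.
    + [ev(1000 + i, "file_saved", "eve", "/sites/ops/Docs/plan.docx") for i in range(501)]
    # 600 saves of one file, one per day: ordinary long-lived editing.
    + [ev(86400 * i, "file_saved", "bob", "/sites/eng/Docs/spec.docx") for i in range(600)]
)


def find_suspicious(events, low_limit=1, save_ceiling=500, window=3600):
    """Return sorted (reason, user, target) findings.

    limit_lowered: the save limit was set to low_limit or below.
    save_flood:    one user saved one file save_ceiling times within `window` seconds.
    """
    findings = set()
    recent = defaultdict(deque)  # (user, target) -> timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["target"])
        if e["op"] == "limit_changed" and e["new_limit"] <= low_limit:
            findings.add(("limit_lowered",) + key)
        elif e["op"] == "file_saved":
            q = recent[key]
            q.append(e["ts"])
            while q[0] <= e["ts"] - window:  # drop saves older than the window
                q.popleft()
            if len(q) >= save_ceiling:
                findings.add(("save_flood",) + key)
    return sorted(findings)


if __name__ == "__main__":
    for reason, user, target in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason:14} {user:8} {target}")
```

The sliding window is what separates the burst from a file that accumulates hundreds of saves over months of normal editing.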
