Skip to main content

(Ransom)Where are Microsoft 365 users now vulnerable?

Who said Cloud environments are immune to Ransomware attacks?

August 3, 2022

By Rodman Ramezanian - Enterprise Cloud Security Advisor

A common misconception among enterprises and their users leads the belief that cloud environments are immune to threats of ransomware. However, in a recent discovery made by Proofpoint researchers, malicious actors can instigate ransomware attacks by exploiting Microsoft 365 file version backups – made available thanks to the platform’s native file “auto-save” feature.

In simple terms, a cybercriminal can encrypt all known versions of a file, even those backed up, in a way that makes them irreparable without dedicated backups or a decryption key from the attacker.

Figure 1. Number of Malware found in SaaS Applications, incl. MS Teams

Unfortunately, this isn’t the first time that ransomware has crossed the line into the world of Microsoft 365. Drawing back 6 years ago now, the Cerber ransomware strain had set its sights on Microsoft 365 and managed to expose millions of users with a novel zero-day attack that had the ability to circumvent native Microsoft 365 security.

How, you ask? Using similar techniques still in use today: phishing emails with malicious file attachments, tricking users into allowing macro content, weaponizing third-party applications, and various other methods.

As cloud services accumulate vast numbers of users in a single ecosystem, they become prime targets for cyber criminals. Just imagine the damage a well-designed ransomware attack can inflict on a large segment of enterprises that all use Microsoft 365 services. In 2020, as we saw in the first successful attacks on SolarWinds and Microsoft, the economic impacts have the potential to be devastating.

How did these breaches occur?

Cloud services and applications are more mission-critical for businesses than ever before. It’s no wonder then why criminal actors continue to place cloud platforms like Microsoft 365 in their crosshairs, knowing victims will be far more inclined to pay the ransoms. The attack vectors here involve exploitation of native Microsoft 365 features for cloud backups. Threats that “live off the land” using built-in tools and parameters are typically more challenging to mitigate, since they can be abused more easily and are harder to detect and prevent.

What can be done?

A combination of best practices can help significantly reduce the impact of attacks like these, especially when the initial attack vector here still involves the compromising of an Microsoft 365 account by takeover.

Basic measures like forcing Step-Up and Multi-Factor Authentication (MFA), enforcing strong password standards, maintaining strict identity access controls, and continuing investment into employee awareness training programs should not be overlooked.

Figure 2. Skyhigh Security: Anomaly Categories for Detected Behaviors

Outright preventing such risks will always be challenging for the reasons mentioned above. For that reason, set triggers and anomaly parameters to detect suspicious outliers and activities that may be potentially threatening, such as abnormal administrative actions or data access requests that may be the warning signals for tampering of version backup limits and AutoSave configurations.

Many third-party applications connect to SaaS platforms (like Microsoft 365 in this case) via OAuth tokens. Unlike new users logging into an environment, OAuth tokens don’t need to authenticate via an identity provider after their initial grant. Once the app has access to Microsoft 365 and its data via OAuth, it maintains that access indefinitely until access is revoked. For this reason, make sure you revoke tokens and access to suspicious apps reaching back into your Microsoft 365 tenancy.

Organizations should always plan for the worst by adopting an “assume breach” mindset. Thus, in times like these, offline backups are never a bad idea in addition to tried-and-tested BC/DR recovery procedures.

Figure 3. Skyhigh Security: Revoke Access of Connected Apps


Use Skyhigh Security?

Rodman Ramezanian

About the Author

Rodman Ramezanian

Enterprise Cloud Security Advisor

With over 11 years’ worth of extensive cybersecurity industry experience, Rodman Ramezanian is an Enterprise Cloud Security Advisor, responsible for Technical Advisory, Enablement, Solution Design and Architecture at Skyhigh Security. In this role, Rodman primarily focuses on Australian Federal Government, Defense, and Enterprise organizations.

Rodman specializes in the areas of Adversarial Threat Intelligence, Cyber Crime, Data Protection, and Cloud Security. He is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor – currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.

Candidly, Rodman has a strong passion for articulating complex matters in simple terms, helping the average person and new security professionals understand the what, why, and how of cybersecurity.

Attack Highlights

  • First steps in cloud ransomware attacks tend to involve common tactics such as phishing campaigns, brute-force attacks, and/or malicious third-party applications taking advantage of OAuth tokens integrating with Microsoft OneDrive/SharePoint
  • Once an Microsoft 365 account has been infiltrated, user files can be discovered across the platform
  • Attackers begin to abuse native “AutoSave” and “Version Control” features that create cloud backups of older file versions (intended to help users recover older copies of edited files)
  • By reducing the document library version limit number to a lower digit, the attacker only needs to very slightly edit and then encrypt the file(s) more than that version limit in order to render the file inaccessible
  • In absence of external backups, victims must then pay ransom