Proofpoint warns of "dangerous" Microsoft 365 function


By Dylan Bushell-Embling
Thursday, 23 June, 2022

Proofpoint has discovered what it is calling a “potentially dangerous” functionality within Microsoft 365 and Office 365 that could allow the spread of the ransomware threat to cloud drives.

The functionality allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker, Proofpoint said in a blog post.

It works by exploiting the document library versioning mechanism within SharePoint Online and OneDrive. The version limit is a user-configurable setting that does not need an administrator role. Once this limit is reduced, new changes to a file result in its older versions becoming very hard to restore, according to the post.

Attackers need only reduce this limit to 1 and then edit each file twice, either by encrypting the file twice or through a combination of encryption, major content changes and file metadata changes. Organisations will then be unable to restore the original versions of the files without the decryption key from the attacker.

Proofpoint warned that this attack method can be automated using Microsoft APIs, command line interface scripts and PowerShell scripts.
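
The sequence described above, a lowered version limit followed by repeated edits to the same files, can be looked for in activity logs. The Python below is an added example, not code from Proofpoint or Microsoft. The event schema, field names and sample events are constructed for illustration, and the "more edits than the new limit" threshold is an assumption generalised from the limit-of-1, two-edit case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, user, library, action, **extra):
    return {"time": datetime.fromisoformat(time), "user": user,
            "library": library, "action": action, **extra}

# Constructed sample events in a hypothetical normalized schema
# (not Microsoft's audit log format).
EVENTS = [
    _ev("2022-06-20T09:00:00", "alice", "Finance", "version_limit_changed", old=500, new=1),
    _ev("2022-06-20T09:01:00", "alice", "Finance", "file_modified", file="q1.xlsx"),
    _ev("2022-06-20T09:02:00", "alice", "Finance", "file_modified", file="q1.xlsx"),
    _ev("2022-06-20T09:03:00", "alice", "Finance", "file_modified", file="q2.docx"),
    _ev("2022-06-20T09:04:00", "alice", "Finance", "file_modified", file="q2.docx"),
    _ev("2022-06-20T09:05:00", "alice", "Finance", "file_modified", file="notes.txt"),
    _ev("2022-06-20T10:00:00", "bob", "HR", "version_limit_changed", old=100, new=50),
    _ev("2022-06-20T10:05:00", "bob", "HR", "file_modified", file="policy.docx"),
]

def find_version_history_loss(events, window=timedelta(hours=1), min_files=2):
    """Return alerts for libraries whose version limit was lowered and where,
    within `window`, at least `min_files` files were each modified more times
    than the new limit (assumed threshold; limit 1 -> two edits, as on the page)."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "version_limit_changed" or ev["new"] >= ev["old"]:
            continue  # only reductions of the limit are of interest
        edits = defaultdict(int)
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break  # events are time-sorted, nothing further can match
            if later["library"] == ev["library"] and later["action"] == "file_modified":
                edits[later["file"]] += 1
        # Files edited more often than the new limit have lost their prior versions.
        affected = sorted(f for f, n in edits.items() if n > ev["new"])
        if len(affected) >= min_files:
            alerts.append({"library": ev["library"], "changed_by": ev["user"],
                           "new_limit": ev["new"], "files": affected})
    return alerts

if __name__ == "__main__":
    for alert in find_version_history_loss(EVENTS):
        print(alert)
```
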

The company said it has disclosed the method to Microsoft, and received responses claiming that the configuration functionality for versioning settings within lists is working as intended, and that older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support.

But attempts to retrieve and restore old versions through Microsoft Support were not successful, the researchers said.
