Attackers Work Hard to Engineer Trust; SharePoint, OneDrive Accounts at Risk

A pair of reports released this month underscore just how successful phishing is and the lengths to which adversaries will go to con victims.

In the first report, Trend Micro said it blocked more than 33.6 million cloud-based email threats last year, including a 138% uptick in phishing emails (16.5 million in 2021). In the second, the Proofpoint 2022 Social Engineering Report found that attackers are investing a lot of time and care into winning the trust of potential victims: holding extended conversations, expanding the use of tactics that have proven effective, such as abusing the services of trusted companies, and bringing orthogonal technologies like the telephone into the attack chain.

Attackers also research and use existing conversation threads between colleagues and leverage relevant themes—topical, timely and social—to gain trust, the report found.

“Phishing is up because phishing works. The point is to get some mechanism to execute and stay resident on the victim’s device,” said Garret Grajek, CEO of YouAttest. “Once the persistency is made, the kill chain starts with lateral movement and privilege escalation.”

Because attackers have traditionally aimed ransomware at data across endpoints or network drives, defenders previously believed that cloud drives were better protected against ransomware, but that is changing, Proofpoint noted in a blog post.

According to the security firm, ransomware attackers can exploit a “potentially dangerous” functionality in Microsoft 365 and Office 365 to encrypt files stored on SharePoint and OneDrive and render them unrecoverable without dedicated backups or a decryption key from the attacker. Proofpoint focused its research on SharePoint Online and OneDrive within those two suites.

In the post, researchers detailed how threat actors used Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts to automate a number of illicit actions in the attack chain:

  1. Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
  2. Account Takeover and Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account, as well).
  3. Collection & Exfiltration: Reduce the versioning limit of files to a low number, such as one (1), to keep it easy. Encrypt the file more times than the versioning limit. With the example limit of one, encrypt the file twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.
  4. Monetization: Now, all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.

Researchers noted that attackers can abuse the versioning mechanism—either by “creating too many versions of a file or reducing the version limits of the document library.” While they say that encrypting files more than 500 times “is unlikely to be seen in the wild”—because it requires so much scripting and machine resources and makes an operation easier to spot—reducing document library versioning is an easier ‘get.’

The report pointed out that the three most common paths to one or more users’ SharePoint Online or OneDrive accounts are account compromise, third-party OAuth applications and hijacked sessions.

The key to thwarting such efforts “is to assume that users will be users and click on nefarious objects—so what are the enterprise defenses?” said Grajek. “Zero-trust networks are the rage because they can isolate attacks, but also strong identity governance, e.g. limiting what each user can access—the principle of least-privilege: NIST PR.AC-6—is also key in a secure digital environment.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
