Chain of Attack
The attack chain begins when threat actors compromise the identities of Microsoft users and thereby gain access to their SharePoint Online or OneDrive accounts. Threat actors can use several methods to reach a user's SharePoint or OneDrive account:
- Bypassing account security: a user's cloud account credentials can be obtained through phishing, brute-force attacks, and other credential-theft techniques.
- Third-party OAuth applications: threat actors can persuade users to grant consent to a malicious third-party OAuth application, which gives the application access to the targeted SharePoint or OneDrive data.
- Hijacked session tokens: hijacking a user's web session, or obtaining an active API token for SharePoint Online/OneDrive, gives threat actors access to the targeted account.
Having obtained a user's OneDrive or SharePoint privileges and cloud data, threat actors next identify and enumerate the data they can reach in the Office 365 environment. The attack differs from traditional ransomware in its encryption phase: every file in SharePoint Online or OneDrive is encrypted more times than the versioning limit allows, so the older versions are purged. With this method, all original versions of the files stored in the cloud service are lost, and only encrypted versions of each file remain in the cloud account. At this point, the threat actors can demand a ransom from the targeted institution or organization.
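The following toy Python model is an added illustration, not part of the original advisory, of why the version limit decides what survives: the retention behaviour, file names, actor addresses and the `FileModified` event label are constructed assumptions, not the real Office 365 implementation or audit schema. Alongside the version-purge mechanic it includes a simple defender heuristic that flags an actor who rewrites an unusually large number of files.

```python
from collections import Counter, deque


class DocumentLibrary:
    """Toy model of a SharePoint Online / OneDrive document library that keeps only
    the newest `version_limit` versions of each file (a modelling assumption, not the
    real service). Every write is recorded in a constructed audit trail."""

    def __init__(self, version_limit):
        self.version_limit = version_limit
        self.files = {}    # file name -> deque of versions, oldest first
        self.audit = []    # constructed events: (actor, operation, file name)

    def write(self, actor, name, content):
        versions = self.files.setdefault(name, deque(maxlen=self.version_limit))
        versions.append(content)  # past the limit, the deque silently drops the oldest
        self.audit.append((actor, "FileModified", name))

    def versions(self, name):
        return list(self.files.get(name, []))


def simulate_encryption(lib, actor, passes):
    """Overwrite every file `passes` times with a ciphertext placeholder (no real crypto)."""
    for name in list(lib.files):
        for i in range(1, passes + 1):
            lib.write(actor, name, f"<ciphertext pass {i}>")


def recoverable_files(lib, originals):
    """Names of files whose retained version history still holds the original content."""
    return sorted(name for name, content in originals.items() if content in lib.versions(name))


def flag_mass_overwrite(audit, threshold):
    """Defender heuristic: actors with more FileModified events than `threshold`."""
    counts = Counter(actor for actor, op, _ in audit if op == "FileModified")
    return {actor: n for actor, n in counts.items() if n > threshold}


def run_scenario(version_limit, passes, threshold=3):
    """Seed two constructed files, run the simulated attack, report survivors and flags."""
    originals = {"budget.xlsx": "plaintext budget", "plan.docx": "plaintext plan"}
    lib = DocumentLibrary(version_limit)
    for name, content in originals.items():
        lib.write("alice@example.com", name, content)   # legitimate owner uploads
    simulate_encryption(lib, "attacker@example.com", passes)
    return recoverable_files(lib, originals), flag_mass_overwrite(lib.audit, threshold)
```

Originals survive only while the number of encryption passes stays below the version limit, which is why raising the limit alone is not a substitute for an independent backup.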
To avoid becoming the target of similar attacks, the following measures are recommended:
- Apply strong password policies when creating account login credentials.
- Enable multi-factor authentication (MFA) on every platform that supports it.
- Detect and remediate account compromises and abuse of third-party applications connected to the cloud services in use.
- Prevent large-scale or critical data downloads to unmanaged or unprotected devices.
- Keep multiple, separately stored backups of data so that it can be recovered after a possible ransomware attack.