
SharePoint protocols are easily bypassed, leaving Microsoft behind • The Register

SharePoint users should be wary as the audit logs on the platform have proven to be relatively easy to bypass, meaning malicious actors could exfiltrate your data without informing your security team.

If you're hoping that Microsoft will respond quickly to fix the problem, don't. According to bug hunters at Varonis Threat Labs, who reported the matter to Redmond in November, this is a moderate security issue waiting in the “patch backlog program” to be fixed at the discretion of the Windows manufacturer.

“We are aware of this report and our customers are not required to take any action. We confirmed that the product was working as expected by detecting a file that was accessed and reporting it through the audit log,” a Microsoft spokesperson told The Register.

“Security products and vendors should use FileAccessed, FileDownloaded, and two potential sync-related signals, FileSyncDownloadedFull and FileSyncDownloadedPartial, to monitor file access.”

In short: you are on your own. So it's best to figure out how to work with the relatively poor state of SharePoint download logs.

“SharePoint download logs are unreliable and easy to bypass,” Varonis said, reporting it had found two new ways to do this. These trick the platform into logging SharePoint file downloads as access or file sync events. According to Varonis, both actions are file downloads, but are not logged as such.

The first method, which triggers a file access log entry rather than a download entry, involves opening SharePoint files in an app on a computer: this creates a local copy but is not recorded as a download on the SharePoint server. If an attacker writes a PowerShell script that combines this with the SharePoint client object model, the team suggests, they can download data to their heart's content.

“This script can be extended to map an entire SharePoint site and use automation to download all files to the local computer,” said the Varonis team. “While this method does not generate download logs, it does generate access logs that can be used to detect such activity.”

The second method, which generates file sync logs instead, is to abuse OneDrive to sync SharePoint files and replicate them to a local computer without recording a file download. The key to using this method without triggering a “FileSyncDownloadedFull” log entry – which would give the game away to a smart security team – is to change the user agent used to handle sync events.

“By modifying the browser user agent, it is possible to download files via traditional methods such as the GUI or the Microsoft Graph API and have them appear in logs as a sync event,” the Varonis team said. “This tactic is particularly effective when malicious file download detection is configured to ignore sync events.”

Varonis noted that both exploits rely on misconfigured SharePoint permissions, which is not reassuring given the prevalence of this issue in Microsoft's complicated app ecosystem. According to Varonis research [PDF], it is not uncommon for a tenth of a company's cloud data to be inadvertently made available to all employees, and therefore to anyone with malicious intent who manages to gain permissions as limited as those of a normal user.

Until Microsoft decides to fix the problem, Varonis recommends SharePoint users check their systems for large amounts of access or unusual audit logs that could indicate problems. When intruders use these exploits, traces still remain – you just need to know where to look. ®
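The detection Microsoft and Varonis point to above – watching FileAccessed and the two FileSync operations alongside FileDownloaded, and looking for bulk access or sync events that do not come from the real sync client – as an added example that is not part of the article or of Varonis's research. The audit records are constructed; their field names follow the Office 365 audit schema, and the `EXPECTED_SYNC_UA` marker is an assumption to be tuned to the user agents your tenant's genuine OneDrive clients actually report.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations Microsoft says defenders must monitor for file access.
WATCHED_OPS = {"FileAccessed", "FileDownloaded",
               "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
# Assumed substring presented by the real sync client; tune to your tenant.
EXPECTED_SYNC_UA = "OneDrive"

# Constructed audit records (field names follow the Office 365 audit schema).
SAMPLE_AUDIT = """
{"CreationTime": "2024-03-04T09:00:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:01:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:02:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:03:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:04:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:05:00", "Operation": "FileDownloaded", "UserId": "bob@example.com", "UserAgent": "Mozilla/5.0"}
{"CreationTime": "2024-03-04T09:06:00", "Operation": "FileSyncDownloadedFull", "UserId": "carol@example.com", "UserAgent": "Mozilla/5.0 Chrome/120"}
{"CreationTime": "2024-03-04T09:07:00", "Operation": "FileSyncDownloadedFull", "UserId": "dave@example.com", "UserAgent": "Microsoft OneDrive sync client"}
"""

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def find_bulk_access(records, window=timedelta(minutes=10), threshold=3):
    """Users with more than `threshold` watched events inside any sliding `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in WATCHED_OPS:
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 > threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def find_suspicious_sync(records):
    """Sync-download events whose user agent does not look like the sync client."""
    return [r for r in records if r["Operation"] in SYNC_OPS
            and EXPECTED_SYNC_UA not in r.get("UserAgent", "")]
```

On the constructed sample, alice's five FileAccessed events in ten minutes are flagged as bulk access, and carol's sync event from a browser user agent is flagged while dave's genuine sync is not.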