Recently, Varonis Threat Labs uncovered two novel techniques that allow threat actors to sidestep SharePoint security controls, evading detection while exfiltrating files.
In this blog, we delve into these techniques and explore their implications for organizations relying on SharePoint for collaboration and document management.
The Techniques
1. Open in App Method
The first technique leverages the “open in app” feature in SharePoint. Here’s how it works:
Objective: Access and download files while leaving minimal traces in the audit log.
Execution:
- Users manually open files in the SharePoint app, triggering an “access event” in the audit log.
- Alternatively, threat actors can automate this process using a PowerShell script.
Advantages:
- Rapid exfiltration of multiple files.
- Masks the actual download: only a less suspicious access event is recorded.
2. SkyDriveSync User-Agent
The second technique exploits the User-Agent associated with Microsoft SkyDriveSync. Here’s how it operates:
Objective: Download files (or entire sites) while mislabeling events as file syncs instead of downloads.
Execution:
- Threat actors manipulate the User-Agent header to mimic SkyDriveSync behavior.
- SharePoint logs these events as file syncs, which are less likely to raise suspicion.
Advantages:
- Conceals exfiltration activity from audit logs.
- Bypasses detection mechanisms that focus on download events.
Implications and Mitigation
These techniques pose significant challenges for organizations relying on SharePoint for collaboration and data management. Here are some considerations:
1. Audit Log Monitoring: Organizations must enhance their audit log monitoring capabilities to detect anomalies related to access events and file syncs. Regular review of audit logs can help identify suspicious patterns.
2. User Training: Educate users about the risks associated with the “open in app” feature and the importance of adhering to security policies. Limit access to this feature where possible.
3. User-Agent Analysis: Security teams should closely analyze User-Agent headers to differentiate legitimate file syncs from potential exfiltration attempts. Anomalies in User-Agent strings may indicate malicious activity.
4. Behavioral Analytics: Implement behavioral analytics to identify abnormal user behavior. Unusual download patterns or frequent use of the “open in app” feature should trigger alerts.
5. Policy Enforcement: Consider adjusting security policies to account for these techniques. For example, enforce stricter controls on file sync events or limit access to certain SharePoint features.
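As an added detection example (not Varonis's code and not part of the original post), the following Python script applies the audit log monitoring and User-Agent analysis points above to a constructed set of records shaped like Microsoft 365 unified audit log exports; the field names, user names, paths, User-Agent strings and thresholds are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime
# Constructed sample records shaped like Microsoft 365 unified audit log exports
# (JSON lines); users, paths and User-Agent strings are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2024-04-10T09:00:00","UserId":"alice@example.com","Operation":"FileAccessed","UserAgent":"Mozilla/5.0","ObjectId":"/sites/fin/budget.xlsx"}
{"CreationTime":"2024-04-10T09:00:03","UserId":"alice@example.com","Operation":"FileAccessed","UserAgent":"Mozilla/5.0","ObjectId":"/sites/fin/forecast.xlsx"}
{"CreationTime":"2024-04-10T09:00:05","UserId":"alice@example.com","Operation":"FileAccessed","UserAgent":"Mozilla/5.0","ObjectId":"/sites/fin/payroll.xlsx"}
{"CreationTime":"2024-04-10T10:15:00","UserId":"bob@example.com","Operation":"FileSyncDownloadedFull","UserAgent":"Mozilla/5.0 SkyDriveSync","ObjectId":"/sites/hr/a.docx"}
{"CreationTime":"2024-04-10T10:15:01","UserId":"bob@example.com","Operation":"FileSyncDownloadedFull","UserAgent":"Mozilla/5.0 SkyDriveSync","ObjectId":"/sites/hr/b.docx"}
{"CreationTime":"2024-04-10T10:15:02","UserId":"bob@example.com","Operation":"FileSyncDownloadedFull","UserAgent":"Mozilla/5.0 SkyDriveSync","ObjectId":"/sites/hr/c.docx"}
{"CreationTime":"2024-04-10T11:00:00","UserId":"carol@example.com","Operation":"FileDownloaded","UserAgent":"Mozilla/5.0","ObjectId":"/sites/fin/notes.docx"}
"""

def parse_audit_log(text):
    """Parse a JSON-lines audit export and sort it by event time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["CreationTime"])
    return sorted(records, key=lambda r: r["ts"])

def burst_users(records, predicate, window_seconds, threshold):
    """Map user -> most matching events seen inside any sliding time window."""
    per_user = defaultdict(list)
    for rec in records:
        if predicate(rec):
            per_user[rec["UserId"]].append(rec["ts"])
    flagged = {}
    for user, times in per_user.items():  # already in time order
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged

def detect_sharepoint_evasion(records, window_seconds=60, threshold=3):
    """Return (rule, user, count) alerts for the two evasion patterns above."""
    # Rule 1: scripted "open in app" retrieval leaves only a burst of FileAccessed events.
    opened = burst_users(records, lambda r: r["Operation"] == "FileAccessed",
                         window_seconds, threshold)
    # Rule 2: a bulk download mislabelled as a sync is a burst of FileSync* ops with a SkyDriveSync UA.
    synced = burst_users(records, lambda r: r["Operation"].startswith("FileSync")
                         and "SkyDriveSync" in r.get("UserAgent", ""),
                         window_seconds, threshold)
    return ([("open_in_app_burst", u, n) for u, n in opened.items()]
            + [("skydrivesync_burst", u, n) for u, n in synced.items()])
```

Legitimate OneDrive clients also sync in bursts, so in production the thresholds need a per-user or per-site baseline; the User-Agent check only narrows the candidate events rather than proving intent.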
Reminder for businesses
Security is a continuous journey, and staying informed is the first step toward effective risk mitigation. By understanding these SharePoint evasion techniques, organizations can better protect their sensitive data and maintain the integrity of their collaboration platforms.