A newly discovered “potentially dangerous” functionality in Office 365 could allow threat actors to encrypt files hosted in the cloud and render them unrecoverable without a dedicated backup solution or decryption key.
Cybersecurity researchers at Proofpoint claim that the “AutoSave” feature, which automatically saves documents being worked on in the cloud, could be abused.
AutoSave is a pretty self-explanatory tool. Periodically, documents being worked on are saved to the cloud. Authors, contributors, and file owners can later access these older versions, giving them a window of opportunity in the event of a ransomware attack.
Microsoft disagrees
However, if a threat actor gains access to the victim’s cloud (which happens all the time, through social engineering), they can do one of two things: limit the number of auto-saves to just one, or trigger the auto-save feature 500 times, which is the tool’s maximum.
The latter, however, is not as viable, Proofpoint claims: “Encrypting files more than 500 times is unlikely to be seen in the wild. It requires more scripts and more machine resources, while making its operation easier to detect,” reads the announcement.
Still, in both scenarios, the collaboration platform will stop making saves after that, and if the attacker encrypts the file at that moment, the victim will have no choice but to revert to an air-gapped backup or pay for a decryption key.
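Both paths described above, lowering the version limit or flooding a file with saves, leave traces a defender can look for in audit data. The following is an added example, not code from Proofpoint or Microsoft; the event names, field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOW_LIMIT = 5                          # assumed alert floor for a lowered version limit
BURST_WINDOW = timedelta(minutes=10)   # assumed window for counting saves
BURST_COUNT = 50                       # assumed saves per file per window worth review

def detect(events):
    """Return (reason, subject, actor) alerts for the two abuse patterns."""
    alerts, saves = [], defaultdict(list)   # saves: (file, actor) -> timestamps
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        alert = None
        if ev["op"] == "VersionLimitChanged":
            # Pattern 1: version history shrunk so older copies are discarded.
            if ev["new_limit"] < ev["old_limit"] and ev["new_limit"] <= LOW_LIMIT:
                alert = ("version_limit_lowered", ev["library"], ev["actor"])
        elif ev["op"] == "FileModified":
            key = (ev["file"], ev["actor"])
            # Keep only saves inside the sliding window, then add this one.
            saves[key] = [t for t in saves[key] if ts - t <= BURST_WINDOW] + [ts]
            # Pattern 2: rapid re-saves that push good versions out of history.
            if len(saves[key]) >= BURST_COUNT:
                alert = ("save_burst", ev["file"], ev["actor"])
        if alert and alert not in alerts:   # report each finding once
            alerts.append(alert)
    return alerts

def sample_events():
    """Constructed audit records; not real Microsoft 365 log output."""
    t0 = datetime(2022, 6, 20, 9, 0, 0)
    evs = [
        {"op": "VersionLimitChanged", "ts": (t0 - timedelta(hours=1)).isoformat(),
         "library": "HR", "actor": "admin@example.com", "old_limit": 100, "new_limit": 200},
        {"op": "VersionLimitChanged", "ts": t0.isoformat(),
         "library": "Finance Docs", "actor": "mallory@example.com", "old_limit": 500, "new_limit": 1},
    ]
    for i in range(60):   # 60 saves of one file, two seconds apart
        evs.append({"op": "FileModified", "file": "budget.xlsx", "actor": "mallory@example.com",
                    "ts": (t0 + timedelta(minutes=5, seconds=2 * i)).isoformat()})
    for h in (0, 2, 4):   # ordinary editing spread over hours
        evs.append({"op": "FileModified", "file": "notes.docx", "actor": "alice@example.com",
                    "ts": (t0 + timedelta(hours=h, minutes=30)).isoformat()})
    return evs

if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

In a real tenant the thresholds would need tuning against normal co-authoring activity, since AutoSave itself produces frequent saves.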
While Proofpoint believes this to be a weakness of the tool, Microsoft disagrees. After being informed of the findings, the Redmond giant said the tool works as expected. Microsoft also told Proofpoint that if something like this does happen, its customer support can restore files that are up to 14 days old. Proofpoint, on the other hand, says they tried this method and it didn’t work.
To keep your endpoints safe from ransomware and malware, you should always keep your software and hardware up to date, set up strong cybersecurity protections and firewalls, and educate your employees about the dangers of phishing and other forms of social engineering.