SharePoint logs are easily circumvented and Microsoft is dragging its heels
Now is the perfect time to review those permissions
SharePoint users should beware: the platform's download audit logging has proved relatively simple to circumvent, meaning a malicious actor could exfiltrate your data without generating the FileDownloaded events a security team typically alerts on.
If you're hoping that Microsoft will act quickly to fix the matter, don't. According to bug hunters from Varonis Threat Labs, who reported the matter to Redmond in November, it's been deemed a moderate security issue and is waiting in the "patch backlog program" to be addressed at the Windows maker's convenience.
"We're aware of this report and our customers do not need to take action. We have confirmed that the product is performing as expected, by detecting a file accessed and reporting that through the audit log," a Microsoft spokesperson told The Register.
"Security products and vendors should be using FileAccessed, FileDownloaded, plus two potential sync-related signals, FileSyncDownloadedFull and FileSyncDownloadedPartial audit events to monitor for file access."
In short, you're on your own, so best figure out how to make good use of the audit events SharePoint does emit, given the relatively poor state of its download logs.
SharePoint "download logs are unreliable and easy to bypass," Varonis said, reporting it found two fresh methods of doing so. These trick the platform into logging downloads of SharePoint files as file access or file sync events. Both actions, Varonis noted, involve file downloads, but neither is logged as such.
The first method, which triggers a file access log entry, involves opening SharePoint files in a desktop application rather than the browser. That creates a local copy of the file on the machine, but the server records the operation as FileAccessed, not as a download. If an attacker writes a PowerShell script that combines this behaviour with the SharePoint client object model (CSOM), the team suggests, they can download data to their heart's content.
"This script can be extended to map an entire SharePoint site and, using automation, download all the files to the local machine," the Varonis team said. "While this method does not generate download logs, it does create access logs, which can be used to detect such activities."
The second method generates file sync logs instead. It involves misusing the OneDrive sync client to sync SharePoint files, again replicating them to a local machine without any record of a file download; the copies surface only as FileSyncDownloadedFull entries, which a smart security team might still be watching. The more worrying part is how SharePoint decides that a transfer is a sync in the first place: the classification evidently keys off the User-Agent string, so altering it turns an ordinary download into a sync event in the logs.
"By altering the browser's User-Agent, it's possible to download files via conventional methods, like the GUI or Microsoft Graph API, and have them appear in logs as a sync event," the Varonis squad said. "This tactic is particularly effective if malicious file download detections are configured to ignore sync events."
Varonis noted that both of these techniques rely on the attacker already holding read access to the files, typically thanks to over-permissive SharePoint settings, which isn't reassuring given how common this issue is in Microsoft's complicated ecosystem of apps. According to Varonis research [PDF], it's not uncommon for a tenth of a company's cloud data to be accidentally exposed to all employees, and thus to anyone with malicious intent who manages to obtain permissions as limited as those of a regular user.
Until Microsoft decides to patch the issue, Varonis recommends that SharePoint admins review their audit logs for unusually large volumes of access and sync events, not just FileDownloaded entries, since that is where these techniques leave their traces. Intruders using them are not invisible; you just need to know where to look. ®
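The following is an added example, written for this page rather than taken from Varonis or Microsoft, of the kind of review the article recommends: it runs over constructed audit records (field names follow the common Unified Audit Log shape of Operation, UserId, CreationTime, ObjectId and UserAgent; every value is invented) and shows why a detector that watches only FileDownloaded misses both techniques, while one that counts all four operations Microsoft names, in a sliding time window, flags the same activity. In production you would feed it records exported from the unified audit log (for example via the Search-UnifiedAuditLog cmdlet or the Office 365 Management Activity API) rather than the sample below.

```python
"""Added example (not Varonis's or Microsoft's code): triage SharePoint audit
records for the "disguised download" patterns described in the article."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Every operation Microsoft says should be treated as a file read/download.
DOWNLOAD_LIKE_OPS = {
    "FileAccessed",
    "FileDownloaded",
    "FileSyncDownloadedFull",
    "FileSyncDownloadedPartial",
}


def make_record(user, op, idx, start, user_agent):
    """Build one constructed audit record. Field names follow the common
    Unified Audit Log shape; the tenant, users and paths are invented."""
    ts = start + timedelta(seconds=5 * idx)
    return {
        "CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "Operation": op,
        "UserId": user,
        "ObjectId": f"https://contoso.sharepoint.com/sites/finance/Shared Documents/doc{idx}.xlsx",
        "UserAgent": user_agent,
        "Workload": "SharePoint",
    }


T0 = datetime(2024, 5, 21, 9, 0, 0)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

# Constructed sample log, one JSON record per line as an export would give you:
# alice opens 60 files in the desktop app (method one), bob downloads three
# files normally, mallory pulls 40 files that are tagged as sync events (method two).
SAMPLE_LOG_LINES = [json.dumps(r) for r in (
    [make_record("alice@contoso.com", "FileAccessed", i, T0, BROWSER_UA) for i in range(60)]
    + [make_record("bob@contoso.com", "FileDownloaded", i, T0, BROWSER_UA) for i in range(3)]
    + [make_record("mallory@contoso.com", "FileSyncDownloadedFull", i, T0, BROWSER_UA) for i in range(40)]
)]


def parse_log(lines):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in lines]


def naive_download_count(records):
    """A detector that only watches FileDownloaded, i.e. exactly what the two
    bypasses are designed to slip past. Returns {user: count}."""
    return Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")


def bulk_download_suspects(records, threshold=30, window=timedelta(minutes=10)):
    """Count all download-like operations per user inside a sliding time window.
    Flags users who touched at least `threshold` distinct files in any window and
    reports the operation mix, so an analyst can see whether the 'downloads'
    surfaced only as access or sync events."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_LIKE_OPS:
            ts = datetime.fromisoformat(r["CreationTime"])
            by_user[r["UserId"]].append((ts, r["Operation"], r["ObjectId"]))
    suspects = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        start, best_files, best_mix = 0, 0, Counter()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {e[2] for e in span}
            if len(distinct) > best_files:
                best_files, best_mix = len(distinct), Counter(e[1] for e in span)
        if best_files >= threshold:
            suspects[user] = {"files": best_files, "ops": dict(best_mix)}
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG_LINES)
    print("FileDownloaded only:", dict(naive_download_count(recs)))
    for user, info in bulk_download_suspects(recs).items():
        print(f"{user}: {info['files']} distinct files in a 10-minute window, ops={info['ops']}")
```

The threshold and window are deliberately crude starting points; tune them per tenant, and note that the operation mix is the useful signal for triage: a user whose "downloads" are entirely FileAccessed or FileSync* events with no FileDownloaded at all is the shape both techniques leave behind.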