A "potentially dangerous" piece of functionality recently identified in Office 365 could let threat actors encrypt cloud-hosted data and make it unrecoverable without a dedicated backup solution or a decryption key.
According to Proofpoint security researchers, the issue lets attackers abuse the "AutoSave" feature, which automatically saves documents being worked on to the cloud.
AutoSave is largely self-explanatory: documents being worked on are periodically saved to the cloud. Authors, collaborators, and file owners can access these older versions later, which gives them a way to recover in the event of a ransomware attack.
If a threat actor gains access to the victim's cloud (which happens all the time thanks to social engineering), they can either limit the number of autosaves to one or trigger the feature 500 times, which is the tool's maximum.
Microsoft disagrees
However, Proofpoint claims that the latter isn't feasible: "Encrypting files 500+ times is unlikely to be encountered in the field. It necessitates additional scripting and machine resources while also making your activity more detectable," according to the release.
Regardless, the collaboration platform will stop saving beyond that point in both scenarios, and if the attacker encrypts it at that point, the victim will have no choice except to return to an air-gapped backup or pay for a decryption key.
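Both patterns described above (a version limit lowered to a very small number, or one account saving a file more times than the limit retains) can be watched for in audit data. The following is an added example, not code from Proofpoint or Microsoft; the event schema and the operation names `VersionLimitChanged` and `FileModified` are assumed and simplified, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_LIMIT = 500  # version maximum named in the article

def ev(t, user, op, library, **extra):
    """Build one event in the assumed, simplified schema (not a real audit format)."""
    return {"time": datetime.fromisoformat(t), "user": user, "op": op, "library": library, **extra}

# Constructed sample events: normal edits plus one account lowering a limit and re-saving.
SAMPLE = [
    ev("2022-06-20T09:00:00", "alice", "FileModified", "Finance", file="q2.xlsx"),
    ev("2022-06-20T10:00:00", "mallory", "VersionLimitChanged", "HR", new_limit=1),
    ev("2022-06-20T10:01:00", "mallory", "FileModified", "HR", file="payroll.docx"),
    ev("2022-06-20T10:02:00", "mallory", "FileModified", "HR", file="payroll.docx"),
    ev("2022-06-20T11:00:00", "bob", "FileModified", "Finance", file="q2.xlsx"),
]

def detect(events, window=timedelta(hours=1), low_limit=5):
    """Return (kind, library, user, detail) findings in time order."""
    limits = defaultdict(lambda: DEFAULT_LIMIT)  # library -> current version limit
    saves = defaultdict(deque)                   # (library, file, user) -> recent save times
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        lib, user = e["library"], e["user"]
        if e["op"] == "VersionLimitChanged":
            if e["new_limit"] < limits[lib] and e["new_limit"] <= low_limit:
                findings.append(("limit_lowered", lib, user, e["new_limit"]))
            limits[lib] = e["new_limit"]
        elif e["op"] == "FileModified":
            q = saves[(lib, e["file"], user)]
            q.append(e["time"])
            while e["time"] - q[0] > window:     # drop saves that fell out of the window
                q.popleft()
            # One account has written more versions than the library retains,
            # so no version from before the burst is left in the history.
            if len(q) == limits[lib] + 1:
                findings.append(("history_exhausted", lib, user, e["file"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The same rule covers both scenarios because the threshold follows the library's current limit: two saves when the limit is one, 501 saves at the default of 500.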
While Proofpoint sees this as a flaw in the software, Microsoft disagrees. After being told of the findings, the Redmond behemoth stated that the tool works as intended. Microsoft also told Proofpoint that in the event of a real-life incident, its customer service can restore files that are up to 14 days old. Proofpoint, on the other hand, claims to have tried this strategy and found it ineffective.
You should always keep both software and hardware up to date, set up strong cybersecurity protections and firewalls, and educate your employees on the dangers of phishing and other forms of social engineering to keep your endpoints safe from ransomware and malware.