Bypass the Audit: Stealthy SharePoint Techniques Threaten Corporate Data Security

In a digital heist twist, savvy attackers can now swipe files from SharePoint with ninja-like stealth, thanks to two crafty techniques that make audit logs look the other way. Watch your data, folks!

Hot Take:

Oh, SharePoint, the digital Fort Knox for corporate treasure troves, where the only thing easier than collaboration is apparently sneaking out the digital goodies without setting off the alarm bells. Varonis researchers play the cat burglar, showing us how to waltz past the audit log security cameras with all the stealth of a mime in a library. Now let’s see if IT can catch up before these techniques become the go-to party trick for data heisters everywhere.

Key Points:

  • Varonis researchers find two sneaky techniques that either bypass SharePoint audit logging when downloading files or downplay the severity of the event that gets logged.
  • “Open in App” feature allows for download without tripping the “FileDownloaded” wire, only leaving “Access” breadcrumbs.
  • The second technique involves a User-Agent string disguise, turning a regular file download into a less alarming “FileSyncDownloadedFull” event.
  • Despite the issues being reported in November 2023, Microsoft is playing the “moderate severity” card and queuing up the fix for a later date.
  • Until then, Varonis suggests playing detective, looking for high-volume access or new devices from odd locations, and giving those sync events the side-eye for any anomalies.

Need to know more?

The Great SharePoint Heist

Imagine you're in a bank (the SharePoint kind), and the guard (the audit log) is snoozing because you've got a magic key (the "Open in App" feature) that lets you into the vault without so much as a peep. That's what Varonis' first technique is like. You stroll in, use the app to open the document, and the guard just nods and marks you down as a visitor, not a thief. The URL you get doesn't care who you are; it's like an all-you-can-eat buffet, but for confidential files.

Now You Sync Me, Now You Don't

The second technique is like putting on an invisibility cloak (but just a User-Agent string disguise) and pretending you're part of the cleaning crew (the file syncing service). You're not downloading files; you're just "syncing" them, right? Wrong, but the logs won't tattle on you. It's the perfect cover for downloading without the usual sirens, and it can be automated for a grander heist.

The Waiting Game

After waving the red flag in November 2023, Varonis might have expected Microsoft to jump to action. But no, it seems Microsoft is treating these vulnerabilities like a wine that needs to age – they're on the patch backlog, ready for a fix someday in the future. The "moderate severity" label means they're not in a rush, leaving SharePoint admins to play whack-a-mole with potential data leaks in the meantime.

IT's New Workout: Data Detection

Until Microsoft rolls out the patches, Varonis has some advice for the IT crowd. Keep your eyes peeled for a flurry of "Access" events or any new devices popping up like uninvited guests at a party. And when it comes to sync events, treat them like your suspicious in-laws; scrutinize them closely for any sign they're up to no good. It's not the ideal solution, but it's better than letting the data burglars have a field day.
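The two signals Varonis recommends watching (a flurry of "Access" events with no matching "FileDownloaded", and sync downloads from a client nobody has seen before) can be turned into a simple sweep over exported audit records. The following is an added example, not code from the article or from Varonis: the record field names are an assumption modelled on Microsoft 365 unified audit log entries, the known-client baseline is a stand-in for a real device inventory, and the sample log is constructed.

```python
from collections import defaultdict
# Field names are an assumption for this example, modelled on Microsoft 365
# unified audit log records; the Operation values are the ones the article names.
def rec(op, user, ip, ua, obj):
    return {"Operation": op, "UserId": user, "ClientIP": ip,
            "UserAgent": ua, "ObjectId": obj}

SITE = "https://example.sharepoint.com/sites/finance/"  # constructed
# Constructed sample log: alice opens 60 distinct files with no FileDownloaded
# (the "Open in App" pattern); bob behaves normally and syncs from a known
# client; carol's sync download comes from a client never seen before.
SAMPLE_RECORDS = (
    [rec("FileAccessed", "alice@example.com", "203.0.113.5", "Mozilla/5.0",
         f"{SITE}report{i}.xlsx") for i in range(60)]
    + [rec("FileAccessed", "bob@example.com", "198.51.100.7", "Mozilla/5.0",
           f"{SITE}budget.xlsx"),
       rec("FileDownloaded", "bob@example.com", "198.51.100.7", "Mozilla/5.0",
           f"{SITE}budget.xlsx"),
       rec("FileSyncDownloadedFull", "bob@example.com", "198.51.100.7",
           "Microsoft SkyDriveSync", f"{SITE}budget.xlsx"),
       rec("FileSyncDownloadedFull", "carol@example.com", "192.0.2.44",
           "Microsoft SkyDriveSync", f"{SITE}payroll.xlsx")]
)

# (user, client IP) pairs already seen syncing: an assumption standing in for
# an inventory of enrolled devices or a learned baseline.
KNOWN_SYNC_CLIENTS = {("bob@example.com", "198.51.100.7")}

def find_anomalies(records, access_threshold=50, known_sync=KNOWN_SYNC_CLIENTS):
    """Flag users touching many distinct files via FileAccessed (re-opening one
    document is not counted) and FileSyncDownloadedFull from unknown clients."""
    findings = []
    accessed = defaultdict(set)   # user -> distinct ObjectIds accessed
    unknown_sync = {}             # (user, ip) -> user agent of first sighting
    for r in records:
        if r["Operation"] == "FileAccessed":
            accessed[r["UserId"]].add(r["ObjectId"])
        elif r["Operation"] == "FileSyncDownloadedFull":
            key = (r["UserId"], r["ClientIP"])
            if key not in known_sync:
                unknown_sync.setdefault(key, r["UserAgent"])
    for user, files in accessed.items():
        if len(files) >= access_threshold:
            findings.append({"user": user, "reason": "high_volume_access",
                             "distinct_files": len(files)})
    for (user, ip), ua in unknown_sync.items():
        findings.append({"user": user, "reason": "sync_from_unknown_client",
                         "client_ip": ip, "user_agent": ua})
    return findings
```

Against the constructed log this reports alice for high-volume access and carol for syncing from an unknown client, while bob's ordinary open, download and sync from a known client produce nothing.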

Microsoft's Silent Treatment

As of now, Microsoft is as chatty about their patch plans as a mime at a vow of silence convention. BleepingComputer has reached out, but it's all crickets and tumbleweeds. SharePoint users and admins are left reading the tea leaves, hoping for a sign of when these sneaky techniques will be locked down for good.

Tags: Audit Log Bypass, Data Exfiltration, FileDownloaded Event, Microsoft SkyDriveSync, Open in App Feature, SharePoint Security, User-Agent Spoofing