Microsoft Office 365 feature can help Cloud ransomware attacks

Ransomware hacking attacks typically target data stored on system endpoints and online drives. These files are traditionally not as thoroughly protected by local antivirus systems, and even though Microsoft’s web defense mechanisms are among the best on the market, a “dangerous piece of functionality” was discovered in Microsoft Office 365 recently. Proofpoint, one of the leading cybersecurity software companies, recently published a report, providing accurate details about potential dangers in one functionality of MS Office, which could be leveraged to ransoming files stored on Sharepoint Office 365 or Microsoft OneDrive.

The purpose of this article is to explain the newly-discovered vulnerabilities of MS Office, how it can be exploited by cyber actors, and ultimately how companies can protect their businesses against such threats.


The issue: Document Library Versioning system

The Document Library Versioning system is present in all components of the Microsoft Office suite. It is a setting that automatically saves different versions of projects, allowing users to backtrack and use any of them. Unfortunately, the “versioning settings” are exploitable and highly vulnerable to ransomware attacks. Cyber actors can permanently deny access to all document versions by encrypting the original several times before overriding the user-defined number of versions. This can be done in several ways:

  1. Setting the versioning limit to two copies, and then encrypting the original twice, effectively locking all future versions while denying access to the original
  2. Using Office scripts to mass-edit the files 501 times (default versioning limit), eliminating the possibility of restoring any of these files.

In the first case, documents are restorable, but the process requires highly advanced technology and considerable amounts of time. In the second case, the damage is more severe, but the traceability of the operations is much higher.


Ransomware Attacks on Office 365

Ransomware attacks that are executed by exploiting the versioning feature of Office 365 are relatively simple. Because the versioning flaws are innate, cyber actors only need to focus on hijacking the OneDrive or Sharepoint Office 365 accounts and encrypting the files. The attack procedure can be split into several elements, which we cover in the sections below:


Account Access

Cyber actors gain access to OneDrive or Sharepoint accounts through various means. Brute force attacks are highly efficient against accounts protected by weak passwords while social engineering can be used to obtain even the most complex credentials. Brute force attacks are easy to identify and may dissuade the attacker from further attempts. Other notable cyber-attack types that may be deployed to obtain initial access to user accounts include:

  •   Phishing attacks
  •   Keyloggers
  •   Man-in-the-middle (MitM)
  •   Dictionary attacks
  •   Credential stuffing


Account Takeover

After gaining access to the target’s OneDrive/Sharepoint profile, the cybercriminal freely browses, uses, and even downloads any documents that don’t require special credentials like administrator privileges. Reinforcing the security of individual files in OneDrive or Sharepoint Office 365 is not too common, as most users rely on Windows’s cutting-edge cybersecurity measures to keep their data safe. Cyber actors typically face minimal challenges once they have access to the target’s Sharepoint/OneDrive cloud storage.


Data Discovery

Most hackers will not spend too much time logged into their target’s profiles out of fear of being caught. If the target becomes aware of the hacking attempts, they may create backups and effectively counter these cyber-attacks.

The issue with OneDrive Office 365 in this regard is that all documents in the cloud are listed by date and title, providing hackers with valuable information about each file. Pinpointing critical documents is much easier than opening and visually scanning dozens of documents.


Document Library Versioning Exploit

As explained in the previous section, the exploitability of the DLV system is done by reducing the versioning limit to a bare minimum, or by overcoming the current maximum. All files are then edited and encrypted. The target may need months to retrieve all files, or in the case of the former, never retrieve the originals unless ransom money is paid to the attacker.



The end result of the Office 365 DLV exploit is the same as with traditional ransomware attacks. The encrypted files can only be unlocked with the key, which the attacker releases only if you pay the ransom.


Prevention: How to Avoid Ransomware Attacks on Office 365

The document library versioning system is a functionality of MS Office 365.  Until Microsoft patches this issue, cyber actors may target any OneDrive or Sharepoint profile while leaving minimal traces behind them.

There are several ways to either reduce the risk of being targeted by ransomware attacks or improve the defenses of your MS cloud-based cybersecurity, which include but are not limited to:

  • Carefully examine all emails to avoid phishing attacks
  • Use password management software to avoid credential stuffing
  • Be careful who you share your passwords with to negate the social engineering efforts of cyber actors. Microsoft officials will never ask you for your password.
  • Create a stronger password and enable MF authentication to avoid brute force attacks. This will also minimize the chances of successful MitM attacks.
  • Upgrade your antivirus and frequently run scans to check for keyloggers.
  • Memorize and monitor your document library versioning settings in MS Office daily. There is a chance that a cyber-attacker changed them without making further progress.

Ransomware attacks are rarely random. Cyber actors mainly target key individuals in established companies and organizations, but it is always better to do everything in your hands to repel hacking attempts.

Microsoft launches center reporting malicious drivers called “Antimalware and Cybersecurity Portal”; if you feel that you may become a target, it is recommended to visit their official website.


Solution: How DIESEC can help with Office 365 Ransomware Attacks

Diesec is a German-based cybersecurity leader that offers a host of IT and cybersecurity services. Diesec offers a concrete solution to the problem of DLV exploits in Microsoft OneDrive and Sharepoint. We can install on-premise backup systems to provide fool-proof backups of Office 365 data. Even if all cloud backups/versions were inaccessible, those on-premise backups would still be readable.

Additionally, we also offer penetration testing and red teaming services that thoroughly test your system and help you close loopholes preventing malicious actors from getting access to your Microsoft Onedrive accounts in the first place. Contact us today for a free consultation to see how we can meet your security requirements!