Microsoft SharePoint Online is one of the most widely used content management platforms. Unfortunately, Proofpoint recently discovered that threat actors can abuse a feature in SharePoint Online and OneDrive for Business to encrypt all of your files and hold them ransom. 

The security loophole

The feature with the potential loophole is file versioning, available on SharePoint Online and OneDrive for Business sites. The feature was designed to allow users to revert any document to any of its previous versions instantly. However, threat actors can abuse this feature.

 

How is file versioning vulnerable?

Files in SharePoint Online and OneDrive for Business are stored in lists and document libraries. Every document library has a setting where the number of saved versions can be configured. The potential vulnerability arises because administrative privileges aren’t required to modify the versioning settings. Any user with site owner permissions can modify the number of versions that can be stored.

Like any attack, the first step is to gain access, which is done either by using stolen credentials or by tricking users into providing the required access through OAuth apps. Once the threat actor manages to get access to a site owner’s account, they can modify the number of versions to as low as two. After this change, SharePoint Online and OneDrive for Business will only maintain the last two versions. The threat actor can then modify the files twice and encrypt them, thereby ensuring all legitimate changes are erased from the Microsoft 365 ecosystem. Additionally, the threat actor can hold your files ransom.
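To catch the versioning change described above before it is used against you, the following added example (not part of the original post or of any product mentioned here) compares two inventory snapshots of a site's libraries and flags any document library whose version history was weakened. It assumes the snapshots are JSON shaped like the SharePoint REST list properties `Title`, `BaseTemplate`, `EnableVersioning` and `MajorVersionLimit`; the library names, sample values and the floor of 50 versions are constructed for illustration.

```python
import json

DOC_LIBRARY = 101   # BaseTemplate value of a document library
MIN_VERSIONS = 50   # assumed policy floor, adjust to your retention needs

# Constructed snapshots shaped like /_api/web/lists JSON (names are made up).
BASELINE = json.loads("""{"value": [
 {"Title": "Documents", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 500},
 {"Title": "Contracts", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 500},
 {"Title": "Finance", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 100},
 {"Title": "Tasks", "BaseTemplate": 171, "EnableVersioning": false, "MajorVersionLimit": 0}]}""")
CURRENT = json.loads("""{"value": [
 {"Title": "Documents", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 500},
 {"Title": "Contracts", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 2},
 {"Title": "Finance", "BaseTemplate": 101, "EnableVersioning": false, "MajorVersionLimit": 100},
 {"Title": "Scratch", "BaseTemplate": 101, "EnableVersioning": true, "MajorVersionLimit": 10},
 {"Title": "Tasks", "BaseTemplate": 171, "EnableVersioning": false, "MajorVersionLimit": 0}]}""")


def libraries(snapshot):
    """Map title -> (versioning enabled, version limit) for document libraries."""
    return {
        item["Title"]: (bool(item.get("EnableVersioning")),
                        int(item.get("MajorVersionLimit") or 0))
        for item in snapshot.get("value", [])
        if item.get("BaseTemplate") == DOC_LIBRARY
    }


def versioning_findings(baseline, current, floor=MIN_VERSIONS):
    """Return (library, reason) pairs for settings that weaken version history."""
    before, after = libraries(baseline), libraries(current)
    findings = []
    for title, (enabled, limit) in sorted(after.items()):
        old = before.get(title)
        if not enabled:
            findings.append((title, "versioning disabled"))
        elif old and old[0] and limit < old[1]:
            findings.append((title, f"limit lowered {old[1]} -> {limit}"))
        elif limit < floor:
            findings.append((title, f"limit {limit} below floor {floor}"))
    return findings


if __name__ == "__main__":
    for library, reason in versioning_findings(BASELINE, CURRENT):
        print(f"[ALERT] {library}: {reason}")
```

Run on a schedule against fresh snapshots, a check like this surfaces a lowered version limit while older versions may still be recoverable.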

 

Insuring your data against ransomware attacks

It is not humanly possible to prevent all attacks all the time because one minor slip-up from a user or a zero-day vulnerability is all it takes for threat actors to wreak havoc on your data. The best defense against any attack is having a backup of all your data.

Even if malware reduces the number of file versions or encrypts all the files on your sites, a solution like ManageEngine RecoveryManager Plus can back up all parts of your Microsoft 365 environment, allowing you to restore all your SharePoint Online and OneDrive for Business sites to a point in time before the malware attack. With its incremental backups, granular and complete restoration, modifiable retention policies, and varied storage media, RecoveryManager Plus can insure your SharePoint Online and OneDrive for Business sites against any malware attacks.

RecoveryManager Plus can help you protect not just your Microsoft 365 data but also the data of all other enterprise applications, such as Active Directory, Azure Active Directory, Google Workspace, and on-premises Exchange. If you would like to learn more, sign up for a personalized demo with our product experts who will explain how RecoveryManager Plus can fortify your enterprise disaster recovery strategy.