Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection

Varonis Threat Labs discovered two techniques in SharePoint that allow users to circumvent audit logs and avoid triggering download events while exfiltrating files.  

These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events. 

Technique #1: Open in App Method

The first technique uses the code enabling the “open in app” feature in SharePoint to access and download files while only leaving an access event in the file’s audit log. This method can be executed manually or automated through a PowerShell script, allowing for the rapid exfiltration of many files.  

Technique #2: SkyDriveSync User-Agent

The second technique uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while mislabeling events as file syncs instead of downloads.  

Using these techniques, threat actors could exfiltrate data while hiding their activity from audit logs, bypassing detection or policy enforcement.

Disclosure

Varonis researchers disclosed these methods to Microsoft in November 2023. At the time of publication, Microsoft designated these techniques as a “moderate” security fix and added the vulnerabilities to their patch backlog program.

On April 10, 2024, Microsoft closed out the ticket for the SharePoint method as ‘by design’ and believes that customers do not need to take action. This functionality will remain in SharePoint deployments until further notice. 

Varonis recommends that organizations closely review access events for unusual access activity, volume, new devices, or geolocations across their SharePoint and OneDrive audit logs. Our UEBA and AI features review user behavior to detect and stop suspicious activities such as the mass accessing of files in short periods.  

To raise awareness of these tactics, we will detail the methods used and provide detection strategies organizations can implement to identify and mitigate such activities. 

SharePoint and OneDrive: risks and data exfiltration 

Organizations use SharePoint and OneDrive to facilitate employee file access. However, like any file server, managing permissions can be complex. Misconfigured permissions can inadvertently grant users broader access than necessary.   

Excessive permissions and other misconfigurations routinely leave up to 10% of a company’s cloud data exposed to all employees; in some industries, such as manufacturing or finance, the number of files open to all employees can be up to 11 million.   

Threat actors take advantage of misconfigured permissions and access to exfiltrate data. There are two primary methods through which data can be exfiltrated from SharePoint and OneDrive: 

1. File downloads: Directly downloading files and folders to a local device
2. External sharing: Using SharePoint’s native features to generate an external shareable link, either by creating an anonymous link or sending a link to a specific party 

While external sharing is an attack vector with numerous detection methods available, our focus is on file downloads. We chose to focus on file downloads because the action can be automated, which increases the risk of mass data exfiltration. 

Automating file downloads for exfiltration is easily achieved with several tools (such as Azure Applications and the MSGraph API) by retrieving download URLs for files. These URLs are valid for one hour and can be used by anyone, but create a "FileDownloaded" audit log.  

While this method is an efficient way to exfiltrate files, the activity can be easily traced by looking for large amounts of "FileDownloaded" logs, making it undesirable to threat actors. Non-technical insiders might rely more on GUI functions to download files, which are also audited similarly. For threat actors and malicious insiders, accessing files is much less suspicious than downloading them.  

As part of our research, we aimed to determine which user actions generated what type of events, either security alerts or file events (e.g., open, closed, downloaded, etc.). As we developed specific attack scripts, we identified techniques that could be used to download files without triggering standard events and circumvent audit logs.

Downloading files and folders in SharePoint 

For a normal user, moving a file from SharePoint to a local computer via direct download or directory sync counts as a download. However, in SharePoint, file syncs, direct downloads, or "open-in applications” are recorded differently in the audit log.

The simplest way to download files and folders directly from a SharePoint site is via the GUI. Direct downloads generate a download event in the audit log. Security products and vendors use these audit logs and events to monitor and detect threat actors and/or policy violations.  

An example log showing the recorded "FileDownloaded" activity along with other data.

It’s important to note that downloading a file uses the browser's User-Agent versus downloading a folder (which comes in a zip file), which uses the distinct User-Agent “OneDriveMpc-Transform_Zip/1.0”. This information can be valuable during investigations, as the User-Agent reveals the method employed to download the content.

In addition to the direct download method, there is a less conspicuous way of transferring files to a local machine. This involves using the “open in app” feature: 

Opening a file in an application allows access to data without triggering a download event.

Opening a file in an app on a computer or saving a local copy does not create a "FileDownloaded" audit log, even though the file is still downloaded to the computer. 

Exfiltrating data in SharePoint 

By combining PowerShell with SharePoint client object model (CSOM), threat actors can write a script that fetches the file from the cloud and saves it to the local computer without leaving a download log footprint: 

Using PowerShell script, an entire SharePoint site can be exfiltrated automatically.

This script can be extended to map an entire SharePoint site and, using automation, download all the files to the local machine. While this method does not generate download logs, it does create access logs, which can be used to detect such activities.

Despite each file being downloaded, logs only show the files being accessed. 

Alternatively, when opening a document locally in the app from SharePoint, we can see in the browser’s network logs that a shell command is issued, which designates which cloud file to access and the method to open it. 

Opening a document in an application from SharePoint uses a shell command to open a URL to the specific document.

The shell command, seen above, instructs Windows to open the Excel application (or the relevant Microsoft app) and load the document via the provided link; clicking the link gives the user an option to download the file: 

The URLs used during the "open in app" process within SharePoint can be copied and used directly. 

This link is persistent, without expiration, and accessing it does not create a “FileDownloaded” audit log. However, like the previous PowerShell method, clicking on the link does generate a “FileAccessed" log.

In essence, the PowerShell script and direct link access are the same, particularly regarding the audit logs generated.

However, unless a user downloads large volumes of files quickly, these methods will likely create only conspicuous amounts of access logs, allowing such activities to go relatively unnoticed by detection rules focused on download logs.  

Data exfiltration using “FileSync” and OneDrive  

In addition to the methods mentioned above, Varonis discovered another way to exfiltrate data while avoiding detection, using a less monitored type of event.

Unlike manual downloads, file synchronization with SharePoint facilitates the automatic replication of files between the cloud and a local PC without direct user intervention. That means if changes are made to a file in SharePoint, those same changes will reflect in the local copy, and vice-versa. In some cases, particularly within organizational settings, OneDrive might already be configured to sync files automatically.

Syncing files from SharePoint is a straightforward process that can be initiated with a simple click: 

An example of a SharePoint site and the Sync function. 

Locally on the PC, the OneDrive.exe manages the file synchronization between the local environment and the cloud. These synchronization actions generate their own distinct logs: events for synced uploads are logged as “FileSyncUploadedFull,” and synced downloads are recorded as “FileSyncDownloadedFull.” In SharePoint, manual upload and download events are logged as “FileUploaded” and “FileDownloaded.”

While we’ve reviewed the different types of download and upload records from SharePoint, we haven’t yet covered how SharePoint can distinguish between those events. So, how does SharePoint differentiate between synced files and manually uploaded files? The key factor is the User-Agent.

Synchronization events use a distinct User-Agent, Microsoft SkyDriveSync, and every upload or download event using this User-Agent is classified as a sync event. Even manual GUI events like using the download button, if forced to use the SkyDriveSync User-Agent, will be classified as a sync event.

Exfiltration can be hidden under routine sync events by altering the browser agent used to download files. 

By altering the browser's User-Agent, it's possible to download files via conventional methods, like the GUI or Microsoft Graph API, and have them appear in logs as sync events “FileSyncDownloadedFull” instead of standard download events “FileDownloaded.” This can be automated via a PowerShell script as well. This tactic is particularly effective if malicious file download detections are configured to ignore sync events. By spoofing the User-Agent, one can circumvent these detections.

The file sync method does not create access logs, sidestepping the detection measures associated with the "open in app” method. The file sync method is a more subtle technique that allows an attacker to exfiltrate data without raising suspicion. 

Detection methods 

To summarize, download logs are unreliable and easy to bypass. An attacker can avoid the creation of “FileDownloaded” logs at the expense of creating much less suspicious “FileAccessed” logs by abusing the User-Agent for the “open in app” feature.

Also, attackers can use the User-Agent for SkyDriveSync to download files, avoiding creating “FileDownloaded” logs at the expense of creating more discreet “FileSyncDownloadedFull” logs.

Considering these two cases, we have a couple of approaches to detect suspicious behavior that uses these techniques.

Evading the “FileDownloaded” log will create an access log instead. This means that large amounts of access or abnormal access audit logs could signal unauthorized downloads and possible data exfiltration.

If existing detection systems are configured to overlook sync events, new detection rules must incorporate sync events into their monitoring to detect disguised downloads. Threat hunters and security teams cannot rely solely on audit logs to indicate whether sync events are legitimate or cloaked download activities. Instead, detection rules should consider behavioral patterns, which could include: 

• The typical frequency and volume of a user's sync activity
• The usual devices used for sync operations
• Syncs from a new geolocation
• The specific folders typically synchronized to a user's account 

By analyzing these behavioral parameters, you can detect anomalies that suggest someone is manipulating sync events. For instance, an unexpected spike in sync activity from a device not commonly used or synchronization of unusually large amounts of sensitive folders that are not part of the user's normal workflow could be red flags. 

How Varonis can help 

Varonis monitors real-time data activity, giving you a complete, searchable audit trail of events across your cloud and on-prem data. Hundreds of expert-built threat models automatically detect anomalies, alerting you to unusual file access activity, new devices, geo-hopping, and much more.  

Varonis also offers Managed Data Detection and Response (MDDR), providing 24/7/365 data security expertise and incident response. Our UEBA and AI features review user behavior to detect and stop suspicious activities such as the mass accessing of files in short periods.