April 9, 2024 at 11:37AM
Researchers at Varonis have uncovered two techniques that let an attacker download files from SharePoint without producing the expected download events in the audit logs. By using the “Open in App” feature or spoofing the User-Agent string of the request, the attacker causes the download to be recorded as a lower-severity or misleading event (an access or a sync event rather than a download). Microsoft has acknowledged both issues but rated them as moderate severity, so organizations are advised to monitor for and mitigate this activity themselves until a fix ships.
From the meeting notes, I have distilled the following key points:
1. Researchers have discovered two techniques that let attackers bypass the audit logs, or at least leave only lower-severity entries, when downloading files from Microsoft SharePoint.
2. The first technique abuses SharePoint’s “Open in App” feature, which lets users open a document in a desktop application such as Microsoft Word instead of in the web browser. The file still reaches the client, but the audit log records an “Access” event rather than a “FileDownloaded” event.
3. The second technique involves spoofing the User-Agent string of file access requests to mimic Microsoft SkyDriveSync, making the file downloads appear as data syncing events in the logs.
4. Varonis reported these issues to Microsoft in November 2023. Microsoft has added them to its patch backlog for a future fix, but because they are rated moderate severity they will not receive an immediate fix.
5. Recommended mitigations are to monitor for high volumes of access activity within a short time frame, to scrutinize sync events for anomalies, and to look for unusual activity patterns in general. The activity is still logged in both cases; it is just recorded under a different, less alarming event type, so detection has to key on those event types as well as on “FileDownloaded”.
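As an added illustration of the mitigations in point 5 (example code written for these notes, not code from Varonis, Microsoft or the original research), the following Python script runs two of the recommended checks over a handful of constructed audit records: a burst check that counts access and sync events alongside downloads, and a sync check that flags sync-labelled events from clients outside a known-sync-client baseline or from a client that also shows non-sync browser activity. The record layout, the operation names other than “FileDownloaded”, the thresholds and the baseline are all assumptions.

```python
"""Detection checks for the two SharePoint audit-log evasion patterns above.

Added example; not code from Varonis, Microsoft or the original notes. The
record layout is a constructed simplification of a SharePoint audit record
(CreationTime, Operation, UserId, ClientIP, UserAgent and ObjectId are assumed
field names), and every threshold and baseline below is a hypothetical value.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Only "FileDownloaded" appears in the notes above; the other two are assumed
# names for the "Access" and sync events the notes describe.
DOWNLOAD_OP = "FileDownloaded"
ACCESS_OP = "FileAccessed"
SYNC_OP = "FileSyncDownloadedFull"
READ_OPS = {DOWNLOAD_OP, ACCESS_OP, SYNC_OP}

SYNC_UA_MARKER = "SkyDriveSync"        # substring the User-Agent spoof imitates

BURST_WINDOW = timedelta(minutes=5)    # hypothetical tuning value
BURST_THRESHOLD = 5                    # hypothetical tuning value
# Hypothetical baseline: (user, client IP) pairs known to run the real sync client.
KNOWN_SYNC_CLIENTS = {("alice@example.com", "203.0.113.10")}

# Constructed sample log. Alice browses from one machine and syncs from her
# known client. Bob opens one file from a browser, then pulls four more files
# in two minutes from the same IP with a User-Agent claiming to be the sync client.
SAMPLE_LOG = """\
{"CreationTime": "2024-04-08T09:00:00", "Operation": "FileSyncDownloadedFull", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "UserAgent": "Microsoft SkyDriveSync 24.0", "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/handbook.docx"}
{"CreationTime": "2024-04-08T09:30:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.55", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0", "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/policy.docx"}
{"CreationTime": "2024-04-08T10:00:00", "Operation": "FileAccessed", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q1.xlsx"}
{"CreationTime": "2024-04-08T10:00:30", "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q2.xlsx"}
{"CreationTime": "2024-04-08T10:01:00", "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx"}
{"CreationTime": "2024-04-08T10:01:30", "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q4.xlsx"}
{"CreationTime": "2024-04-08T10:02:00", "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/payroll.xlsx"}
"""


def parse_records(text):
    """Parse one JSON record per line and return them sorted by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["CreationTime"])


def find_bursts(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: peak count} for users with >= threshold content reads in
    any `window`. Access and sync events count the same as downloads, because
    the two techniques above turn downloads into exactly those events."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in READ_OPS:
            by_user[rec["UserId"]].append(rec["CreationTime"])
    hits = {}
    for user, times in by_user.items():       # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                    # slide the window forward
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def find_sync_anomalies(records, known=KNOWN_SYNC_CLIENTS):
    """Flag sync-labelled events (sync operation or sync User-Agent) that come
    from a (user, IP) outside the baseline, or from a (user, IP) that also shows
    non-sync activity: a real sync client does not share a session with a browser."""
    non_sync_pairs = {(r["UserId"], r["ClientIP"]) for r in records
                      if r["Operation"] in READ_OPS and SYNC_UA_MARKER not in r["UserAgent"]}
    anomalies = []
    for rec in records:
        if rec["Operation"] != SYNC_OP and SYNC_UA_MARKER not in rec["UserAgent"]:
            continue
        pair = (rec["UserId"], rec["ClientIP"])
        reasons = []
        if pair not in known:
            reasons.append("unknown sync client")
        if pair in non_sync_pairs:
            reasons.append("sync User-Agent mixed with non-sync activity from the same client")
        if reasons:
            anomalies.append((rec["CreationTime"].isoformat(), rec["UserId"],
                              rec["ObjectId"], "; ".join(reasons)))
    return anomalies


def run_checks(log_text=SAMPLE_LOG):
    records = parse_records(log_text)
    return {"bursts": find_bursts(records), "sync_anomalies": find_sync_anomalies(records)}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

On the sample data Bob trips both checks (five content reads in two minutes, and four sync events from a client that is not in the baseline and that also produced browser activity), while Alice’s legitimate sync from her known client is not flagged. In a real deployment the baseline would be built from historical sync activity per user and device, and the burst threshold tuned per site; the point of the example is that neither check relies on the “FileDownloaded” event the attacker has avoided generating.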
If you require any further information or action points based on these takeaways, please let me know.