Researchers Uncover Techniques to Stealthily Steal Data from SharePoint Without Triggering Alerts
- Researchers found techniques to bypass SharePoint audit logs or generate less severe log entries when downloading files. This enables stealthy data exfiltration.
- The "Open in App" feature doesn't log a "FileDownloaded" event. It logs an "Access" event that may be ignored.
- Spoofing the User-Agent string to mimic a sync service makes downloads appear as sync events, avoiding scrutiny.
- Microsoft rated the flaws as moderate severity so fixes aren't imminent. Admins should monitor for signs of unauthorized access.
- Varonis recommends watching for spikes in access activity, new unfamiliar devices, and anomalies in sync event frequency/volume.
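
One way to check for the three signals Varonis lists, as an added example that is not code from Varonis or Microsoft. The operation names `FileAccessed` and `FileSyncDownloadedFull` come from the Microsoft 365 unified audit log; the simplified record fields, the thresholds, the device baseline and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Unified audit log operation names; the record layout used below is a simplified assumption.
ACCESS_OPS = {"FileAccessed"}
SYNC_OPS = {"FileSyncDownloadedFull"}

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_anomalies(events, known_devices, window=timedelta(minutes=10),
                   access_limit=5, sync_limit=5):
    """Return sorted (user, finding) pairs for access spikes and sync anomalies."""
    access, sync = defaultdict(list), defaultdict(list)
    findings = set()
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["op"] in ACCESS_OPS:
            access[e["user"]].append(ts)
        elif e["op"] in SYNC_OPS:
            sync[e["user"]].append(ts)
            if e["device"] not in known_devices.get(e["user"], set()):
                findings.add((e["user"], "sync_from_unknown_device"))
    for user, times in access.items():
        if max_in_window(times, window) > access_limit:
            findings.add((user, "access_spike"))
    for user, times in sync.items():
        if max_in_window(times, window) > sync_limit:
            findings.add((user, "sync_volume_spike"))
    return sorted(findings)

def sample_events():
    """Constructed records: alice opens 8 files in 8 minutes, bob syncs 7 files from a new device."""
    ev = [{"time": f"2024-04-09T10:0{i}:00", "user": "alice", "op": "FileAccessed",
           "device": "LAPTOP-A"} for i in range(8)]
    ev += [{"time": f"2024-04-09T11:00:0{i}", "user": "bob", "op": "FileSyncDownloadedFull",
            "device": "UNKNOWN-1"} for i in range(7)]
    ev.append({"time": "2024-04-09T12:00:00", "user": "carol", "op": "FileDownloaded", "device": "LAPTOP-C"})
    return ev

KNOWN = {"alice": {"LAPTOP-A"}, "bob": {"LAPTOP-B"}, "carol": {"LAPTOP-C"}}  # constructed device baseline
print(find_anomalies(sample_events(), KNOWN))
```

The fixed limits stand in for a per-user baseline; in practice the thresholds would be derived from each user's normal access and sync volume.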