Company Varonis has identified two methods that can be used to bypass audit logs or create less noticeable entries when downloading files from Sharepoint.
The first method involves utilizing the Sharepoint function to “open in the application”, allowing users to open documents in Word rather than a web browser. This action results in generating “access” events in the audit logs instead of “download” events, which administrators may overlook. Furthermore, the URL obtained through this method does not have an expiration period, enabling unrestricted file downloads.
Multiple access events are generated as a result of a series of file exfiltration activities.
The second method involves altering the user-agent line when requesting file access, making file uploads through a browser or Microsoft Graph API appear as data synchronization events (such as Microsoft SkyDriveSync). This tactic reduces suspicion from security services.
Varonis disclosed these vulnerabilities to Microsoft in November 2023, and the company has included them in the list of issues to be addressed in the future, classifying them as “non-urgent.”
Varonis advises monitoring high levels of access activity within a short timeframe and the appearance of new devices from unusual locations, as these could indicate unauthorized data extraction. Careful examination of synchronization events for anomalies in frequency and data volumes is also recommended.
Microsoft has confirmed that Sharepoint is functioning correctly, with file access being recorded in audit logs. The company suggests using events like FileAccessed, FileDownloaded, FileSyncDownloadedFull, and FileSyncDownloadedPartial to monitor file access.