www.proofpoint.com
Open in
urlscan Pro
2a02:e980:107::cf
Public Scan
URL:
https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functiona...
Submission: On October 11 via api from US — Scanned from DE
Submission: On October 11 via api from US — Scanned from DE
Form analysis 3 forms found in the DOM
/us
<form action="/us" data-region="us" data-language="en">
<input type="text" name="search_block_form" placeholder="Search">
<input type="submit">
</form><form id="mktoForm_10895" data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" novalidate="novalidate" style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
<div class="mktoAsterix">*</div>Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoFieldWrap mk-form__checkbox-field">
<div class="blog-subscribe__select-box">Select</div><label for="blogInterest" id="LblblogInterest" class="mktoLabel mktoHasWidth mk-form__checkbox-label" style="width: 150px;">
<div class="mktoAsterix">*</div>Blog Interest:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth" style="width: 200px;"><input name="blogInterest" id="mktoCheckbox_185044_0" type="checkbox" value="All"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_0 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_0" id="LblmktoCheckbox_185044_0">All</label><input name="blogInterest" id="mktoCheckbox_185044_1" type="checkbox" value="Archiving and Compliance"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_1 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_1" id="LblmktoCheckbox_185044_1">Archiving and Compliance</label><input name="blogInterest" id="mktoCheckbox_185044_2" type="checkbox" value="CISO Perspectives"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_2 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_2" id="LblmktoCheckbox_185044_2">CISO Perspectives</label><input name="blogInterest" id="mktoCheckbox_185044_3" type="checkbox" value="Cloud Security"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_3 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_3" id="LblmktoCheckbox_185044_3">Cloud Security</label><input name="blogInterest" id="mktoCheckbox_185044_4" type="checkbox" value="Corporate News"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_4 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_4" id="LblmktoCheckbox_185044_4">Corporate News</label><input name="blogInterest" id="mktoCheckbox_185044_5" type="checkbox" value="Email and Cloud Threats"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_5 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_5" id="LblmktoCheckbox_185044_5">Email and Cloud Threats</label><input name="blogInterest" id="mktoCheckbox_185044_6" type="checkbox" value="Engineering Insights"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_6 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_6" id="LblmktoCheckbox_185044_6">Engineering Insights</label><input name="blogInterest" id="mktoCheckbox_185044_7" type="checkbox" value="Information Protection"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_7 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_7" id="LblmktoCheckbox_185044_7">Information Protection</label><input name="blogInterest" id="mktoCheckbox_185044_8" type="checkbox" value="Insider Threat Management"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_8 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_8" id="LblmktoCheckbox_185044_8">Insider Threat Management</label><input name="blogInterest" id="mktoCheckbox_185044_9" type="checkbox" value="Remote Workforce Protection"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_9 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_9" id="LblmktoCheckbox_185044_9">Remote Workforce Protection</label><input name="blogInterest" id="mktoCheckbox_185044_10" type="checkbox" value="Security Awareness Training"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_10 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_10" id="LblmktoCheckbox_185044_10">Security Awareness Training</label><input name="blogInterest" id="mktoCheckbox_185044_11" type="checkbox" value="Security Briefs"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_11 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_11" id="LblmktoCheckbox_185044_11">Security Briefs</label><input name="blogInterest" id="mktoCheckbox_185044_12" type="checkbox" value="Threat Insight"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_12 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_12" id="LblmktoCheckbox_185044_12">Threat Insight</label></div><span id="InstructblogInterest" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="10895" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="309-RHV-619" placeholder=""><input type="hidden" name="Website_Conversion_URL__c" class="mktoField mktoFieldDescriptor"
value="https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality"><input type="hidden" name="gAClientID" class="mktoField mktoFieldDescriptor" value="1147964321.1665447967">
</form><form data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>Text Content
Skip to main content
Products Solutions Partners Resources Company ContactLanguages
Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence
Proofpoint Essentials Sendmail Support Log-in
Main Menu
EMAIL SECURITY AND PROTECTION
Defend against threats, ensure business continuity, and implement email
policies.
ADVANCED THREAT PROTECTION
Protect against email, mobile, social and desktop threats.
SECURITY AWARENESS TRAINING
Engage your users and turn them into a strong line of defense against phishing
and other cyber attacks.
CLOUD SECURITY
Defend against threats, protect your data, and secure access.
COMPLIANCE AND ARCHIVING
Reduce risk, control costs and improve data visibility to ensure compliance.
INFORMATION PROTECTION
Protect from data loss by negligent, compromised, and malicious users.
DIGITAL RISK PROTECTION
Protect against digital security risks across web domains, social media and the
deep and dark web.
PREMIUM SECURITY SERVICES
Get deeper insight with on-call, personalized assistance from our expert team.
RANSOMWARE HUB
Stop ransomware in its tracks with the free research and resources in our
Ransomware Hub.
Learn More
SOLUTIONS BY TOPIC
COMBAT EMAIL AND CLOUD THREATS
Protect your people from email and cloud threats with an intelligent and
holistic approach.
CHANGE USER BEHAVIOR
Help your employees identify, resist and report attacks before the damage is
done.
COMBAT DATA LOSS AND INSIDER RISK
Prevent data loss via negligent, compromised and malicious insiders by
correlating content, behavior and threats.
MODERNIZE COMPLIANCE AND ARCHIVING
Manage risk and data retention needs with a modern compliance and archiving
solution.
PROTECT CLOUD APPS
Keep your people and their cloud apps secure by eliminating threats, avoiding
data loss and mitigating compliance risk.
PREVENT LOSS FROM RANSOMWARE
Learn about this growing threat and stop attacks by securing today’s top
ransomware vector: email.
SECURE MICROSOFT 365
Implement the very best security and compliance solution for your Microsoft 365
collaboration suite.
DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE
Secure access to corporate resources and ensure business continuity for your
remote workers.
WHY PROOFPOINT
Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.
SOLUTIONS BY INDUSTRY
Federal Government State and Local Government Higher Education Financial
Services Healthcare Mobile Operators Internet Service Providers Small and Medium
Businesses
PARTNER PROGRAMS
CHANNEL PARTNERS
Become a channel partner. Deliver Proofpoint solutions to your customers and
grow your business.
ARCHIVE EXTRACTION PARTNERS
Learn about the benefits of becoming a Proofpoint Extraction Partner.
GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS
Learn about our global consulting and services partners that deliver fully
managed and integrated solutions.
TECHNOLOGY AND ALLIANCE PARTNERS
Learn about our relationships with industry-leading firms to help protect your
people, data and brand.
SOCIAL MEDIA PROTECTION PARTNERS
Learn about the technology and alliance partners in our Social Media Protection
Partner program.
PROOFPOINT ESSENTIALS PARTNER PROGRAMS
Small Business Solutions for channel partners and MSPs.
PARTNER TOOLS
Become a Channel Partner Channel Partner Portal
RESOURCE LIBRARY
Find the information you're looking for in our library of videos, data sheets,
white papers and more.
BLOG
Keep up with the latest news and happenings in the ever‑evolving cybersecurity
landscape.
PODCASTS
Learn about the human side of cybersecurity. Episodes feature insights from
experts and executives.
THREAT GLOSSARY
Learn about the latest security threats and how to protect your people, data,
and brand.
EVENTS
Connect with us at events to learn how to protect your people and data from
ever‑evolving threats.
CUSTOMER STORIES
Read how Proofpoint customers around the globe solve their most pressing
cybersecurity challenges.
WEBINARS
Browse our webinar library to learn about the latest threats, trends and issues
in cybersecurity.
Watch now to earn your CPE credits
SECURITY HUBS
Get free research and resources to help you protect against threats, build a
security culture, and stop ransomware in its tracks.
Threat Hub
CISO Hub
Cybersecurity Awareness Hub
Ransomware Hub
Insider Threat Management Hub
ABOUT PROOFPOINT
Proofpoint is a leading cybersecurity company that protects organizations'
greatest assets and biggest risks: their people.
WHY PROOFPOINT
Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.
CAREERS
Stand out and make a difference at one of the world's leading cybersecurity
companies.
NEWS CENTER
Read the latest press releases, news stories and media highlights about
Proofpoint.
PRIVACY AND TRUST
Learn about how we handle data and make commitments to privacy and other
regulations.
ENVIRONMENTAL, SOCIAL, AND GOVERNANCE
Learn about our people-centric principles and how we implement them to
positively impact our global community.
SUPPORT
Access the full range of Proofpoint support services.
Learn More
English (US) English (UK) English (AU) Español Deutsch Français Italiano
Português 日本語 한국어
Products
Overview Email Protection Email Fraud Defense Secure Email Relay Threat Response
Auto-Pull Sendmail Open Source Essentials for Small Business
Overview Targeted Attack Protection in Email Email Isolation Threat Response
Emerging Threats Intelligence
Overview Assess Change Behavior Evaluate
Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web
Security
Overview Automate Capture Patrol Track Archive Discover Supervision
Overview Enterprise Data Loss Prevention (DLP) Insider Threat Management
Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP)
Email Data Loss Prevention (DLP) Email Encryption Data Discover
Overview Social Media Protection Domain Fraud Monitoring Executive and Location
Threat Monitoring
Overview Technical Account Managers Proofpoint Threat Information Services
Managed Services for Security Awareness Training People-Centric Security Program
Managed Email Security Managed Services for Information Protection Insider
Threat Management Services Compliance and Archiving Services Consultative
Services
Products Solutions Partners Resources Company
English (US) English (UK) English (AU) Español Deutsch Français Italiano
Português 日本語 한국어
Login
Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence
Proofpoint Essentials Sendmail Support Log-in
Contact
EMAIL SECURITY AND PROTECTION
Defend against threats, ensure business continuity, and implement email
policies.
ADVANCED THREAT PROTECTION
Protect against email, mobile, social and desktop threats.
SECURITY AWARENESS TRAINING
Engage your users and turn them into a strong line of defense against phishing
and other cyber attacks.
CLOUD SECURITY
Defend against threats, protect your data, and secure access.
COMPLIANCE AND ARCHIVING
Reduce risk, control costs and improve data visibility to ensure compliance.
INFORMATION PROTECTION
Protect from data loss by negligent, compromised, and malicious users.
DIGITAL RISK PROTECTION
Protect against digital security risks across web domains, social media and the
deep and dark web.
PREMIUM SECURITY SERVICES
Get deeper insight with on-call, personalized assistance from our expert team.
Overview Email Protection Email Fraud Defense Secure Email Relay Threat Response
Auto-Pull Sendmail Open Source Essentials for Small Business
Overview Targeted Attack Protection in Email Email Isolation Threat Response
Emerging Threats Intelligence
Overview Assess Change Behavior Evaluate
Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web
Security
Overview Automate Capture Patrol Track Archive Discover Supervision
Overview Enterprise Data Loss Prevention (DLP) Insider Threat Management
Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP)
Email Data Loss Prevention (DLP) Email Encryption Data Discover
Overview Social Media Protection Domain Fraud Monitoring Executive and Location
Threat Monitoring
Overview Technical Account Managers Proofpoint Threat Information Services
Managed Services for Security Awareness Training People-Centric Security Program
Managed Email Security Managed Services for Information Protection Insider
Threat Management Services Compliance and Archiving Services Consultative
Services
RANSOMWARE HUB
Stop ransomware in its tracks with the free research and resources in our
Ransomware Hub.
Learn More
SOLUTIONS BY TOPIC
COMBAT EMAIL AND CLOUD THREATS
Protect your people from email and cloud threats with an intelligent and
holistic approach.
CHANGE USER BEHAVIOR
Help your employees identify, resist and report attacks before the damage is
done.
COMBAT DATA LOSS AND INSIDER RISK
Prevent data loss via negligent, compromised and malicious insiders by
correlating content, behavior and threats.
MODERNIZE COMPLIANCE AND ARCHIVING
Manage risk and data retention needs with a modern compliance and archiving
solution.
PROTECT CLOUD APPS
Keep your people and their cloud apps secure by eliminating threats, avoiding
data loss and mitigating compliance risk.
PREVENT LOSS FROM RANSOMWARE
Learn about this growing threat and stop attacks by securing today’s top
ransomware vector: email.
SECURE MICROSOFT 365
Implement the very best security and compliance solution for your Microsoft 365
collaboration suite.
DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE
Secure access to corporate resources and ensure business continuity for your
remote workers.
WHY PROOFPOINT
Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.
SOLUTIONS BY INDUSTRY
Federal Government State and Local Government Higher Education Financial
Services Healthcare Mobile Operators Internet Service Providers Small and Medium
Businesses
PARTNER PROGRAMS
CHANNEL PARTNERS
Become a channel partner. Deliver Proofpoint solutions to your customers and
grow your business.
ARCHIVE EXTRACTION PARTNERS
Learn about the benefits of becoming a Proofpoint Extraction Partner.
GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS
Learn about our global consulting and services partners that deliver fully
managed and integrated solutions.
TECHNOLOGY AND ALLIANCE PARTNERS
Learn about our relationships with industry-leading firms to help protect your
people, data and brand.
SOCIAL MEDIA PROTECTION PARTNERS
Learn about the technology and alliance partners in our Social Media Protection
Partner program.
PROOFPOINT ESSENTIALS PARTNER PROGRAMS
Small Business Solutions for channel partners and MSPs.
PARTNER TOOLS
Become a Channel Partner Channel Partner Portal
RESOURCE LIBRARY
Find the information you're looking for in our library of videos, data sheets,
white papers and more.
BLOG
Keep up with the latest news and happenings in the ever‑evolving cybersecurity
landscape.
PODCASTS
Learn about the human side of cybersecurity. Episodes feature insights from
experts and executives.
THREAT GLOSSARY
Learn about the latest security threats and how to protect your people, data,
and brand.
EVENTS
Connect with us at events to learn how to protect your people and data from
ever‑evolving threats.
CUSTOMER STORIES
Read how Proofpoint customers around the globe solve their most pressing
cybersecurity challenges.
WEBINARS
Browse our webinar library to learn about the latest threats, trends and issues
in cybersecurity.
Watch now to earn your CPE credits
SECURITY HUBS
Get free research and resources to help you protect against threats, build a
security culture, and stop ransomware in its tracks.
Threat Hub
CISO Hub
Cybersecurity Awareness Hub
Ransomware Hub
Insider Threat Management Hub
ABOUT PROOFPOINT
Proofpoint is a leading cybersecurity company that protects organizations'
greatest assets and biggest risks: their people.
WHY PROOFPOINT
Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.
CAREERS
Stand out and make a difference at one of the world's leading cybersecurity
companies.
NEWS CENTER
Read the latest press releases, news stories and media highlights about
Proofpoint.
PRIVACY AND TRUST
Learn about how we handle data and make commitments to privacy and other
regulations.
ENVIRONMENTAL, SOCIAL, AND GOVERNANCE
Learn about our people-centric principles and how we implement them to
positively impact our global community.
SUPPORT
Access the full range of Proofpoint support services.
Learn More
Zeigen Sie weiterhin Inhalte für Ihren Standort an
United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen
Blog
Cloud Security
Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality
that can Ransom Files Stored on SharePoint and OneDrive
PROOFPOINT DISCOVERS POTENTIALLY DANGEROUS MICROSOFT OFFICE 365 FUNCTIONALITY
THAT CAN RANSOM FILES STORED ON SHAREPOINT AND ONEDRIVE
Share with your network!
Facebook Twitter LinkedIn Email App
June 16, 2022 Or Safran, David Krispin, Assaf Friedman and Saikrishna Chavali
Ransomware attacks have traditionally targeted data across endpoints or network
drives. Until now, IT and security teams felt that cloud drives would be more
resilient to ransomware attacks. After all, the now-familiar “AutoSave” feature
along with versioning and the good old recycle bin for files should have been
sufficient as backups. However, that may not be the case for much longer.
Proofpoint has discovered a potentially dangerous piece of functionality in
Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on
SharePoint and OneDrive in a way that makes them unrecoverable without dedicated
backups or a decryption key from the attacker.
Our research focused on two of the most popular enterprise cloud apps -
SharePoint Online and OneDrive within the Microsoft 365 and Office 365 suites
and shows that ransomware actors can now target organizations’ data in the cloud
and launch attacks on cloud infrastructure.
CLOUD RANSOMWARE ATTACK CHAIN
THE ATTACK CHAIN
Proofpoint has identified the attack chain and documented the steps below. Once
executed, the attack encrypts the files in the compromised users’ accounts. Like
with endpoint ransomware activity, those files can only be retrieved with
decryption keys.
The actions outlined below can be automated using Microsoft APIs, command line
interface (CLI) scripts and PowerShell scripts.
1. Initial Access: Gain access to one or more users’ SharePoint Online or
OneDrive accounts by compromising or hijacking users’ identities.
2. Account Takeover & Discovery: The attacker now has access to any file owned
by the compromised user or controlled by the third-party OAuth application
(which would include the user’s OneDrive account as well).
3. Collection & Exfiltration: Reduce versioning limit of files to a low number
such as 1, to keep it easy. Encrypt the file more times than the versioning
limit. With the example limit of 1, encrypt the file twice. This step is
unique to cloud ransomware compared to the attack chain for endpoint-based
ransomware. In some cases, the attacker may exfiltrate the unencrypted files
as part of a double extortion tactic.
4. Monetization: Now all original (pre-attacker) versions of the files are
lost, leaving only the encrypted versions of each file in the cloud account.
At this point, the attacker can ask for a ransom from the organization.
Figure 1: Cloud ransomware attack chain diagram. The collection and exfiltration
phase is unique to Microsoft environments.
LISTS AND DOCUMENT LIBRARIES: MICROSOFT TERMS FOR STORAGE CONTAINERS INSIDE
SHAREPOINT ONLINE SITES AND ONEDRIVE ACCOUNTS
A list is a Microsoft web part that stores content such as tasks, calendars,
issues, photos, files and more within SharePoint Online. OneDrive accounts are
used mainly to store documents.
Document library is the term most associated with OneDrive. A document
library is a special type of list on a SharePoint site or OneDrive account where
you can upload, create, update and collaborate on documents with team members.
The version settings for lists and document libraries are both found under list
settings. In the cloud ransomware attack chain outlined earlier in this post, we
describe the collection and exfiltration step. This is point in the attack chain
when the malicious actor modifies the list settings that will affect all files
within the document library.
DOCUMENT LIBRARY VERSIONING MECHANISM
Every document library in SharePoint Online and OneDrive has a user-configurable
setting for numbers of saved versions. The site owner can change this setting,
and they don’t need to hold an administrator role or associated privileges to do
so. The versioning settings are under list settings for each document library.
Figure 2: Versioning settings for document libraries.
Link: https://support.microsoft.com/en-us/office/enable-and-configure-versioning-for-a-list-or-library-1555d642-23ee-446a-990a-bcab618c7a37
By design, when you reduce the document library version limit, any further
changes to the files in the document library will result in older versions
becoming very hard to restore. (For more on this topic, see the “Responsible
disclosure and discussion” section at the end of this post.)
There are two ways to abuse the versioning mechanism to achieve malicious aims –
creating too many versions of a file or reducing the version limits of a
document library. Edits that increment a version of a file include changes to
the document contents, filename, file metadata and the file encryption status.
The method of too many file versions created works as such:
* Staging: Most OneDrive accounts have a default version limit of 500. An
attacker could edit files within a document library 501 times. Now, the
original (pre-attacker) version of each file is 501 versions old, and
therefore no longer restorable.
* Data encryption: Encrypt the file(s) after each of the 501 edits. Now all 500
restorable versions are encrypted. Organizations cannot independently restore
the original (pre-attacker) version of the files even if they attempt to
increase version limits beyond the number of versions edited by the attacker.
In this case, even if the version limit was increased to 501 or more, the
file(s) saved 501 versions or older cannot be restored.
Encrypting files 500+ times is unlikely to be seen in the wild. It requires more
scripting and more machine resources while making your operation easier to
detect than the next method.
The method of reducing document library versioning works as such:
* Staging: Reduce document library versioning number to a low number such as 1,
to keep it easy. This means only the most recent version of the file before
the last edit is saved and can be restored by a user.
* Data Encryption: Edit each file twice - either by encrypting the file twice
or a combination of encryption, major content changes and file metadata
changes. This will ensure an organization cannot restore the original
(pre-attacker) versions of the file without the decryption key from the
attacker.
Setting the version limit to zero is red herring and will not delete the
versions. The versions will be available to the user in one simple step. Reset
the version limit or manually switch it off and back on.
Files stored in a hybrid state on both endpoint and cloud, such as through cloud
sync folders, will reduce the impact of this novel risks as the attacker won’t
have access to the local and endpoint files. To perform a full ransom flow, the
attacker will have to compromise the endpoint and the cloud account to access
the endpoint and cloud-stored files.
INITIAL ACCESS TO SHAREPOINT ONLINE AND ONEDRIVE USER ACCOUNTS
The three most common paths attackers would take to gain access to one or more
users’ SharePoint Online or OneDrive accounts are:
* Account compromise: Directly compromising the users’ credentials to their
cloud account(s) through phishing, brute-force attacks and other credential
compromise tactics.
* Third-party OAuth applications: Tricking a user to authorize third-party
OAuth apps with application scopes for SharePoint or OneDrive access.
* Hijacked sessions: Either hijacking the web session of a logged-in user or
hijacking a live API token for SharePoint Online and/or OneDrive.
PROTECTING YOUR ORGANIZATION AND SENSITIVE DATA FROM ACTIONS LEADING TO CLOUD
RANSOMWARE
Fortunately, many of the recommendations outlined below should look similar to
the best practices your organizations already would employ to deal with
ransomware on endpoints. We will emphasize the differences when it comes to
protecting your cloud environments.
First, turn on detection of risky file configuration changes for Office 365
accounts with Proofpoint Cloud App Security Broker (CASB). While a user can
accidentally change the setting, it’s not common behavior. If users change it
unknowingly, they should be made aware and ideally increase the version limit.
This will reduce the risk of an attacker compromising users and taking advantage
of already low version limits for those users’ lists.
Second, improve security hygiene around ransomware. This includes addressing:
* Very Attacked People™: Use Proofpoint Targeted Attack Protection (TAP) to
identify and prioritize greater protection for users who face the highest
number of and most threatening cloud, email and web attacks. These users can
be outside your list of very important people such as executives and
privileged users.
* Access management: Maintain a strong password policy, increase the use of
multi-factor authentication (MFA) and instill a least-privilege,
principles-based access policy across cloud applications.
* Disaster recovery and backup: Update disaster recovery and data backup
policies to reduce losses in case of a ransomware attack. Ideally, complete
external backups of cloud files with sensitive data regularly. Don’t rely
only on Microsoft to provide backups through versioning of document
libraries.
* Cloud security: Detect and remediate account compromises and third-party
application abuse. Proofpoint CASB integrates with Proofpoint Nexus Threat
Graph and third-party threat intelligence to stop account takeovers and
third-party application abuse.
* Data loss prevention: Prevent sensitive data downloads and large-scale data
downloads to unmanaged devices to reduce the potential for double-extortion
tactics in ransomware. Proofpoint CASB provides customizable policies to help
you protect your data on unmanaged devices. And Proofpoint Insider Threat
Management helps you teach negligent users better security practices and
collect evidence on malicious insiders if they make configuration changes.
And finally, you may want to add the following to your response and
investigation strategies, in case the risky configurations’ change detectors are
triggered:
* Increase restorable versions for the affected document libraries in your M365
or O365 settings immediately.
* Look for any previous account compromise or risky configuration change alerts
for the affected Office 365 account.
* Hunt for suspicious third-party app activity. If found, revoke OAuth tokens
for malicious or unused third-party apps in the environment.
* Identify other risky behavior patterns associated with the users(s) across
cloud, email, web and endpoint, such as negligence in handling sensitive data
or risky data movement.
RESPONSIBLE DISCLOSURE AND DISCUSSION
Prior to this blog, Proofpoint followed Microsoft’s disclosure path and received
a couple of responses.
Their claims are as follows:
* The configuration functionality for versioning settings within lists is
working as intended
* Older versions of files can be potentially recovered and restored for an
additional 14 days with the assistance of Microsoft Support.
However, Proofpoint attempted to retrieve and restore old versions through this
process (i.e., with Microsoft Support) and was not successful. Secondly, even if
the versioning settings configuration workflow is as intended, Proofpoint has
shown that it can be abused by attackers towards cloud ransomware aims.
For more information on how Proofpoint can protect against ransomware, visit our
Ransomware Hub.
Previous Blog Post
Next Blog Post
Subscribe to the Proofpoint Blog
*
Business Email:
Select
*
Blog Interest:
AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail
and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat
ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity
BriefsThreat Insight
Submit
ABOUT
* Overview
* Why Proofpoint
* Careers
* Leadership Team
* News Center
* Nexus Platform
* Privacy and Trust
THREAT CENTER
* Threat Hub
* Cybersecurity Awareness Hub
* Ransomware Hub
* Threat Glossary
* Threat Blog
* Daily Ruleset
PRODUCTS
* Email Security & Protection
* Advanced Threat Protection
* Security Awareness Training
* Cloud Security
* Archive & Compliance
* Information Protection
* Digital Risk Protection
* Product Bundles
RESOURCES
* White Papers
* Webinars
* Data Sheets
* Events
* Customer Stories
* Blog
* Free Trial
CONNECT
* +1-408-517-4710
* Contact Us
* Office Locations
* Request a Demo
SUPPORT
* Support Login
* Support Services
* IP Address Blocked?
* Facebook
* Twitter
* linkedin
* Youtube
* English (US)
* English (UK)
* English (AU)
* Español
* Deutsch
* Français
* Italiano
* Português
* 日本語
* 한국어
© 2022. All rights reserved. Terms and conditions Privacy Policy Sitemap