Conference:  Defcon 31

Authors: Dr Nestori Syynimaa Senior Principal Security Researcher, Secureworks

2023-08-01

Microsoft SharePoint Online (SPO) is a cloud-based service that helps organizations share and manage content. It is also used as backend file storage for other Microsoft online services, such as Microsoft 365 Groups, OneDrive, and Teams. Microsoft offers tools such as Migration Manager and SharePoint Migration Tool (SPMT) to ease migrating files from on-premises file servers to SPO, OneDrive, and Teams. Both tools use the same background APIs to perform the data migration. Technically, the migration is leveraging the built-in Granular Backup feature of on-premises SharePoint, which allows exporting and importing individual SharePoint sites and lists. The Granular Backup feature is not available in SharePoint Online. In this talk, I'll show how threat actors can leverage SPO migration APIs to break the integrity of all Microsoft online services that use SPO as storage. Threat actors can spoof new content and tamper with existing content, and inject custom code to perform XSS attacks. This, in turn, enables elevation-of-privilege attacks to all Microsoft Online services, including Azure Active Directory. And all this as a regular user.