SaaS Ransomware Attack Hit SharePoint Online Without Using a Compromised Endpoint

A SaaS ransomware attack against a company's SharePoint Online tenant was carried out without touching a compromised endpoint.

SharePoint Online (Microsoft 365) Ransomware Attack

Cybersecurity firm Obsidian has observed a successful ransomware attack against SharePoint Online (Microsoft 365) that was carried out through a compromised Microsoft 365 Global Administrator account rather than the more usual route of a compromised endpoint.

The attack was analyzed post-compromise, when the victim engaged Obsidian's product and research teams to establish the finer points of what had happened. In its blog account of the incident, Obsidian did not disclose the victim, but believes the attacker was the group known as 0mega.

Once in, the attacker created a new Azure Active Directory (Azure AD) user called 0mega and granted it elevated privileges, including the Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator roles, together with site collection administrator rights on multiple SharePoint sites and site collections. The attacker then removed more than 200 existing administrators within a two-hour period.

SharePoint ransomware attack

The attack involved data theft alone; no files were encrypted. After exfiltrating hundreds of files, the attacker uploaded thousands of PREVENT-LEAKAGE.txt files to the victim's SharePoint sites. These served to alert the victim to the theft and to provide a channel for contacting the attacker, that is, for negotiating a payment to keep the stolen data from being published online.

Obsidian suspects this might be the beginning of a trend. “We expect this trend to grow,” the researchers told SecurityWeek. “The attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future. We also suspect it will grow because there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products.”

Relying on data theft alone rather than theft followed by encryption is a growing practice. It spares the attacker the reputational damage of a decryptor that fails to work after payment, and it is simpler to operate.

Obsidian believes the 0mega group (recognizable by the created account name, other observables, and the infrastructure used) was behind the attack. 0mega first became visible in July 2022, when a report noted it was using double extortion (ransomware plus data theft) and operating a leak site that claimed 152 GB of data stolen from an electronics repair company in May 2022.

If Obsidian is correct in attributing the attack to 0mega, we may yet learn the victim's identity from the group's leak site should the victim refuse to pay.


The obvious lesson from this attack is to require MFA, preferably for all accounts but most especially for highly privileged ones. Attackers obtain credentials from many sources: their own phishing campaigns, password guessing, dark web credential dumps, or initial access brokers. Requiring MFA makes stolen credentials harder to use, but not, says Obsidian, impossible.

“Even if the administrative account had MFA enabled, the attacker could have obtained or paid for the password on a forum, and then performed MFA push fatigue attacks,” said the researchers. “Ultimately” they added, “companies can further harden their environments against these attacks; for example, by using phishless technologies like WebAuthn.”
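The push-fatigue scenario Obsidian describes leaves a recognizable trace in Entra ID (Azure AD) sign-in logs: a run of denied or timed-out Authenticator prompts for one user, followed by a success. The following is an added example, not code from Obsidian or Microsoft, of flagging that sequence in exported sign-in records. It assumes each record carries createdDateTime, userPrincipalName, ipAddress and status.errorCode, that error code 500121 marks a failed strong-authentication request and 0 a successful sign-in, and that a 30-minute window and five denied prompts are reasonable tuning knobs; the sample records are constructed.

```python
"""Added example: flag MFA push-fatigue sequences in exported Entra ID sign-in
records.  Field names and the meaning of error code 500121 are assumptions;
the sample records are constructed, not real sign-in data."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121         # strong-authentication request failed/denied/timed out (assumed)
FATIGUE_WINDOW = timedelta(minutes=30)
MIN_DENIED_PROMPTS = 5      # denials before an approval that we treat as suspicious


def _signin(ts, user, ip, code):
    return {"createdDateTime": ts.isoformat(), "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


def build_sample_signins():
    """Constructed: bob denies 8 prompts in 15 minutes, then one is approved;
    alice fails one prompt and then signs in normally (benign)."""
    t0 = datetime(2023, 6, 1, 1, 0, 0)
    rows = [_signin(t0 + timedelta(minutes=2 * i), "bob@victim.example",
                    "203.0.113.10", MFA_FAILED) for i in range(8)]
    rows.append(_signin(t0 + timedelta(minutes=17), "bob@victim.example",
                        "203.0.113.10", 0))
    rows.append(_signin(t0, "alice@victim.example", "198.51.100.7", MFA_FAILED))
    rows.append(_signin(t0 + timedelta(minutes=1), "alice@victim.example",
                        "198.51.100.7", 0))
    return rows


def detect_push_fatigue(signins):
    """One finding per approval that was preceded by >= MIN_DENIED_PROMPTS
    MFA failures for the same user inside FATIGUE_WINDOW."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["userPrincipalName"]].append(
            (datetime.fromisoformat(s["createdDateTime"]),
             s["status"]["errorCode"], s["ipAddress"]))
    findings = []
    for user, rows in by_user.items():
        rows.sort()
        denied = []  # (timestamp, ip) of failures still inside the window
        for ts, code, ip in rows:
            denied = [d for d in denied if ts - d[0] <= FATIGUE_WINDOW]
            if code == MFA_FAILED:
                denied.append((ts, ip))
            elif code == 0 and len(denied) >= MIN_DENIED_PROMPTS:
                findings.append({"user": user, "denied_prompts": len(denied),
                                 "source_ips": sorted({d[1] for d in denied}),
                                 "approved_at": ts.isoformat()})
                denied = []
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(build_sample_signins()):
        print(finding)
```

The finding is only a trigger for investigation: the approval that follows the run of denials is the moment the stolen password became a working session, so the source IP and the sessions issued after `approved_at` are where to start. The durable fix is the one Obsidian names, phishing-resistant MFA such as WebAuthn, which removes the approve-button that fatigue attacks rely on.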

“Companies,” concludes the report, “pour hundreds of thousands to millions of dollars into SaaS to enable their business, commonly entrusting regulated, confidential, and otherwise sensitive information to these applications. While meaningful progress has been made on endpoint, network, and cloud threat detection, SaaS threat detection remains an area that many companies are still only beginning to consider.”

It recommends hardening SaaS controls, reining in excessive privileges, and revoking unsanctioned or high-risk integrations, together with consolidating and analyzing the associated SaaS audit and activity logs to uncover patterns consistent with a breach, an insider threat, or a compromised third-party integration.
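The role grants, the two-hour admin purge, the bulk download and the PREVENT-LEAKAGE.txt uploads described above are each recorded in the Microsoft 365 Unified Audit Log as they happen, which is exactly the SaaS audit-log analysis the report recommends. The following is an added example, not Obsidian's code or tooling, of hunting for that sequence in exported audit records. It assumes the records carry the public audit-schema fields CreationTime, Operation, UserId, Workload, ObjectId, ModifiedProperties, SourceFileName and SiteUrl; the account name, thresholds and every record are constructed for illustration.

```python
"""Added example: hunt exported Microsoft 365 Unified Audit Log records for the
admin-takeover sequence in the article.  Schema assumed; data constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}
WINDOW = timedelta(hours=2)  # the two-hour admin purge in the article
REMOVAL_THRESHOLD = 10       # role removals by one actor inside WINDOW
DOWNLOAD_THRESHOLD = 100     # file downloads by one actor inside WINDOW
NOTE_THRESHOLD = 50          # distinct sites receiving one file name
ACTOR = "0mega@victim.example"  # hypothetical attacker-created account


def _event(ts, op, actor, workload, **extra):
    rec = {"CreationTime": ts.isoformat(), "Operation": op,
           "UserId": actor, "Workload": workload}
    rec.update(extra)
    return rec


def build_sample_log():
    """Constructed: an admin grants roles to ACTOR, ACTOR purges admins,
    bulk-downloads files, then drops PREVENT-LEAKAGE.txt on 60 sites."""
    t0 = datetime(2023, 6, 1, 2, 0, 0)
    log = []
    for i, role in enumerate(sorted(PRIVILEGED_ROLES) + ["Reports Reader"]):
        log.append(_event(t0 + timedelta(minutes=i), "Add member to role.",
                          "it-admin@victim.example", "AzureActiveDirectory",
                          ObjectId=ACTOR, ModifiedProperties=[
                              {"Name": "Role.DisplayName", "NewValue": role}]))
    for i in range(12):
        log.append(_event(t0 + timedelta(minutes=5 + 2 * i),
                          "Remove member from role.", ACTOR, "AzureActiveDirectory",
                          ObjectId=f"admin{i}@victim.example"))
    for i in range(150):
        log.append(_event(t0 + timedelta(minutes=40, seconds=i),
                          "FileDownloaded", ACTOR, "SharePoint",
                          SourceFileName=f"contract-{i}.docx",
                          SiteUrl="https://victim.sharepoint.com/sites/finance/"))
    for i in range(60):
        log.append(_event(t0 + timedelta(minutes=50, seconds=i),
                          "FileUploaded", ACTOR, "SharePoint",
                          SourceFileName="PREVENT-LEAKAGE.txt",
                          SiteUrl=f"https://victim.sharepoint.com/sites/s{i}/"))
    for i in range(3):  # benign noise: an ordinary user's downloads
        log.append(_event(t0 + timedelta(minutes=41, seconds=i),
                          "FileDownloaded", "alice@victim.example", "SharePoint",
                          SourceFileName=f"memo-{i}.docx",
                          SiteUrl="https://victim.sharepoint.com/sites/hr/"))
    return log


def privileged_role_grants(events):
    """(actor, target, role) for every grant of a role in PRIVILEGED_ROLES."""
    grants = []
    for e in events:
        if e["Operation"] != "Add member to role.":
            continue
        for prop in e.get("ModifiedProperties", []):
            if (prop.get("Name") == "Role.DisplayName"
                    and prop.get("NewValue") in PRIVILEGED_ROLES):
                grants.append((e["UserId"], e["ObjectId"], prop["NewValue"]))
    return grants


def _bursts(events, threshold):
    """{actor: peak} for actors with >= threshold events in any WINDOW span."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[actor] = peak
    return hits


def ransom_note_floods(events):
    """{'actor:filename': sites} where one name reached >= NOTE_THRESHOLD sites."""
    sites = defaultdict(set)
    for e in events:
        if e["Workload"] == "SharePoint" and e["Operation"] == "FileUploaded":
            sites[f"{e['UserId']}:{e['SourceFileName']}"].add(e["SiteUrl"])
    return {k: len(v) for k, v in sites.items() if len(v) >= NOTE_THRESHOLD}


def hunt(events):
    """All four checks; one actor tripping several of them is the pattern."""
    removals = [e for e in events if e["Operation"] == "Remove member from role."]
    downloads = [e for e in events if e["Operation"] == "FileDownloaded"]
    return {"privileged_grants": privileged_role_grants(events),
            "admin_removal_bursts": _bursts(removals, REMOVAL_THRESHOLD),
            "download_bursts": _bursts(downloads, DOWNLOAD_THRESHOLD),
            "ransom_note_floods": ransom_note_floods(events)}
```

Run `hunt()` over a day's export from Search-UnifiedAuditLog (or the equivalent Graph export) rather than over the constructed log. The privileged-role check is worth alerting on individually; the burst and flood checks are tuned so that a single newly created account tripping all three in one window, as 0mega did here, stands out from routine administration.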


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
