From Feature to Weapon: Breaking Microsoft Teams and SharePoint Integrity

Presented at DEF CON 31 (2023), Aug. 12, 2023, noon (45 minutes)

Microsoft SharePoint Online (SPO) is a cloud-based service that helps organizations share and manage content. It is also used as backend file storage for other Microsoft online services, such as Microsoft 365 Groups, OneDrive, and Teams. Microsoft offers tools such as Migration Manager and SharePoint Migration Tool (SPMT) to ease migrating files from on-premises file servers to SPO, OneDrive, and Teams. Both tools use the same background APIs to perform the data migration. Technically, the migration is leveraging the built-in Granular Backup feature of on-premises SharePoint, which allows exporting and importing individual SharePoint sites and lists. The Granular Backup feature is not available in SharePoint Online. In this talk, I'll show how threat actors can leverage SPO migration APIs to break the integrity of all Microsoft online services that use SPO as storage. Threat actors can spoof new content and tamper with existing content, and inject custom code to perform XSS attacks. This, in turn, enables elevation-of-privilege attacks to all Microsoft Online services, including Azure Active Directory. And all this as a regular user.

Presenters:

• Dr. Nestori Syynimaa - Senior Principal Security Researcher at Secureworks   as Dr Nestori Syynimaa
  Dr Nestori Syynimaa is one of the leading Azure AD / M365 experts in the world and the developer of the AADInternals toolkit. He has worked with Microsoft cloud services for over a decade and has been MCT since 2013, MVP since 2020, and awarded Microsoft Most Valuable Security Researcher for 2022. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit. Before moving to his current position, Dr Syynimaa worked as a CIO, consultant, trainer, researcher, and university lecturer for almost 20 years. Dr Syynimaa has spoken in many international scientific and professional conferences, including IEEE TrustCom, Black Hat (USA, Europe, and Asia), Def Con, and RSA Conference.

Links:

• https://forum.defcon.org/node/246102

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Project MVP - Hacking and Protecting SharePoint
• DEF CON 29 (2021) / Don't Dare to Exploit - An Attack Surface Tour of SharePoint Server
• DerbyCon 3.0 All in the Family (2013) / TMI: How to attack SharePoint servers and tools to make it easier