<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sensitive-Data - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sensitive-data/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sensitive-data/feed.xml" rel="self" type="application/rss+xml"/><item><title>SharePoint Sensitive Term Discovery via O365 Logs</title><link>https://feed.craftedsignal.io/briefs/2024-01-sharepoint-sensitive-term-discovery/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-sharepoint-sensitive-term-discovery/</guid><description>Adversaries may search for sensitive terms within SharePoint to identify valuable data for exfiltration or further compromise, leaving traces in O365 audit logs.</description><content:encoded><![CDATA[<p>While the provided document focuses on a detection rule name within the Elastic detection-rules repository on GitHub, it doesn't directly describe an active threat or campaign. The title &quot;discovery_sharepoint_sensitive_term_search&quot; implies a potential attack vector where malicious actors attempt to locate sensitive information stored within a SharePoint environment. The adversary would likely leverage search functionalities, leaving audit trails within Microsoft 365 (O365) logs. Successful identification of sensitive data could lead to data exfiltration, privilege escalation, or further targeted attacks. Defenders need to monitor for unusual search activity and access patterns within SharePoint to detect potential reconnaissance attempts. This highlights the importance of robust logging and monitoring within cloud-based collaboration platforms like SharePoint.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a compromised account or through an insider threat.</li>
<li>The attacker authenticates to the Microsoft 365 environment.</li>
<li>The attacker begins performing searches within SharePoint, targeting potentially sensitive terms (e.g., &quot;password,&quot; &quot;financial,&quot; &quot;confidential&quot;).</li>
<li>SharePoint processes the search queries and returns results based on the attacker's permissions.</li>
<li>Microsoft 365 logs the search activity, including the user, timestamp, and search terms used.</li>
<li>The attacker reviews the search results and identifies documents or sites containing sensitive information.</li>
<li>The attacker accesses and potentially downloads the sensitive documents.</li>
<li>The attacker exfiltrates the data or uses it to further compromise the environment (e.g., privilege escalation).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful discovery of sensitive terms within SharePoint could expose confidential data, intellectual property, or personally identifiable information (PII). The impact could range from reputational damage and financial losses due to regulatory fines to compromised business operations and competitive disadvantage. The number of victims depends on the scope of the targeted SharePoint environment, but even a single successful breach can have significant consequences.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and actively monitor Microsoft 365 Unified Audit Logging to capture SharePoint search activities (Attack Chain step 5).</li>
<li>Deploy the Sigma rule provided to detect suspicious searches for sensitive terms within SharePoint audit logs.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the risk of compromised accounts (Attack Chain step 1).</li>
<li>Review and enforce least privilege access principles for SharePoint to limit the potential impact of a successful breach (Attack Chain step 6).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>sharepoint</category><category>discovery</category><category>sensitive-data</category><category>o365</category></item></channel></rss>