SharePoint Audit Logs Exploited: New Evasion Techniques Found

Varonis has disclosed two methods by which file downloads from SharePoint can evade the audit logs or leave less conspicuous entries in them.

The first method employs the SharePoint “Open in App” feature, allowing documents to be opened in Word rather than in a web browser. Such an action generates an “Access” event in the audit logs instead of “File Downloaded,” which an administrator might overlook. Particularly hazardous is the fact that the URL obtained through this access method does not expire, enabling unrestricted file downloads.

The second approach involves altering the User-Agent string when requesting file access, making file downloads through the browser or Microsoft Graph API appear as data synchronization events (Microsoft SkyDriveSync), thereby reducing suspicions from security services.

Varonis reported these vulnerabilities to Microsoft in November 2023, and the company has listed them for future resolution, although they were marked as “not requiring immediate correction.”

Varonis advises monitoring for a high level of access activity over a short period and the emergence of new devices from unusual locations, which may indicate unauthorized data extraction. It is also recommended to meticulously review synchronization events for anomalies in frequency and data volumes.

Microsoft has confirmed that SharePoint is functioning as intended, reporting access to files through the audit log. The company recommends utilizing the FileAccessed, FileDownloaded, FileSyncDownloadedFull, and FileSyncDownloadedPartial events for monitoring file access.
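As an added example, not taken from Varonis's or Microsoft's material, the Python below applies the two checks recommended above to constructed sample audit records: a burst of file-access events by one user in a short window, and sync-download events from a client IP outside a hypothetical per-user baseline. Field names follow the Office 365 audit schema; the records, IPs and baseline are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event names Microsoft recommends monitoring (as named on the page).
ACCESS_OPS = {"FileAccessed", "FileDownloaded",
              "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
# Constructed sample audit records (JSON lines). Field names follow the
# Office 365 audit schema; every value here is invented for this example.
SAMPLE_LOG = """\
{"CreationTime":"2024-04-10T09:00:05","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T09:00:41","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T09:01:12","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T09:01:50","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T09:02:33","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T10:15:00","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"192.0.2.8","UserAgent":"Mozilla/5.0"}
{"CreationTime":"2024-04-10T11:30:00","Operation":"FileSyncDownloadedFull","UserId":"carol@example.com","ClientIP":"198.51.100.7","UserAgent":"Microsoft SkyDriveSync"}
"""
# Hypothetical per-user baseline of client IPs seen during normal sync activity.
KNOWN_SYNC_IPS = {"carol@example.com": {"192.0.2.5"}}

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def burst_users(records, threshold=5, window=timedelta(minutes=5)):
    """Map user -> peak number of file-access events inside any `window`."""
    times = defaultdict(list)
    for r in records:
        if r["Operation"] in ACCESS_OPS:
            times[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):          # sliding window over sorted times
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def sync_from_new_ips(records, baseline):
    """Sync-download events whose client IP is not in the user's baseline."""
    return [(r["UserId"], r["ClientIP"], r.get("UserAgent", ""))
            for r in records
            if r["Operation"] in SYNC_OPS
            and r["ClientIP"] not in baseline.get(r["UserId"], set())]
```

On the sample log, alice is flagged for five access events within five minutes and carol's sync download from an unknown IP is reported for review; the threshold and window are tuning knobs, not recommended values.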