Bypass Record

Valid Accounts × Microsoft OneDrive

A publicly-reported instance of Valid Accounts bypassing Microsoft OneDrive, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft OneDrive
Technique: Valid Accounts
MITRE ATT&CK: T1078
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-08-08
Config / version noted: Not stated

Provenance

Reported as

evading standard endpoint security detection

Mechanism

After initial access, the attacker steals the victim's OneDrive access token. The attacker then creates junctions inside the local OneDrive sync folder that point at files outside the sync directory, which brings those files into the client's sync scope. Using the stolen token, the attacker remotely encrypts the files in the victim's OneDrive cloud storage; the native OneDrive client syncs the encrypted versions back to the local machine, effectively encrypting local files without executing code on the endpoint.

Detection & mitigation

Monitor for anomalous OneDrive token usage, such as access from unusual locations or devices. On endpoints, detect the creation of junction points inside OneDrive sync directories (in particular junctions whose target lies outside the sync root) and bursts of mass file modifications arriving from the cloud via sync. Enforce conditional access policies and MFA to protect tokens.
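The two endpoint-side checks above, as an added example that is not taken from the cited source: a PowerShell script that lists junctions and symbolic links under the OneDrive sync root, flags those whose target escapes the root, and reports a burst of recently modified files. It assumes the OneDrive client has set the `$env:OneDrive` environment variable (override with `-SyncRoot`), and the window and threshold values are illustrative defaults, not figures from the record.

```powershell
# Added example (not from the cited source): hunt for junctions/symlinks inside the
# OneDrive sync folder and for bursts of recent modifications synced from the cloud.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; $env:OneDrive points at the
# sync root (set by the OneDrive client). RecentMinutes/MassModifyThreshold are
# illustrative tuning values.
param(
    [string]$SyncRoot = $env:OneDrive,
    [int]$RecentMinutes = 60,
    [int]$MassModifyThreshold = 200
)

if (-not $SyncRoot -or -not (Test-Path -LiteralPath $SyncRoot)) {
    throw "OneDrive sync root not found; pass -SyncRoot <path>."
}
$SyncRoot = (Resolve-Path -LiteralPath $SyncRoot).Path

# 1. Reparse points (junctions and symbolic links) anywhere under the sync root.
#    A junction whose target is outside the root pulls foreign files into sync scope.
$links = Get-ChildItem -LiteralPath $SyncRoot -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -in @('Junction', 'SymbolicLink') }

foreach ($link in $links) {
    # .Target is string[] on 5.1 and string on 7; normalise to a single string.
    $target = [string]($link.Target | Select-Object -First 1)
    $escapes = $false
    if ($target) {
        $escapes = -not $target.StartsWith($SyncRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Finding               = 'ReparsePointInSyncRoot'
        Path                  = $link.FullName
        LinkType              = $link.LinkType
        Target                = $target
        PointsOutsideSyncRoot = $escapes
    }
}

# 2. Burst of recent file modifications (cloud-side encryption arriving through sync).
$cutoff = (Get-Date).AddMinutes(-$RecentMinutes)
$recent = @(Get-ChildItem -LiteralPath $SyncRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff })

if ($recent.Count -ge $MassModifyThreshold) {
    # Summarise the most common extensions; a sudden new extension across many
    # files is a typical ransomware signature.
    $topExt = $recent | Group-Object Extension | Sort-Object Count -Descending |
        Select-Object -First 5 | ForEach-Object { "$($_.Name)=$($_.Count)" }
    [pscustomobject]@{
        Finding          = 'MassModification'
        Count            = $recent.Count
        WindowMinutes    = $RecentMinutes
        TopExtensions    = ($topExt -join ', ')
    }
}
```

Run it periodically (for example from a scheduled task) or wire the emitted objects into your EDR or SIEM; the `PointsOutsideSyncRoot` flag is the higher-signal indicator, since the client's own placeholders and normal user activity rarely involve junctions that leave the sync folder. Token-side anomalies (unusual locations or devices) are not visible from the endpoint and need the identity provider's sign-in logs.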

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.