SharePoint Security

On January 14th, 2025, Microsoft announced that a security vulnerability had been discovered in its file sharing service, SharePoint. It allowed attackers to upload malicious files capable of running scripts on the machine of any user who visited a spoofed SharePoint folder. The issue has since been resolved, but anyone still hosting a SharePoint server on an old version remains at risk.

Cross-Site Scripting

A compromised Microsoft account could be used to upload malicious files to a SharePoint folder, which would then run scripts in the browser of any user who attempted to visit it, via a vulnerability known as Cross-Site Scripting. Cross-Site Scripting (XSS) is a common browser-based vulnerability that results from a web program handling user input improperly. It is exploitable in situations where a program accepts input from a user but does not verify that the input is safe to process. Extreme cases allow users to write code directly in a comment section, video description, blog post, etc., to be executed by the browser of anyone who loads the page.
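The difference between unsafe and safe handling of user-supplied names, as an added example that is not code from Microsoft or from the original post. It does not reproduce the SharePoint flaw, whose details this page does not give; the listing renderer, its function names and the sample items are assumptions made for illustration.

```javascript
// Added example: a hypothetical folder-listing renderer, not SharePoint code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change how the browser parses HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-supplied name is pasted into markup as-is,
// so any tags inside it become part of the page.
function renderListingUnsafe(items) {
  return "<ul>" + items.map((i) => `<li class="${i.kind}">${i.name}</li>`).join("") + "</ul>";
}

// Hardened pattern: kind is restricted to an allowlist and name is encoded,
// so the browser displays the name as text instead of parsing it.
const ALLOWED_KINDS = new Set(["file", "folder"]);
function renderListingSafe(items) {
  const rows = items.map((i) => {
    const kind = ALLOWED_KINDS.has(i.kind) ? i.kind : "file";
    return `<li class="${kind}">${escapeHtml(i.name)}</li>`;
  });
  return "<ul>" + rows.join("") + "</ul>";
}

// Constructed sample input: one ordinary folder, one name carrying markup.
const sampleItems = [
  { kind: "folder", name: "Q1 Reports" },
  { kind: "folder", name: 'Invoices<img src=x onerror="alert(1)">' },
];

console.log(renderListingUnsafe(sampleItems)); // markup from the name survives
console.log(renderListingSafe(sampleItems));   // markup from the name is inert text
```

Output encoding of this kind belongs at the point where untrusted text is written into a page, on every code path that renders it.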

SharePoint Exploitation

In the case of SharePoint, it was recently discovered that attackers could upload malicious files disguised as folders. These fake folders would be processed by a user’s browser as instructions to run scripts, even going so far as to give the attacker remote access to the target’s desktop and control of their mouse.

In order to do this, an attacker would need access to a Microsoft account that is authorized to upload to SharePoint. This does limit the risk; however, if an account is compromised, the attacker can spread malicious files with relative ease via legitimate sharing notifications from SharePoint. Because these notifications direct users to legitimate SharePoint links and are sent automatically from a trusted Microsoft address (no-reply@sharepointonline.com), they pass every security check with flying colors. Even those trained to recognize phishing attempts would have no indication that the notification was malicious.

Prevention

How can users ensure this doesn’t happen to them?

  • Use Multi-Factor Authentication (MFA).
  • If you believe that an account has been compromised, do not interact with any emails, links, or files that are sent from it.
  • Always ensure that you are using the most recent version of a program.
  • Ensure that your browser only operates with the necessary permissions to lower the severity of an incident should it occur.

 

The discovery of this vulnerability should serve as a reminder of the risks involved with using outdated software. Those who have not applied this SharePoint patch leave themselves exposed to attack.
