Uncovering the Latest SharePoint Vulnerabilities: How Hackers Can Stealthily Steal Files

TL;DR Summary
Researchers have discovered two techniques that allow attackers to bypass audit logs or generate less severe entries when downloading files from Microsoft SharePoint, potentially enabling silent data exfiltration. The first technique takes advantage of SharePoint's "Open in App" feature to avoid generating a "FileDownloaded" event in audit logs, while the second involves spoofing the User-Agent string to make file downloads appear as data syncing events. Microsoft has added these flaws to a patch backlog for future fixing, so SharePoint admins should monitor for unusual access activity and device introductions while awaiting patches.
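The monitoring advice above can be turned into a simple audit-log check. The following is an added example, not code from the original article or from Microsoft. It assumes records exported from the Microsoft 365 unified audit log with the fields shown, and the operation names `FileAccessed` and `FileSyncDownloadedFull` (Microsoft 365 audit operations not named in the summary); the sample records, the per-user IP baseline and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like unified audit log entries (not real data).
def _rec(minute, user, op, obj, ip):
    return {"CreationTime": f"2024-04-09T10:{minute:02d}:00", "UserId": user,
            "Operation": op, "ObjectId": obj, "ClientIP": ip}

SAMPLE = (
    [_rec(m, "alice@example.com", "FileAccessed", f"/docs/plan{m}.docx", "192.0.2.10")
     for m in range(6)]
    + [_rec(1, "bob@example.com", "FileAccessed", "/docs/a.xlsx", "192.0.2.20"),
       _rec(2, "bob@example.com", "FileDownloaded", "/docs/a.xlsx", "192.0.2.20"),
       _rec(3, "bob@example.com", "FileSyncDownloadedFull", "/docs/b.xlsx", "192.0.2.20"),
       _rec(4, "carol@example.com", "FileSyncDownloadedFull", "/docs/c.pdf", "198.51.100.7")]
)
# Hypothetical baseline: source IPs already seen syncing for each user.
KNOWN_SYNC_IPS = {"bob@example.com": {"192.0.2.20"}, "carol@example.com": {"192.0.2.30"}}

def find_suspects(records, known_ips, burst=5, window=timedelta(minutes=10)):
    """Return sorted (user, reason) pairs for the two patterns described above."""
    accessed, downloaded, findings = defaultdict(list), defaultdict(set), set()
    for r in records:
        user, op = r["UserId"], r["Operation"]
        if op == "FileDownloaded":
            downloaded[user].add(r["ObjectId"])
        elif op == "FileAccessed":
            ts = datetime.strptime(r["CreationTime"], "%Y-%m-%dT%H:%M:%S")
            accessed[user].append((ts, r["ObjectId"]))
        elif op == "FileSyncDownloadedFull" and r["ClientIP"] not in known_ips.get(user, set()):
            # Sync-labelled download from a source with no sync history for this user.
            findings.add((user, "sync-from-unknown-ip"))
    for user, events in accessed.items():
        # Keep accesses that have no FileDownloaded record for the same file.
        times = sorted(t for t, obj in events if obj not in downloaded[user])
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= burst:
                findings.add((user, "access-burst-without-download"))
                break
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in find_suspects(SAMPLE, KNOWN_SYNC_IPS):
        print(user, reason)
```

Tune `burst` and `window` against normal usage in the tenant, since users who legitimately open many files in desktop apps will also produce access-only runs.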
Read on BleepingComputer