Staying Sneaky in the Office (365)

Christian Philipov

fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone

Christian Philipov, a principal security consultant at WithSecure (formerly F-Secure), presented research into lesser-known SharePoint APIs that enable offensive operations while evading Microsoft's improving detection capabilities around **Microsoft Graph**. The talk delivered three practical findings: a SharePoint enumeration technique that avoids Graph API logging, a token exchange mechanism that mints access tokens for various Microsoft resources from within SharePoint, and a pre-authentication download bypass that circumvents both anonymous sharing restrictions and IP-based network access controls. All three techniques exploit legitimate SharePoint functionality that generates audit events indistinguishable from normal user activity, making detection extraordinarily difficult.

AI review

Three practically useful offensive techniques against SharePoint that bypass Graph API monitoring and circumvent security controls organizations think are protecting them. The pre-authentication download bypass is the standout -- a pre-signed URL that ignores sharing restrictions AND IP-based network controls, generated automatically on every file access. This is the kind of research that immediately goes into the toolkit.
