Black Hat 2023

One Drive. Double Agent. Clouded OneDrive Turns Sides

Black Hat · 1,777 views · 39:37 · about 2 years ago

This talk demonstrates a novel technique that weaponizes the legitimate Microsoft OneDrive synchronization process to perform unauthorized file encryption, effectively creating a 'living-off-the-land' ransomware attack. By leveraging directory junctions and extracting authentication tokens from OneDrive logs, an attacker can manipulate files in the cloud without executing malicious code on the victim's endpoint; the sync client then applies those changes to the local disk. The research highlights how a trusted cloud storage agent can be abused to evade EDR solutions and to sidestep security features such as Controlled Folder Access. The presenter also releases a tool, DoubleDrive, that automates the attack flow.

Weaponizing OneDrive: How to Turn a Trusted Sync Agent into a Stealthy Ransomware Engine

TLDR: Researchers have shown that Microsoft OneDrive can be weaponized to perform unauthorized file encryption, effectively creating a living-off-the-land ransomware attack. By leveraging directory junctions and extracting authentication tokens from local logs, an attacker can manipulate files in the cloud without executing any malicious code on the victim's endpoint. The technique was not detected by the major EDR solutions tested and sidesteps security features like Controlled Folder Access, demonstrating that even trusted, pre-installed applications can be turned against the systems they are meant to protect.

Security researchers often focus on finding the next browser zero-day or kernel exploit, but the most dangerous attacks are frequently those that abuse the tools we already trust. The research presented at Black Hat 2023 on Microsoft OneDrive is a clear example. Instead of dropping a custom binary that triggers every heuristic engine in the stack, an attacker can recruit the OneDrive sync client to do the heavy lifting. This is not a theoretical exploit; it is a practical, stealthy way to achieve full data encryption while remaining invisible to the endpoint security products the researchers tested.

The Mechanics of the DoubleDrive Attack

The core of this technique relies on the fact that OneDrive is designed to synchronize files between a local directory (the sync root) and the cloud. It is installed by default on almost every Windows machine, making it a ubiquitous target. The attack flow is simple. First, an attacker gains initial access to a target machine with ordinary user privileges. Rather than deploying a traditional ransomware payload, the attacker creates directory junctions using the Windows mklink command (mklink /J).

By creating these junctions inside the OneDrive sync folder, an attacker tricks the OneDrive client into synchronizing arbitrary local directories that it would not normally touch: the client sees a directory under its sync root and uploads it, even though the data lives elsewhere on disk. Once the target files are being synced, the attacker needs to control the cloud-side operations. This is where parsing of the ODL (OneDrive Log) files comes into play. The OneDrive client writes its authentication tokens into these local log files. An attacker with user-level permissions can read the logs, extract the active session token, and use it to interact with the OneDrive API as the victim.

With the token in hand, the attacker can perform remote file operations: upload, modify, or delete files in the victim's cloud storage. Because these requests are ordinary, authenticated calls to the legitimate OneDrive API, they are rarely flagged as malicious. The attacker's cloud-side changes are then pulled down by the sync client and applied to the local disk, so the victim's own cloud storage becomes the channel through which the ransomware's file operations reach the endpoint.
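The junction step above is the one a defender can check for directly on disk. The following is an added example, not code from the talk or from the DoubleDrive tool: it walks a sync root, finds every directory junction (or symlink) under it, and reports the ones whose target lies outside the root, which are exactly the entries that make the client upload directories it was never configured to sync. It assumes only the Python standard library (3.8 or newer, so that os.readlink works on junctions) and, for the built-in demonstration, constructs a throwaway sync root in a temporary directory; the %OneDrive% environment variable used as the default root is set by the OneDrive client itself.

```python
"""Audit a OneDrive sync root for junctions that escape it.
Added example; not code from the talk or from DoubleDrive.
Assumes Python 3.8+ and the standard library only."""
import os
import stat
import subprocess
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x0400  # Windows attribute bit set on junctions


def is_reparse_point(path):
    """True for a Windows directory junction, or a symlink on any OS."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)


def link_target(path):
    """Canonical absolute path of the directory a junction/symlink points at."""
    target = os.readlink(path)
    if target.startswith("\\\\?\\"):  # Windows reports junction targets with the \\?\ prefix
        target = target[4:]
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(path), target)
    return os.path.normcase(os.path.realpath(target))


def escaping_links(sync_root):
    """Return (link, target) pairs under sync_root whose target lies outside it.

    Junctions that stay inside the root are ignored; anything pointing elsewhere
    would cause the sync client to upload data it was never configured to sync."""
    root = os.path.normcase(os.path.realpath(sync_root))
    hits = []
    for dirpath, dirnames, _ in os.walk(sync_root, followlinks=False):
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not is_reparse_point(full):
                keep.append(name)
                continue
            target = link_target(full)
            if not (target == root or target.startswith(root + os.sep)):
                hits.append((full, target))
        dirnames[:] = keep  # never descend through a reparse point: it may point anywhere
    return hits


def _make_junction(link, target):
    """mklink /J on Windows (what the attack itself uses); a symlink elsewhere."""
    if os.name == "nt":
        subprocess.run(["cmd", "/c", "mklink", "/J", link, target],
                       check=True, capture_output=True)
    else:
        os.symlink(target, link, target_is_directory=True)


def build_demo_tree():
    """Constructed layout for demonstration only: a fake sync root holding one
    benign junction (target inside the root) and one that reaches a directory
    the client was never configured to sync."""
    base = tempfile.mkdtemp(prefix="onedrive-demo-")
    sync_root = os.path.join(base, "OneDrive")
    os.makedirs(os.path.join(sync_root, "Shared"))
    outside = os.path.join(base, "Payroll")  # stands in for e.g. D:\Finance
    os.makedirs(outside)
    _make_junction(os.path.join(sync_root, "Shared-link"), os.path.join(sync_root, "Shared"))
    _make_junction(os.path.join(sync_root, "Docs"), outside)
    return sync_root, outside


if __name__ == "__main__":
    # %OneDrive% is set by the sync client; fall back to the constructed tree.
    root = os.environ.get("OneDrive") or build_demo_tree()[0]
    for link, target in escaping_links(root):
        print("junction %s -> %s (outside sync root)" % (link, target))
```

Run it on a real host with the sync root in %OneDrive% (or pass the path from the Accounts keys under HKCU\Software\Microsoft\OneDrive if the folder was relocated); a junction whose target is another volume or another user's profile is worth a closer look, since the client will upload whatever it finds behind it.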

Bypassing EDR and Security Controls

One of the most striking aspects of this research is how effectively it evades endpoint security. Most EDR solutions, including Microsoft Defender for Endpoint, CrowdStrike Falcon, and Palo Alto Cortex XDR, rely on detecting malicious process behavior. Here the encryption itself happens off the host, and the only process that touches the victim's local files is the legitimate, signed OneDrive.exe applying changes it received from the cloud, so there is no malicious process for the EDR to kill.

Furthermore, the attack can sidestep Controlled Folder Access, the Defender feature designed to prevent unauthorized applications from modifying files in protected directories. OneDrive is a trusted application that is allowed by default, and the allow list identifies it by its executables on disk. Because the per-user OneDrive installation directory under the user's profile is writable by that user, an attacker who replaces the Microsoft.SharePoint.exe executable there with a malicious one gets their own code running as a binary Controlled Folder Access treats as OneDrive. This grants no extra privileges beyond the user's own, but it lets the code modify protected folders and perform follow-on actions such as deleting shadow copies with vssadmin, a common tactic for preventing file recovery. Note that deleting shadow copies with vssadmin requires elevation, so that step still depends on obtaining administrative rights.

Real-World Implications for Pentesters

For those of us conducting red team engagements, this research adds a useful option. If you land on a machine with OneDrive installed, you have a powerful, built-in channel for data exfiltration and manipulation. Instead of worrying about custom malware being caught by static signatures or behavioral analysis, you use the operating system's own features to move and change data, and the only process the endpoint sees doing it is OneDrive.exe.

During an engagement, the first step is to confirm that OneDrive is installed and that the user is signed in and actively syncing. If so, you can extract the tokens from the ODL files. The DoubleDrive tool released by the researchers provides a ready-to-use framework for automating this process: it handles the token extraction, the creation of junctions, and the subsequent file manipulation.

Defensive Considerations

Defending against this type of attack is difficult because it abuses legitimate functionality. The best approach is to implement strict application control policies that prevent unauthorized modifications to the installation directories of trusted software, so that a swapped OneDrive binary is not allowed to run. On the endpoint, monitor for the creation of unusual directory junctions inside sync roots (for example, mklink /J on a process-creation event whose link lands under the user's OneDrive folder but whose target does not) and for writes to OneDrive's installation directory by anything other than its own installer or updater. OneDrive.exe performing mass file deletions or modifications in a short window is a significant indicator of compromise, regardless of the process's reputation. Cloud-side, the API calls made with a stolen token carry the victim's identity, so the service's own activity logs are the place to look for bulk operations that do not match the user's normal behavior, and versioning and recycle-bin retention remain the last line of recovery.
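The three endpoint indicators above can be expressed as simple triage rules. The block below is an added example, not a detection shipped by any vendor or by the researchers: it runs three rules over constructed Sysmon-style events (EventID 1 process creation, 11 file create, 23 file delete, with the fields reduced to what the rules need). The sync-root and install-directory path patterns, the set of legitimate updater images, and the mass-change threshold are all assumptions to tune for your estate; in production the sync root should be read from the client's configuration rather than guessed from the path.

```python
"""Triage rules for the DoubleDrive indicators over constructed Sysmon-style
events.  Added example, not from the talk or from DoubleDrive."""
import re
from collections import deque
from datetime import datetime, timedelta

# Assumptions, tune per estate: per-user sync root and install dir locations,
# images allowed to write into the install dir, and the burst threshold.
_SYNC_ROOT = re.compile(r"^c:\\users\\[^\\]+\\onedrive[^\\]*(\\|$)")
_INSTALL_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\")
UPDATER_IMAGES = {"onedrivesetup.exe", "onedrivestandaloneupdater.exe"}
MASS_CHANGE_THRESHOLD = 20
MASS_CHANGE_WINDOW = timedelta(seconds=60)
_MKLINK = re.compile(r'mklink\s+/j\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_sync_root(path):
    return bool(_SYNC_ROOT.match(path.lower()))


def rule_junction_into_sync_root(ev):
    """mklink /J whose link sits under the sync root but whose target does not."""
    m = _MKLINK.search(ev.get("cmd", "")) if ev["id"] == 1 else None
    if not m:
        return None
    link = m.group(1) or m.group(2)
    target = m.group(3) or m.group(4)
    if in_sync_root(link) and not in_sync_root(target):
        return {"rule": "junction_into_sync_root", "t": ev["t"], "link": link, "target": target}
    return None


def rule_onedrive_binary_replaced(ev):
    """Executable written into OneDrive's install dir by something other than its updater."""
    target = ev.get("target", "").lower()
    if (ev["id"] == 11 and _INSTALL_DIR.match(target)
            and target.endswith((".exe", ".dll"))
            and _basename(ev["image"]) not in UPDATER_IMAGES):
        return {"rule": "onedrive_binary_replaced", "t": ev["t"],
                "image": ev["image"], "target": ev["target"]}
    return None


def mass_change_alerts(events):
    """Sliding window over file create/delete events attributed to OneDrive.exe.
    Fires once per burst; events are assumed to be in time order."""
    window, alerts, fired = deque(), [], False
    for ev in events:
        if ev["id"] not in (11, 23) or _basename(ev["image"]) != "onedrive.exe":
            continue
        t = datetime.fromisoformat(ev["t"])
        window.append(t)
        while t - window[0] > MASS_CHANGE_WINDOW:
            window.popleft()
        if len(window) >= MASS_CHANGE_THRESHOLD and not fired:
            alerts.append({"rule": "sync_client_mass_change", "t": ev["t"], "count": len(window)})
            fired = True
        elif len(window) < MASS_CHANGE_THRESHOLD:
            fired = False
    return alerts


def triage(events):
    alerts = []
    for ev in events:
        for rule in (rule_junction_into_sync_root, rule_onedrive_binary_replaced):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(mass_change_alerts(events))
    return sorted(alerts, key=lambda a: a["t"])


def build_sample_events():
    """Constructed telemetry for the demonstration, not captured from a real host."""
    od_dir = r"C:\Users\bob\AppData\Local\Microsoft\OneDrive"
    base = datetime(2023, 8, 9, 10, 0, 0)
    ts = lambda s: (base + timedelta(seconds=s)).isoformat(timespec="seconds")
    evs = [
        {"t": ts(0), "id": 1, "image": r"C:\Windows\System32\cmd.exe",
         "cmd": r'cmd.exe /c mklink /J "C:\Users\bob\OneDrive\Docs" "D:\Finance"'},
        {"t": ts(5), "id": 1, "image": r"C:\Windows\System32\cmd.exe",  # benign: stays inside root
         "cmd": r'cmd.exe /c mklink /J "C:\Users\bob\OneDrive\Shared-link" "C:\Users\bob\OneDrive\Shared"'},
        {"t": ts(30), "id": 11, "image": r"C:\Windows\explorer.exe",
         "target": od_dir + r"\Microsoft.SharePoint.exe"},
        {"t": ts(40), "id": 11, "image": od_dir + r"\OneDriveStandaloneUpdater.exe",  # benign update
         "target": od_dir + r"\OneDrive.exe"},
    ]
    for i in range(25):  # the sync client applying 25 cloud-side deletions within a minute
        evs.append({"t": ts(100 + i), "id": 23, "image": od_dir + r"\OneDrive.exe",
                    "target": r"C:\Users\bob\OneDrive\Docs\report-%d.xlsx" % i})
    return evs


if __name__ == "__main__":
    for alert in triage(build_sample_events()):
        print(alert)
```

The mass-change rule is the noisiest of the three: an initial sync or a large folder move will also cross the threshold, so treat it as a signal to correlate with the junction and binary-replacement rules rather than as an alert on its own.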

Security is not just about patching vulnerabilities; it is about understanding how the systems we rely on can be subverted. This research serves as a stark reminder that trust is a vulnerability in itself. As we continue to move more data to the cloud, we must ensure that the agents managing that data are as secure as the data they protect. The next time you are on an engagement, look closely at the tools that are already running. You might find that the most effective weapon in your arsenal is already installed on the target machine.

Talk Type: research presentation
Difficulty: advanced
Category: red team
Tags: Has Demo · Has Code · Tool Released


Black Hat USA 2023
