In modern Microsoft 365 ecosystems, SharePoint Online is no longer just a file repository. It’s a sprawling attack surface. Its deep Graph API integration, automated workflows, and interconnectivity with Teams, OneDrive, and Power Platform make it an ideal target for lateral movement, data staging, and persistence.
As a red teamer, when you gain access to a Microsoft 365 tenant, SharePoint often becomes the pivot point. Once inside, it’s not just about dumping files; it’s about staying quiet, looking normal, and bleeding data slowly. This post explores a step-by-step attack scenario based on the SharePoint Online Attack Matrix and walks you through actionable red tactics.
Reconnaissance
Before exploiting, attackers profile exposed SharePoint instances. Here’s how:
Enumerate SharePoint Online URLs
Attackers brute-force or discover SharePoint subsite URLs using tools or OSINT. Common paths (/sites/hr, /teams/devops) are guessed, often using wordlists.
Crawl Public Documents via Google Dorking
Public-facing documents can be indexed by search engines. Google Dorks (GHDB) such as site:sharepoint.com filetype:xlsx help extract sensitive info without touching the tenant directly.
Search for Anonymous Sharing Links
Attackers use Graph Search or legacy API calls to identify links that allow “Anyone with the link” access, especially to documents not meant to be public.
Discover Internal Naming Conventions via Metadata
Accessing internal metadata like SPWeb.Title or URL fragments can help identify structure, departments, and naming patterns that are useful for further enumeration.
Abuse Graph Search to Locate Libraries
Even with limited Graph permissions (e.g., from a delegated token), an attacker can query /search/query?querytext='*' to list site collections and files they shouldn’t know about.
SharePoint Online Exposure Recon
https://raw.githubusercontent.com/guardzcom/security-research-labs/refs/heads/main/SPO_Ext_Recon.ps1
Initial Access
After recon, it’s time to get inside. These are some of the SharePoint-specific paths:
Phishing via SharePoint-Hosted Maldocs
Technique: Attackers upload and share macro-enabled Office documents via SharePoint Online to leverage the trusted domain appearance.
Execution:
- Uploaded a .docm or .xlsm to a SharePoint site.
- Created a sharing link (Anyone with the link) using /sites/portal/:x:/s/….
- Distributed via phishing emails as “HR Policies Update” or “Monthly Report”.
- Once opened, the embedded VBA downloads the second-stage payload.
Notes:
- Uses legitimate Microsoft infrastructure, bypassing many reputation-based defenses.
- Links are visually similar to internal document sharing.
OAuth Token Reuse from Compromised Devices
Technique: Replay access/refresh tokens obtained from browser sessions or local caches.
Execution:
- Tokens are extracted from cookies, localStorage, or the filesystem (.IdentityService\msal or Chrome localStorage).
- The access_token is replayed directly via:
GET https://graph.microsoft.com/v1.0/me/drive
Authorization: Bearer eyJ0eXAiOiJKV1Q…
- If refresh_token is also stolen, attackers can generate long-lived sessions.
Notes:
- No credential re-entry required.
- Tokens may bypass MFA if issued initially on a compliant or trusted device.
Guest Account Injection via Invitation Abuse
Technique: Inject attacker-controlled identities into the tenant via Azure AD B2B invite APIs.
Execution:
- The invitation is crafted with:
POST /v1.0/invitations
{
  "invitedUserEmailAddress": "[email protected]",
  "inviteRedirectUrl": "https://spo.evil.com",
  "sendInvitationMessage": false
}
- Accessed the invitationRedeemUrl directly to onboard the identity as a guest.
- Browsed to https://tenant.sharepoint.com/sites/hr if guest access policies are open.
Notes:
- Attackers gain persistent access with a legitimate Guest object in Entra ID.
- Appears in audit logs as a legitimate invite flow.
Consent Phishing with Overprivileged SPFx App
Technique: Trick the user into granting OAuth consent to a malicious SharePoint Framework (SPFx) app with excessive Graph permissions.
Execution:
- Registered an SPFx app in Azure AD with broad scopes (Sites.ReadWrite.All, Files.Read.All, Mail.Read).
- Generated a consent URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=…&scope=…&response_type=code
- Hosted a fake Microsoft login page prompting the user to grant consent.
- Upon success, the attacker used access_token to exfiltrate SharePoint and OneDrive files.
Notes:
- The app appears in Enterprise Applications under the user’s account.
- Attackers retain long-lived (persistent) access, independent of user session.
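From the defender's side, the residue of a successful consent-phishing campaign is a delegated OAuth grant carrying broad scopes, usually consented by one user rather than an admin and often for an app owned by a foreign tenant. The following script, an added example that is not code from this post or from Guardz, ranks such grants. The records are constructed to mirror the shape of Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources (as returned by GET /oauth2PermissionGrants and GET /servicePrincipals); the IDs, app names, scope list and scoring weights are assumptions.

```python
"""Audit delegated OAuth consent grants for over-privileged apps.

Added example, not code from the post or from Guardz.  The objects below are
constructed to mirror the shape of Microsoft Graph's oauth2PermissionGrant and
servicePrincipal resources (GET /oauth2PermissionGrants, GET /servicePrincipals);
the IDs, names and scopes are made up.
"""

# Delegated Graph scopes that give an app broad reach over SharePoint, OneDrive
# and mail.  This set is an assumption for the example; extend it per tenant.
HIGH_RISK_SCOPES = {
    "Sites.ReadWrite.All", "Sites.Read.All", "Sites.FullControl.All",
    "Files.ReadWrite.All", "Files.Read.All",
    "Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All",
}

TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed tenant id

# Constructed servicePrincipal records: sp-2 is owned by another tenant, i.e. a
# multi-tenant app that somebody in our tenant consented to.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Contoso Intranet",
     "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-2", "appId": "app-2", "displayName": "Doc Sync Helper",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]

# Constructed oauth2PermissionGrant records.  consentType "Principal" means a
# single user consented; "AllPrincipals" means an admin consented tenant-wide.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Sites.Read.All"},
    {"id": "g2", "clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-42",
     "scope": "openid profile Sites.ReadWrite.All Files.Read.All Mail.Read"},
    {"id": "g3", "clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-7", "scope": "openid profile User.Read"},
]


def audit_consent_grants(grants, service_principals, tenant_id,
                         risky_scopes=HIGH_RISK_SCOPES):
    """Return findings for grants carrying high-risk scopes, riskiest first.

    Risk score = number of risky scopes, +2 if the app is owned by a foreign
    tenant, +1 if an individual user (not an admin) granted the consent.
    """
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        risky = sorted(scopes & risky_scopes)
        if not risky:
            continue
        sp = sp_by_id.get(grant["clientId"], {})
        owner = sp.get("appOwnerOrganizationId")
        foreign_app = owner is not None and owner != tenant_id
        user_consent = grant.get("consentType") == "Principal"
        findings.append({
            "grant_id": grant["id"],
            "app": sp.get("displayName", grant["clientId"]),
            "risky_scopes": risky,
            "foreign_app": foreign_app,
            "user_consent": user_consent,
            "principal_id": grant.get("principalId"),
            "score": len(risky) + (2 if foreign_app else 0) + (1 if user_consent else 0),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit_consent_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, TENANT_ID):
        print(f"[{f['score']}] {f['app']} grant {f['grant_id']}: "
              f"{' '.join(f['risky_scopes'])}"
              f"{' (foreign app)' if f['foreign_app'] else ''}"
              f"{' (user consent)' if f['user_consent'] else ''}")
```

On real data the "Doc Sync Helper" style finding (user consent, foreign owner, three broad scopes) is the one to act on first: the grant can be revoked with DELETE /oauth2PermissionGrants/{id}, and the underlying exposure is closed by restricting user consent to verified publishers or routing it through the admin consent workflow.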
Replay Session via Legacy Auth in SharePoint Designer
Technique: Exploit legacy authentication endpoints that still support NTLM/basic auth via SharePoint Designer.
Execution:
- Probed endpoints such as:
https://tenant.sharepoint.com/_vti_bin/authentication.asmx
- Attempt NTLM relay or password spraying on endpoints like _vti_bin/client.svc/ProcessQuery.
- If accepted, establish a session and abuse SharePoint Designer to modify pages or workflows.
Notes:
- Legacy endpoints do not enforce modern token-based auth.
- Lateral movement is possible through page editing or malicious workflow injection.
Discovery
Once inside, attackers move quietly to map the environment.
Enumerate Site Collections via Graph
Using /sites?search=*, attackers list available site collections and subsites accessible by the current token.
Identify High-Value Libraries
Browsing drive titles and descriptions (/sites/<site-id>/drives) lets attackers prioritize libraries like FinanceDocs, HR_Reviews, or LegalHold.
List Group Memberships with SharePoint Access
Enumerate M365 groups (/groups) to check which groups grant SharePoint access. Cross-reference with /groups/{id}/sites/root to find shared team content.
Dump Sharing Settings Using API
Call /permissions on each library to enumerate who has access (internal users, guests, or “Anyone” links). Useful for privilege escalation or data staging.
Detect Guest Access on Sensitive Sites
Look for external principals ([email protected]) in permission sets. These accounts may have excessive access, acting as low-noise pivots.
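The same permission data that an intruder dumps is what a defender should be reviewing on a schedule. The script below, an added example that is not code from this post or from Guardz, walks a set of Graph permission objects and flags the three conditions this section and the earlier "Search for Anonymous Sharing Links" step describe: "Anyone with the link" links, organization-wide edit links, and principals whose address is outside the tenant's domains. The objects are constructed to mirror the permission resource returned by GET /drives/{drive-id}/items/{item-id}/permissions; the domains, IDs, URLs and addresses are assumptions.

```python
"""Flag anonymous sharing links and external principals in Graph permission sets.

Added example, not code from the post or from Guardz.  The objects below are
constructed to mirror the shape of the permission resource returned by
GET /drives/{drive-id}/items/{item-id}/permissions (requires Files.Read.All or
Sites.Read.All); the ids, URLs and addresses are made up.
"""

# Domains that belong to the tenant; anything else is treated as external.
# Assumption for this example.
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed sample: four permission entries on one library item.
SAMPLE_PERMISSIONS = [
    {   # "Anyone with the link" view link
        "id": "perm-1", "roles": ["read"],
        "link": {"type": "view", "scope": "anonymous",
                 "webUrl": "https://contoso.sharepoint.com/:x:/s/hr/EXAMPLE1"},
    },
    {   # direct grant to an internal user
        "id": "perm-2", "roles": ["write"],
        "grantedToV2": {"user": {"email": "alice@contoso.com", "displayName": "Alice"}},
    },
    {   # direct grant to a guest from another organization
        "id": "perm-3", "roles": ["write"],
        "grantedToIdentitiesV2": [
            {"user": {"email": "partner@fabrikam.com", "displayName": "Partner"}},
        ],
    },
    {   # "People in Contoso" edit link: every signed-in user can edit
        "id": "perm-4", "roles": ["write"],
        "link": {"type": "edit", "scope": "organization",
                 "webUrl": "https://contoso.sharepoint.com/:x:/s/hr/EXAMPLE2"},
    },
]


def _principal_emails(perm):
    """Collect e-mail addresses from grantedToV2 / grantedToIdentitiesV2."""
    identities = []
    if "grantedToV2" in perm:
        identities.append(perm["grantedToV2"])
    identities.extend(perm.get("grantedToIdentitiesV2", []))
    emails = []
    for identity in identities:
        email = (identity.get("user") or {}).get("email")
        if email:
            emails.append(email.lower())
    return emails


def audit_permissions(perms, tenant_domains=TENANT_DOMAINS):
    """Return (permission id, category, detail) tuples for risky entries."""
    findings = []
    for perm in perms:
        link = perm.get("link")
        if link:
            if link.get("scope") == "anonymous":
                findings.append((perm["id"], "ANONYMOUS_LINK", link.get("webUrl", "")))
            elif link.get("scope") == "organization" and link.get("type") == "edit":
                findings.append((perm["id"], "ORG_WIDE_EDIT_LINK", link.get("webUrl", "")))
        for email in _principal_emails(perm):
            domain = email.rsplit("@", 1)[-1]
            if domain not in tenant_domains:
                findings.append((perm["id"], "EXTERNAL_PRINCIPAL", email))
    return findings


if __name__ == "__main__":
    for perm_id, category, detail in audit_permissions(SAMPLE_PERMISSIONS):
        print(f"{category:20} {perm_id:8} {detail}")
```

Run against a tenant, the EXTERNAL_PRINCIPAL hits on sites tagged as sensitive are the "low-noise pivots" this section warns about, and each ANONYMOUS_LINK hit is a file readable without any identity at all; both are the entries to review with the site owner and, where unjustified, revoke with DELETE on the same /permissions/{id} path.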
Persistence
To maintain access without maintaining sessions, attackers exploit SharePoint-native features.
Create Hidden Pages with Embedded JS Payloads
In classic SharePoint pages, JS can be embedded to act as a beacon or loader when users view a page. Great for user-triggered callbacks.
Persist via Flow Automation Trigger
Attackers create Power Automate flows that react to file changes and trigger exfil actions. Even if their token is revoked, the flow runs server-side.
Add Malicious Guest Account to Private Group
If the attacker can modify group membership, they add a rogue guest to persist without triggering user suspicion.
Upload Disguised Web Parts to Classic Sites
Custom web parts with obfuscated JS or links can be uploaded to legacy sites. These are often overlooked during security reviews.
Register a Malicious SharePoint App
An attacker registers an app that acts on behalf of a user or site, thereby granting API access without the need for continuous interaction.
Lateral Movement
From SharePoint, attackers can pivot across M365 services.
Move via Shared Document Collaboration
By uploading malicious content to shared libraries, attackers trick collaborators into opening payloads, especially if versioning is enabled.
Inject Files into Shared Libraries with Auto-Sync
Office files placed in OneDrive-backed libraries automatically sync to all users. A .docx with embedded macro silently lands on every device.
Use Internal Links to Redirect User Sessions
A manipulated link can redirect users to phishing portals or payloads while retaining the SharePoint look and feel.
Transition to OneDrive Using Same Token
With a Graph token, an attacker can switch context from /sites to /me/drive, gaining access to personal files and downloads.
Abuse Power Automate to Drop Files Cross-Site
A flow in one site can copy malicious files to another, using internal permissions. Great for silent propagation.
Exfiltration
It’s not just what you steal; it’s how stealthy the exit is.
Create Anonymous Share Links and Forward
Files are shared using “Anyone with the link” and forwarded to attacker inboxes or bots. Rarely monitored in real time.
Use Flow Connector to Exfil to Attacker-Controlled Cloud
Power Automate supports HTTP actions and third-party services (Dropbox, Google Drive). Attackers use this to bypass DLP.
Sync Libraries to Local and Remove Sharing Trail
By syncing libraries using the OneDrive sync client, attackers copy the files and delete sharing links to remove evidence.
Export Data Using Batched Graph Calls
Graph API batching (20 requests in one call) is ideal for high-speed, low-noise exfil. It avoids triggering EDR for each request.
Revert File Versions Post-Copy for Stealth
After downloading, attackers revert a file back to an older version, hiding their tampering in the file history.
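Several of the exfiltration techniques above leave a recognisable shape in the SharePoint audit log: batched or synced downloads show up as a burst of FileDownloaded or FileSyncDownloadedFull events from one user, and a sharing link that is created and then deleted to clean the trail shows up as an AnonymousLinkCreated followed shortly by an AnonymousLinkRemoved on the same object. The script below, an added example that is not code from this post or from Guardz, implements both detections over constructed audit records whose fields mirror Office 365 unified audit log entries for SharePoint (CreationTime, Operation, UserId, ObjectId, ClientIP); the thresholds, window sizes, users and paths are assumptions to tune per tenant.

```python
"""Detect bulk download bursts and short-lived anonymous links in SharePoint
audit records.

Added example, not code from the post or from Guardz.  The records are
constructed to mirror the fields of Office 365 unified audit log entries for
SharePoint (CreationTime, Operation, UserId, ObjectId, ClientIP); thresholds
and window sizes are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
DOWNLOAD_THRESHOLD = 20                      # downloads per user per window (assumption)
DOWNLOAD_WINDOW = timedelta(minutes=10)
LINK_MAX_LIFETIME = timedelta(minutes=30)    # create -> remove faster than this is odd


def _ts(record):
    return datetime.strptime(record["CreationTime"], TS_FMT)


def _build_sample_records():
    """Constructed audit records: one user pulls 25 files in five minutes and
    creates then removes an anonymous link; another user downloads normally."""
    base = datetime(2025, 1, 15, 10, 0, 0)
    records = []
    for i in range(25):
        records.append({
            "CreationTime": (base + timedelta(seconds=12 * i)).strftime(TS_FMT),
            "Operation": "FileDownloaded", "UserId": "mallory@contoso.com",
            "ObjectId": f"https://contoso.sharepoint.com/sites/hr/Shared Documents/doc{i}.docx",
            "ClientIP": "203.0.113.5",
        })
    for i in range(3):
        records.append({
            "CreationTime": (base + timedelta(minutes=30 * i)).strftime(TS_FMT),
            "Operation": "FileDownloaded", "UserId": "alice@contoso.com",
            "ObjectId": f"https://contoso.sharepoint.com/sites/hr/Shared Documents/memo{i}.docx",
            "ClientIP": "198.51.100.9",
        })
    target = "https://contoso.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx"
    records.append({"CreationTime": base.strftime(TS_FMT), "Operation": "AnonymousLinkCreated",
                    "UserId": "mallory@contoso.com", "ObjectId": target, "ClientIP": "203.0.113.5"})
    records.append({"CreationTime": (base + timedelta(minutes=12)).strftime(TS_FMT),
                    "Operation": "AnonymousLinkRemoved",
                    "UserId": "mallory@contoso.com", "ObjectId": target, "ClientIP": "203.0.113.5"})
    return records


SAMPLE_RECORDS = _build_sample_records()


def detect_bulk_downloads(records, threshold=DOWNLOAD_THRESHOLD, window=DOWNLOAD_WINDOW):
    """Sliding-window count of download events per user; at most one alert per user."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            by_user[r["UserId"]].append(_ts(r))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], t, end - start + 1))
                break
    return alerts


def detect_short_lived_anon_links(records, max_lifetime=LINK_MAX_LIFETIME):
    """Pair AnonymousLinkCreated with a later AnonymousLinkRemoved on the same
    object by the same user and flag pairs closer together than max_lifetime."""
    created = {}
    alerts = []
    for r in sorted(records, key=_ts):
        key = (r["UserId"], r["ObjectId"])
        if r["Operation"] == "AnonymousLinkCreated":
            created[key] = _ts(r)
        elif r["Operation"] == "AnonymousLinkRemoved" and key in created:
            lifetime = _ts(r) - created.pop(key)
            if lifetime <= max_lifetime:
                alerts.append((r["UserId"], r["ObjectId"], lifetime))
    return alerts


if __name__ == "__main__":
    for user, first, last, n in detect_bulk_downloads(SAMPLE_RECORDS):
        print(f"bulk download: {user} pulled {n} files between {first} and {last}")
    for user, obj, life in detect_short_lived_anon_links(SAMPLE_RECORDS):
        print(f"short-lived anonymous link: {user} on {obj} (lived {life})")
```

The burst detector deliberately counts the sync client's FileSyncDownloadedFull events together with interactive downloads, because a full library sync is the quiet path this section describes; the per-user window should be tuned against a baseline of normal sync volume so that a first-time sync of a large library by a legitimate user does not page the on-call analyst.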
Command & Control (C2)
Even in a SaaS platform, attackers can communicate.
Embed JS Beacons in Classic SharePoint Pages
A small JS snippet pings a C2 server when a legit user views the page. It has a very low footprint and is hard to trace back to the actor.
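Hidden classic pages with embedded JS (from the Persistence section), disguised custom web parts, and the page beacons described here all reduce to the same artefact: script on a tenant page that talks to a host the tenant does not own. The scanner below, an added example that is not code from this post or from Guardz, parses page HTML with the standard library and reports external script sources, inline callouts to non-allowlisted hosts, and the decoding primitives obfuscated loaders tend to use. The sample page, the allowlist of script hosts and the pattern lists are assumptions; the allowlist in particular must be filled with the tenant's own CDN and first-party endpoints.

```python
"""Scan classic SharePoint page HTML for scripts that call out to hosts the
tenant does not own.

Added example, not code from the post or from Guardz.  The page below is
constructed; the allowlist of script hosts is an assumption and must be
adjusted to the tenant's own CDN and first-party endpoints.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"contoso.sharepoint.com", "static.sharepointonline.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
OBFUSCATION_RE = re.compile(r"\b(eval|atob|unescape|Function)\s*\(")

# Constructed page: one first-party relative script, one external script, one
# inline callout, and one inline decoder hidden inside a web part zone.
SAMPLE_PAGE = """<html><head>
<script src="/_layouts/15/init.js"></script>
<script src="https://cdn.example.net/tracker.js"></script>
<script>fetch("https://beacon.example.net/ping");</script>
</head><body>
<div class="ms-webpart-zone"><script>eval(atob("Li4u"));</script></div>
</body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser hands script content through as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (category, detail) findings for suspicious script usage."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:      # relative srcs have no host
            findings.append(("EXTERNAL_SCRIPT", src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append(("INLINE_CALLOUT", url))
        if OBFUSCATION_RE.search(body):
            findings.append(("OBFUSCATION_PRIMITIVE", body.strip()[:80]))
    return findings


if __name__ == "__main__":
    for category, detail in scan_page_html(SAMPLE_PAGE):
        print(f"{category:22} {detail}")
```

The scan is only as good as the page inventory it runs over, so pair it with an enumeration of classic pages and web part galleries per site; the platform-level control that removes the whole class is disabling custom script on sites that do not need it (Set-SPOSite -DenyAddAndCustomizePages $true), after which the findings above become a short list of legacy sites to watch.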
Signal via Document Metadata Edits
Attackers modify metadata fields such as Title, ModifiedBy, or Tags to encode C2 commands (like DNS beaconing, but for SharePoint).
Use Flow as a Polling Channel
Flows can poll specific document changes or hidden libraries to receive new commands or files. It’s SaaS-native polling without implants.
Hide C2 Commands in SharePoint List Items
Custom lists (task lists, announcements) can contain encoded commands. If no one looks, it flies under the radar.
Trigger C2 Through New Document Uploads
C2 is initiated when a file with a specific name or tag is uploaded to a watched library. This “dead drop” style of communication works well in locked-down tenants.
Conclusion
The tactics outlined here demonstrate how SharePoint Online, when misconfigured or insufficiently monitored, can become a high-value beachhead for adversaries in Microsoft 365 environments. This comes down to attackers exploiting legitimate services and integrations to persist, exfiltrate data, and evade detection.
Guardz helps MSPs tackle these kinds of threats by tying together activity across identities, devices, cloud, and data. With identity-driven context and automated response, Guardz turns data security incidents from hidden risks into clear, actionable alerts to stop threats before they spread.