Proofpoint researchers have reported finding a way that attackers could use a Microsoft 365 loophole to launch ransomware attacks. The method involves using compromised SharePoint Online or OneDrive accounts to reduce the (user-configurable) setting for the number or saved versions in SharePoint Online or OneDrive.

Attackers can then encrypt files in those drives so that they are unrecoverable, have no backups, and no decryption key. Attackers could then demand a ransom to restore/recover the original files. The protection advice includes making sure that detection of file configuration changes for Office 365 accounts is switched on, implementing cloud security and threat intelligence, and implementing data loss prevention technology.