{
	"id": "1f0b57d4-53a1-4a26-907a-8f947ab6bc24",
	"created_at": "2026-04-06T00:08:56.314403Z",
	"updated_at": "2026-04-10T03:21:01.079893Z",
	"deleted_at": null,
	"sha1_hash": "949ea028db3f9ffb9a8f7a44651a42723d9b90d3",
	"title": "SaaS Ransomware Observed in the Wild for Sharepoint in Microsoft 365 | Obsidian Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 898805,
	"plain_text": "SaaS Ransomware Observed in the Wild for Sharepoint in\r\nMicrosoft 365 | Obsidian Security\r\nBy Emile Antone\r\nPublished: 2023-06-07 · Archived: 2026-04-05 17:19:43 UTC\r\nBackground\r\nObsidian’s Threat Research team has observed a SaaS ransomware attack against a company’s Sharepoint Online\r\n(Microsoft 365) without using a compromised endpoint. Our team and product were leveraged post-compromise\r\nto determine the finer details of the attack.\r\nThis approach is different from what has been observed in the wild, where some companies had their Sharepoint\r\n365 instances ransomed when attackers encrypted files on a compromised user’s machine or a mapped drive and\r\nthen synchronized them to Sharepoint.\r\nIn this blog, we’ll outline the details of the attack and provide detection methodologies and IOCs to assist the\r\nbroader community. Some details have been redacted to protect the privacy of the impacted company.\r\nAttack Details\r\nA Microsoft Global admin service account’s credentials were compromised.\r\nThe compromised service account did not have MFA/2FA enabled and could be leveraged from the public\r\ninternet.\r\nThe service account was accessed from a VPS host provided by VDSinra.ru, with an ip-geolocation that\r\nwas anomalous relative to legitimate, historical access patterns.\r\nThe compromised service account made a new AD user called 0mega.\r\nUserPrincipalName: 0mega@\u003credacted\u003e.com\r\nhttps://web.archive.org/web/20230608061141/https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/\r\nPage 1 of 5\n\nDepartment: Contact us https://0mega-connect[.]biz/c/\u003credacted_guid\u003e\r\nStreetAddress: http://\u003credacted\u003e[.]onion/c/\u003credacted_guid\u003e\r\nThe compromised service account granted the 0mega account elevated permissions, including Global\r\nAdministrator, SharePoint Administrator, Exchange Administrator, \u0026 Teams Administrator.\r\nThe compromised service account granted the 0mega account site collection administrator capabilities to\r\nmultiple Sharepoint sites and collections, while also removing existing administrators. Over 200 admin\r\nremoval operations occurred within a 2-hour period.\r\nHundreds of files were exfiltrated by the VPS endpoint by leveraging sppull\r\n(https://www.npmjs.com/package/sppull), a publicly available Node.js module that simplifies the\r\ndownloading of files from SharePoint.\r\nThousands of PREVENT-LEAKAGE.txt files were uploaded to Sharepoint to draw attention to the data\r\nexfiltration. This activity was automated using got (https://github.com/sindresorhus/got), a publicly available\r\nNode.js library for simplifying HTTP requests.\r\nThe 0mega-connect[.]biz and \u003credacted\u003e.onion websites allow impacted companies to chat with the\r\nransomware operators and negotiate the payment, to avoid having details about the breach or their files\r\npublished online.\r\nObservables (accounts, infrastructure, etc.) suggest the known 0mega operators performed this operation.\r\nDetection Opportunities \u0026 IOCs\r\nNote: The logs for these detection opportunities can be obtained from Office 365 APIs, assuming audit logging is\r\nenabled. Opportunities are labeled as either Generic, meaning the detection could detect multiple adversaries, or\r\nSpecific, indicating the detection is intended to catch this specific ransomware group. It should be noted that\r\nwhile the Specific detections are pretty accurate, modifications could be made by the ransomware group in the\r\nfuture in the same way that C2 infrastructure and malware file attributes can change.\r\nService accounts\r\nGeneric: Alert on logins with an ip-geolocation that is anomalous, e.g., the account is typically\r\nlogged into from a particular country.\r\nGeneric: Alert on logins that suggest impossible travel, e.g., the account was logged into from two\r\ndifferent countries or distant locations in a short timeframe.\r\nGeneric: If the service account is not intended for regular interactive logins or use, alert on any\r\nbehaviors that are not defined in code.\r\nNew AD users\r\nSpecific: alert on any new users with any of the following attributes:\r\nUserPrincipalName: 0mega@\u003cyour_company_domain\u003e.com\r\nMailNickname: 0mega\r\nDisplayName: 0mega or Zero Mega\r\nDepartment: Contact us https://0mega-connect[.]biz/c/\u003credacted_guid\u003e\r\nStreetAddress: http://\u003credacted\u003e[.]onion/c/\u003credacted_guid\u003e\r\nExample log in the below image.\r\nGeneric: Alert on new AD users that are granted multiple administrative privileges, like Global\r\nAdministrator, SharePoint Administrator, Exchange Administrator, \u0026 Teams Administrator.\r\nNew AD groups\r\nSpecific: alert on any new AD groups called _0mega_prevent_leakage.\r\nSharepoint Files\r\nSpecific: alert on any new files named PREVENT-LEAKAGE.txt (e.g., logs that contain\r\n\"SourceFileName\":\"PREVENT-LEAKAGE.txt\").\r\nGeneric: alert on high volume file uploads or checkin operations with a .txt extension (e.g., logs that\r\ncontain \"SourceFileExtension\":\"txt\"). This alert may be too noisy for some organizations.\r\nUser-Agent\r\nSpecific: alert on any Microsoft 365 activities from a user-agent of sppull or got\r\n(https://github.com/sindresorhus/got).\r\nConclusion\r\nCompanies pour hundreds of thousands to millions of dollars into SaaS to enable their business, commonly\r\nentrusting regulated, confidential, and otherwise sensitive information to these applications. While meaningful\r\nprogress has been made on endpoint, network, and cloud threat detection, SaaS threat detection remains an area\r\nthat many companies are still only beginning to consider.\r\nWe have always encouraged organizations to both take steps to protect themselves against threats and\r\ncontinuously monitor for indications of malicious activity.\r\nProactive risk management can include hardening SaaS controls, reining in excessive privileges, and revoking\r\nunsanctioned or high risk integrations. Robust threat response involves the consolidation and analysis of\r\nassociated SaaS audit/activity logs to uncover patterns consistent with a breach, an insider threat, or a\r\ncompromised third-party integration. As a leading SaaS security posture management (SSPM) platform, Obsidian\r\nhelps teams address each of these security considerations across their entire SaaS ecosystem.\r\nSource: https://web.archive.org/web/20230608061141/https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20230608061141/https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/"
	],
	"report_names": [
		"saas-ransomware-observed-sharepoint-microsoft-365"
	],
	"threat_actors": [],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/949ea028db3f9ffb9a8f7a44651a42723d9b90d3.pdf",
		"text": "https://archive.orkl.eu/949ea028db3f9ffb9a8f7a44651a42723d9b90d3.txt",
		"img": "https://archive.orkl.eu/949ea028db3f9ffb9a8f7a44651a42723d9b90d3.jpg"
	}
}