2025-06-30, Room 2
Microsoft is getting better at closing security gaps in the well-known APIs and components of its platform. However, as with every cloud service provider, these interconnected systems carry a significant amount of complexity and expose a wide range of APIs that communicate with each other in various ways. Exploring the lesser-known APIs from both an attacker's and a defender's perspective allows us to better understand these complex attack surfaces and to further defend cloud environments.
This talk aims to expand the rapidly developing field of hidden APIs in Entra/Azure and focuses on the SharePoint APIs that the browser client uses to talk to the service. We will explore enumeration techniques available through the SharePoint APIs that avoid direct use of Microsoft Graph and therefore sidestep detection methods that depend on Graph activity. The techniques shown allow an attacker with a foothold in SharePoint to pivot and move laterally through an Azure environment, circumventing modern security controls and potentially compromising additional services on the way to the adversary's objectives. The talk concludes with an exploration of file sharing security controls in the environment and whether they can be bypassed, and provides an overview of what defensive teams can do to prevent or detect direct use of these APIs.
Attendees will gain an understanding of:
- Microsoft SharePoint Online internals and how they differ from the SharePoint-related Microsoft Graph APIs
- How an attacker with a foothold as a regular business user with access to SharePoint can bypass security controls within a tenant to access sensitive resources
- What a security team can do to prevent and detect use of these APIs within an organisation
Chris is a principal security consultant and leads the specialist services within WithSecure Consulting. Day to day he leads the global team that handles a variety of engagements, both transactional and more bespoke in nature. Chris specialises predominantly in Microsoft Azure, with additional background in GCP and AWS.