
The Behind the Scenes Scope of SharePoint News

I recently had someone ask if there was any way to disable the ability to send a SharePoint news article to an external party, and after some clarification it became apparent that even with external sharing completely disabled in the tenant you can, in fact, send a preview of the article to any email address. After some research it became apparent that there is no way to turn off this functionality, which raised some concern about potential data leakage. For reference, we are talking about the SharePoint news article 'Send to' functionality shown below.

While a credential is needed to access the full article, any email sent will include an article preview. The preview doesn't show anything too worrisome, as it is just the title, the first few lines of text, and an image, but one area that caught my eye was the optional message that can be added. After some testing it does not appear that there is any length limit on the text that can be put in this optional message, which got me thinking about what security controls you can put in place to monitor or control these emails in case someone decided to paste in confidential text or, even worse, a Base64-encoded file.

I'll start with the good news. If you are using Exchange Online, these emails respect any DLP policies you have in place and are routed through the sender's mailbox, so any email controls that are in place will be respected. In the example below the article named 'Socials' was picked up for a DLP match on a U.S. Social Security Number. This match covers all text in the email, including the article title and body as well as any text entered by the user.


Now onto the bad news: if the user does not have an Exchange Online mailbox, the emails are sent from 'no-reply@sharepointonline.com' and the email goes out without respecting any of the rules configured for your tenant.



All in all, the ability to send an article summary email with some text that bypasses DLP for non-Exchange Online users likely presents a low risk for data leakage, as there are easier ways to exfiltrate data, but it was a fun exercise to explore how these emails are routed behind the scenes. But why stop there; is there any way beyond data leakage that this could be malicious? This led me to explore the News Link functionality to see what happens when these links are sent via email.

Using News Links and News Digest

When sharing a News Link article using the method above, the redirect still requires access to the underlying SharePoint site, so again there is not too much risk of bad actors leveraging this functionality in any nefarious way. However, there is one more piece of News functionality left to explore: the email news digest functionality (https://support.microsoft.com/en-us/office/create-and-send-a-news-digest-42efc3c6-605f-4a9a-85d5-1f9ff46019bf).
For those unfamiliar with the functionality, the news digest allows you to select which news articles you want to send. In the example below the article 'Password Reset Required' is a News Link that was selected to be sent as part of this digest.
As expected, for a user that does not have an Exchange Online mailbox the email is sent from 'no-reply@sharepointonline.com', but unlike sending a News Link by itself, which requires access to the SharePoint site, in the News Digest the redirect link brings you directly to the URL that was specified. This leaves the potential for someone (in any tenant) to send your users an email disguised as coming from SharePoint Online that contains a malicious link. Additionally, outside of hovering over and checking the destination URLs, there is nothing in the email that specifies which tenant it came from. Furthermore, a well-crafted article can appear to be from a specific department or another common business area or system account in an attempt to fool your users.
While the above digest does not contain anything close to an actual article you'd likely see in SharePoint, there is nothing stopping someone from disguising malicious links under real news topics such as 'Open Enrollment' or 'Our Response to SolarWinds' with a link to a fake login page or other nefarious site.

So you're likely thinking, what can you do? As mentioned, the data loss risk is fairly low in the grand scheme of things, but there are some concerns about being able to send the News Digest from 'no-reply@sharepointonline.com', which may mimic functionality that you're using today.
  • Potential for Exploit: Receiving digest emails with malicious links from 'no-reply@sharepointonline.com' can be an area of concern, as many organizations may instruct users to trust emails from 'no-reply@sharepointonline.com' due to their usage of SharePoint Online. While the likelihood of this exploit is low, there are a few things that should be done to protect your organization:
  • Medium DLP Risk: News emails sent from a user without Exchange Online are sent from 'no-reply@sharepointonline.com' and do not respect any DLP policies.
  • Low DLP Risk: News emails sent from a user with Exchange Online are routed through the user's mailbox and respect any DLP rules that have been set for the organization.
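As an added example (not code from the original post), here is a small Python check a mail team could run over received messages carrying the 'no-reply@sharepointonline.com' sender: it flags digest links that lead outside the organization's own tenant (the disguised-link case above) and text matching the U.S. SSN shape that DLP would have caught on a mailbox-routed send. The tenant host contoso.sharepoint.com and the sample message are placeholders I constructed.

```python
# Added example, not code from the original post; placeholders: tenant host contoso.sharepoint.com, constructed message.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SHAREPOINT_SENDER = "no-reply@sharepointonline.com"
TRUSTED_HOSTS = {"contoso.sharepoint.com"}      # placeholder: your own tenant host(s)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # simple U.S. SSN shape, as in the DLP match

class _LinkCollector(HTMLParser):
    # Collects every <a href> in an HTML body
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_trusted_host(host):
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def inspect_message(raw):
    """Findings for a mail from the shared SharePoint sender; {} for any other sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    if SHAREPOINT_SENDER not in str(msg.get("From", "")).lower():
        return {}
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    parser = _LinkCollector()
    parser.feed(text)
    # Digest links go straight to the stated URL, so anything outside the tenant is suspect
    bad = [u for u in parser.hrefs
           if urlparse(u).scheme in ("http", "https")
           and not is_trusted_host(urlparse(u).hostname)]
    return {"untrusted_links": bad, "ssn_matches": SSN_RE.findall(text)}

# Constructed sample digest modelled on the post's 'Password Reset Required' link
SAMPLE_DIGEST = """\
From: SharePoint <no-reply@sharepointonline.com>
Subject: News Digest
Content-Type: text/html; charset="utf-8"

<html><body><h2>News Digest</h2>
<p><a href="https://contoso.sharepoint.com/sites/hr/SitePages/Open-Enrollment.aspx">Open Enrollment</a></p>
<p><a href="https://password-reset.example.net/login">Password Reset Required</a>
Optional message: employee record 123-45-6789</p></body></html>
"""
```

Extend TRUSTED_HOSTS with every host your tenant's own news emails legitimately link to, or legitimate digests will be flagged as well.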
