The Behind the Scenes Scope of SharePoint News

I recently had someone ask if there was any way to disable the ability to send a SharePoint news article to an external party, and after some clarification it became apparent that even with external sharing completely disabled in the tenant you can, in fact, send a preview of the article to any email address. After some research it also became apparent that there is no way to turn this functionality off, which raised some concern about potential data leakage. For reference, we are talking about the SharePoint news article 'Send to' functionality shown below.

While a credential is needed to access the full article, any email sent will include an article preview. The preview itself doesn't show anything too worrisome, as it is just the title, the first few lines of text, and an image, but one area that caught my eye was the ability to add an optional message. After some testing it does not appear that there is any length limit on the text that can be put in that message. That got me thinking: what security controls can you put in place to monitor or control these emails in case someone decided to paste in confidential text, or even worse, a base64-encoded file?

I'll start with the good news. If you are using Exchange Online these emails are routed through the sender's mailbox, so they respect any DLP policies you have in place and any other email controls that apply to that mailbox. In the example below the article named 'Socials' was picked up for a DLP match on a U.S. Social Security Number. This match covers all text in the email, including the article title and body as well as any text entered by the user in the optional message.


Now onto the bad news: if the user does not have an Exchange Online mailbox, the email is sent from 'no-reply@sharepointonline.com' and goes out without passing through any of the mail rules configured for your tenant.



All in all, the ability to send an article summary email with some text that bypasses DLP for non-Exchange Online users likely presents a low risk of data leakage, as there are easier ways to exfiltrate data, but it was a fun exercise to explore how these emails are routed behind the scenes. But why stop there? Is there any way, beyond data leakage, that this could be abused? This led me to explore the News Link functionality to see what happens when these links are sent via email.

Using News Links and News Digest

When sharing a News Link article using the method above, the redirect still requires access to the underlying SharePoint site, so again there is not much risk of bad actors leveraging this functionality in any nefarious way. However, there is one more piece of News functionality left to explore: the email news digest. https://support.microsoft.com/en-us/office/create-and-send-a-news-digest-42efc3c6-605f-4a9a-85d5-1f9ff46019bf

For those unfamiliar with the functionality, the news digest allows you to select which news articles you want to send. In the example below the article 'Password Reset Required' is a News Link that was selected to be sent as part of this digest.

As expected, for a user that does not have an Exchange Online mailbox the email is sent from 'no-reply@sharepointonline.com'. But unlike sending a News Link by itself, which requires access to the SharePoint site, in the News Digest the redirect link takes you directly to the URL that was specified. This leaves the potential for someone (in any tenant) to send your users an email disguised as coming from SharePoint Online that contains a malicious link. Additionally, outside of hovering over and checking the destination URLs, there is nothing in the email that indicates which tenant it came from. Furthermore, a well-crafted article can appear to be from a specific department, a system account, or other common business areas in an attempt to fool your users.

While the digest above does not contain anything close to an actual article you'd see in SharePoint, there is nothing stopping someone from disguising malicious links under plausible news topics such as 'Open Enrollment' or 'Our Response to Solarwinds' with a link to a fake login page or other nefarious site.
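The two concerns above (digest links that land outside your tenant while the mail appears to come from 'no-reply@sharepointonline.com', and message text on the non-Exchange Online path that no DLP policy ever sees) can both be checked by a simple triage script run over the raw message, for instance from a mail-flow hook or a mailbox export. The following is an added example written for this post; it is not Microsoft's code or something the post itself ships. It assumes a hypothetical tenant host list (TENANT_HOSTS), uses a simplified SSN regex as a stand-in for the real DLP sensitive-info type, and parses a constructed sample digest embedded in the block.

```python
"""Triage a SharePoint News 'Send to' or News Digest email for out-of-tenant links
and for sensitive text that the no-reply path does not run through DLP.

Added example, not from the original post. TENANT_HOSTS, the SSN pattern and the
sample message below are assumptions/constructed data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hostnames belonging to your own tenant. The digest itself carries no
# indication of the originating tenant, so anything else is treated as external.
TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Sender observed in the post for users without an Exchange Online mailbox.
SHAREPOINT_NOREPLY = "no-reply@sharepointonline.com"

# Simplified stand-in for a DLP "U.S. Social Security Number" detector (assumption,
# not the real sensitive-info type) plus a crude check for a large base64 blob.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PLAIN_URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _text_parts(msg):
    """Yield (content_type, decoded_text) for every text/* part of the message."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield part.get_content_type(), payload.decode(charset, errors="replace")


def _is_external(link):
    host = (urlparse(link).hostname or "").lower()
    return bool(host) and host not in TENANT_HOSTS


def triage_news_email(raw):
    """Return findings for one raw RFC 822 message given as a string."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()

    links, ssn_count, base64_blob = [], 0, False
    for ctype, text in _text_parts(msg):
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(text)
            links.extend(collector.links)
        else:
            links.extend(PLAIN_URL_RE.findall(text))
        ssn_count += len(SSN_RE.findall(text))
        base64_blob = base64_blob or bool(BASE64_BLOB_RE.search(text))

    links = list(dict.fromkeys(links))  # de-duplicate, keep order
    external = [link for link in links if _is_external(link)]
    from_noreply = sender == SHAREPOINT_NOREPLY

    reasons = []
    if from_noreply and external:
        reasons.append("link outside tenant in mail from " + SHAREPOINT_NOREPLY)
    if ssn_count:
        reasons.append("%d SSN-like value(s) in text not covered by DLP" % ssn_count)
    if base64_blob:
        reasons.append("large base64 blob in message text")

    return {
        "sender": sender,
        "from_sharepoint_noreply": from_noreply,
        "links": links,
        "external_links": external,
        "ssn_count": ssn_count,
        "base64_blob": base64_blob,
        "reasons": reasons,
        "verdict": "review" if reasons else "ok",
    }


# Constructed sample digest modelled on the post's 'Password Reset Required' scenario.
SAMPLE_DIGEST = """\
From: SharePoint <no-reply@sharepointonline.com>
To: someone@contoso.com
Subject: News Digest: Password Reset Required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Password Reset Required
Please reset your password today: https://login.example.com/reset
Reference: 123-45-6789
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://contoso.sharepoint.com/sites/News/SitePages/Socials.aspx">Socials</a></p>
<p><a href="https://login.example.com/reset">Password Reset Required</a></p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for line in triage_news_email(SAMPLE_DIGEST)["reasons"]:
        print(line)
```

The script flags the sample because the mail claims the SharePoint no-reply sender yet links out of the tenant, and because an SSN-like value sits in text that, on the non-Exchange Online path, no DLP policy inspected. A real deployment would replace TENANT_HOSTS with your tenant's hosts and the SSN regex with your DLP engine's classifier.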

So you're likely thinking: what can you do? As mentioned, the data loss risk is fairly low in the grand scheme of things, but there are some concerns about the News Digest being sent from 'no-reply@sharepointonline.com', which may mimic functionality you're using today.
  • Potential for Exploit: Receiving digest emails with malicious links from 'no-reply@sharepointonline.com' is an area of concern, as many organizations may instruct users to trust emails from 'no-reply@sharepointonline.com' because they use SharePoint Online. While the likelihood of this exploit is low, there are a few things that should be done to protect your organization:
  • Medium DLP Risk: News emails sent by a user without Exchange Online are sent from 'no-reply@sharepointonline.com' and do not respect any DLP policies.
  • Low DLP Risk: News emails sent by a user with Exchange Online are routed through the user's mailbox and respect any DLP rules that have been set for the organization.