
The Behind the Scenes Scope of SharePoint News

I recently had someone ask if there was any way to disable the ability to send a SharePoint news article to an external party, and after some clarification it became apparent that even with external sharing completely disabled in the tenant you can, in fact, send a preview of the article to any email address. After some research it became apparent that there is no way to turn off this functionality, which raised some concern about potential data leakage. For reference, we are talking about the SharePoint news article 'Send to' functionality shown below.

While a credential is needed to access the full article, any email sent will include an article preview. The preview itself is not too worrisome, as it is just the title, the first few lines of text, and an image, but one area that caught my eye was the ability to add an optional message. After some testing it does not appear that there is any length limit on the text that can be put in that message. That got me thinking about what security controls you can put in place to monitor or control these emails in case someone decided to include confidential text or, even worse, a base64-encoded file.

I'll start with the good news. If you are using Exchange Online, these emails will respect any DLP policies you have in place, because they are routed through the sender's mailbox, so any email controls that are in place will be applied. In the example below the article named 'Socials' was picked up for a DLP match on a U.S. Social Security Number. The match covers all text in the email, including the article title and body as well as any text entered by the user.


Now onto the bad news: if the user does not have an Exchange Online mailbox, the email is sent from 'no-reply@sharepointonline.com', and it is sent without respecting any of the rules configured for your tenant.



All in all, the ability to send an article summary email containing text that bypasses DLP for non-Exchange Online users likely presents a low risk of data leakage, as there are easier ways to exfiltrate data, but it was a fun exercise to explore how these emails are routed behind the scenes. But why stop there: is there any way, beyond data leakage, that this could be malicious? This led me to explore the News Link functionality to see what happens when these links are sent via email.

Using News Links and News Digest

When sharing a News Link article using the method above, the redirect still requires access to the underlying SharePoint site, so again there is not much risk of bad actors leveraging this functionality in any nefarious way. However, there is one more piece of News functionality left to explore: the email news digest. https://support.microsoft.com/en-us/office/create-and-send-a-news-digest-42efc3c6-605f-4a9a-85d5-1f9ff46019bf
For those unfamiliar with the functionality, the news digest allows you to select which news articles you want to send. In the example below the article 'Password Reset Required' is a News Link that was selected to be sent as part of this digest.
As expected, for a user that does not have an Exchange Online mailbox the email is sent from 'no-reply@sharepointonline.com'. But unlike sending a News Link by itself, which requires access to the SharePoint site, in the News Digest the redirect link takes you directly to the URL that was specified. This leaves the potential for someone (in any tenant) to send your users an email disguised as coming from SharePoint Online that contains a malicious link. Additionally, outside of hovering over and checking the destination URLs, there is nothing in the email that specifies which tenant it came from. Furthermore, a well-crafted article can appear to be from a specific department or a common business area/system account in an attempt to fool your users.
While the above digest does not look anything like an actual article you'd see in SharePoint, there is nothing stopping someone from disguising malicious links under real news topics such as 'Open Enrollment' or 'Our Response to SolarWinds' with a link to a fake login page or other nefarious site.

So you're likely thinking: what can you do? As mentioned, the data loss risk is fairly low in the grand scheme of things, but there is some concern about the News Digest being sent from 'no-reply@sharepointonline.com', which may mimic functionality you are using today.
  • Potential for Exploit: Receiving digest emails with malicious links from 'no-reply@sharepointonline.com' is an area of concern, as many organizations instruct users to trust emails from 'no-reply@sharepointonline.com' because of their use of SharePoint Online.
            While the likelihood of this exploit is low, there are a few things that should be done to protect your organization:
  • Medium DLP Risk: News emails sent by a user without Exchange Online are sent from 'no-reply@sharepointonline.com' and do not respect any DLP policies.
  • Low DLP Risk: News emails sent by a user with Exchange Online are routed through the user's mailbox and respect any DLP rules set for the organization.
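One defender-side check for the gap described above, added here as an illustration and not part of the original post: since a digest from the shared no-reply address carries no tenant identity, the only tenant-specific signal is the host of each destination link, so the script parses a constructed sample digest and reports any link whose host is not one of your own SharePoint tenant hostnames (the contoso names and the sample message are assumptions, and links are taken to be the final destinations rather than a wrapped redirect).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample digest, not a captured message. It is sent from the shared
# no-reply address, so nothing in the headers or body identifies the tenant;
# the only tenant-specific signal is the host of each destination link.
SAMPLE_DIGEST = """\
From: SharePoint <no-reply@sharepointonline.com>
To: user@contoso.com
Subject: News Digest: Password Reset Required
Content-Type: text/html

<html><body>
<h2>Password Reset Required</h2>
<p>Please <a href="https://contoso.sharepoint.com/sites/HR/SitePages/Open-Enrollment.aspx">read the announcement</a>
and <a href="https://login-contoso.example.net/reset">reset your password</a>.</p>
</body></html>
"""

# Assumption: your tenant's own SharePoint hostnames (contoso is a placeholder).
TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
SHARED_SENDER = "no-reply@sharepointonline.com"
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def html_parts(msg):
    """Yield the decoded text/html bodies of a message (single-part or multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def foreign_links(raw_email, tenant_hosts=TENANT_HOSTS):
    """Return links in a news email from the shared no-reply sender whose host is
    not one of the tenant's own SharePoint hosts. Mail sent from a user's own
    mailbox already passes through the tenant's DLP rules, so it is skipped."""
    msg = message_from_string(raw_email)
    if SHARED_SENDER not in msg.get("From", "").lower():
        return []
    flagged = []
    for html in html_parts(msg):
        for link in HREF_RE.findall(html):
            host = (urlparse(link).hostname or "").lower()
            if host not in tenant_hosts:
                flagged.append(link)
    return flagged


if __name__ == "__main__":
    for link in foreign_links(SAMPLE_DIGEST):
        print("link outside tenant:", link)
```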