Microsoft OneDrive Auto-Sync Flaw Leaks Enterprise Secrets from SharePoint Online


A new report from Entro Labs reveals that one in five exposed secrets in large organizations can be traced back to SharePoint.

Rather than a flaw in SharePoint itself, the real culprit is a simple convenience feature: OneDrive’s default auto-sync.

When OneDrive silently backs up key folders like Desktop and Documents to SharePoint Online, it can turn personal files into a corporate treasure trove of secrets.

How OneDrive Auto-Sync Exposes Secrets

OneDrive for Business includes a Known Folder Move (KFM) option that automatically redirects important folders into OneDrive and, by extension, SharePoint document libraries.

This feature is enabled by default in many enterprise setups. Anything saved in those folders, even temporary files like configuration JSONs, .env files, or spreadsheet “scratch pads”, is copied to the cloud without alerting users.

Once in SharePoint, the files follow the platform’s sharing rules: they remain visible to their owner, may be shared with a team, and are always accessible to administrators. A misplaced password file or API key suddenly becomes available tenant-wide.

Entro Labs analyzed leaked secrets across dozens of enterprise environments and found that certain file types dominate.

Over half of the exposed secrets came from Excel workbooks, where users often paste confidential tokens and passwords for convenience.

Plain-text files such as .txt, .json, and .pem made up another 18 percent. Even scripts (.ps1), SQL dumps (.sql), and Word documents (.docx) contained credentials.

These user-generated files travel effortlessly from local drives into SharePoint, where a single admin or a compromised service account can retrieve them in minutes.

OneDrive’s sync feature may improve productivity, but it also greatly expands the blast radius of any compromised account. Security teams can take several steps today to reduce risk:

[Image: Manually adding a site collection Admin]

First, raise awareness among employees, contractors, and third-party developers. Many assume their secrets stored on their Desktop or Documents folder never leave their machines.

[Image: Malicious File Access]

Second, disable Known Folder Move where it is not needed. Administrators can restrict or turn off auto-sync for Desktop and Documents via Group Policy or Microsoft Intune settings like DisableKnownFolderMove and DisablePersonalSync.

Third, deploy secrets-scanning tools that go beyond code repositories and CI/CD pipelines to search through SharePoint libraries for exposed credentials.

Entro’s own platform can integrate directly with SharePoint environments, alerting teams to secrets before they cause a breach.
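An added example of the scanning step, not Entro's tooling or code from the report: a small Python heuristic scanner run over a constructed folder of the file types the report names (.env, .txt, .ps1, .sql, .pem, .json), standing in for a synced Documents folder or an exported SharePoint library. The file contents are made up, and placeholder references such as ${VAULT_REF} are skipped to cut false positives.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the formats the report names: key/value assignments in
# .env/.json/.ps1/.txt/.sql and PEM private-key headers. Not exhaustive.
SECRET_NAME = re.compile(r'(?i)(password|passwd|pwd|secret|token|api[_-]?key|client[_-]?secret)')
ASSIGNMENT = re.compile(r'([A-Za-z_][\w.-]*)["\']?\s*[:=]\s*["\']?([^\s"\',;]{8,})')
PEM_HEADER = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')
SCAN_EXTENSIONS = {'.txt', '.json', '.pem', '.ps1', '.sql', '.csv'}
PLACEHOLDER_PREFIXES = ('${', 'changeme', '<')   # vault refs / templates, not secrets

def scan_text(name, text):
    """Return (file, line_no, kind) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append((name, no, 'private-key'))
            continue
        for key, value in ASSIGNMENT.findall(line):
            if SECRET_NAME.search(key) and not value.lower().startswith(PLACEHOLDER_PREFIXES):
                findings.append((name, no, 'credential'))
    return findings

def scan_library(root):
    """Walk a synced folder; .env is a dotfile, so Path.suffix is empty for it."""
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and (path.suffix.lower() in SCAN_EXTENSIONS or path.name.lower() == '.env'):
            findings.extend(scan_text(path.name, path.read_text(errors='ignore')))
    return findings

# Constructed sample files mimicking a synced Documents folder (no real secrets).
SAMPLES = {
    'app/.env': 'DB_PASSWORD=Sup3rS3cret!2024\nDEBUG=true\n',
    'notes.txt': 'reminder: rotate api_key = ak_live_0123456789abcdef\n',
    'deploy.ps1': '$token = "ghp_exampleexampleexample1234"\n',
    'dump.sql': "UPDATE users SET password='plainpass123' WHERE name='bob';\n",
    'server.pem': '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n',
    'config.json': '{"password": "${VAULT_REF}", "host": "db01"}\n',   # should not fire
}

def demo():
    """Write the samples to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_library(root)

if __name__ == '__main__':
    for f in demo():
        print(f)
```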

By understanding how OneDrive’s default auto-sync can backfire, organizations can prevent a routine backup from turning into a tenant-wide exposure.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.