File Extension Spoofing In Microsoft SharePoint/OneDrive and Teams

A security vulnerability has been identified within the Office 365 environment, involving file extension spoofing through the use of the Right-to-Left Override (RTLO) character. Additionally, a flaw in the OneDrive protocol handler can enable spear phishers to use OneDrive as a Command and Control (C2) solution. If a user unknowingly executes a file with a spoofed extension, the malicious file can establish a connection to an attacker’s server, enabling unauthorized data exfiltration or further malicious activities.
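The following detection sketch is an added example, not code from the original research. It flags bidirectional control characters in a file name and compares the extension a user sees with the one the operating system acts on. The sample names are constructed, and `displayed_name` is a simplified rendering model rather than the full Unicode Bidirectional Algorithm.

```python
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = set(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO (U+202E is RTLO)
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"              # LRM, RLM, ALM
)
RLO, PDF = "\u202e", "\u202c"

def extension(text):
    """Text after the last dot, lowercased; empty string when there is no dot."""
    return text.rsplit(".", 1)[1].lower() if "." in text else ""

def displayed_name(name):
    """Approximate what a user sees: text after RLO is drawn reversed until PDF
    or end of string. Simplified model, not the full Unicode Bidi Algorithm."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    return "".join(out + run[::-1])

def inspect(name):
    """Report bidi controls and compare the visible extension with the real one."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    return {"controls": controls, "displayed": shown,
            "displayed_ext": extension(shown), "actual_ext": extension(logical),
            "mismatch": extension(shown) != extension(logical)}

# Constructed sample names, not taken from the research.
SAMPLES = ["report_\u202excod.exe", "notes.docx"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), inspect(s))
```

Any non-empty `controls` list on an uploaded or shared file name is worth alerting on, even when the two extensions happen to match.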