A Trend Micro case study shows a major data exfiltration incident caused by simple misconfigurations and poor credential hygiene, beginning with a publicly exposed Spring Boot Actuator endpoint that revealed a SharePoint service account and host URL. Attackers combined plaintext client secrets from a spreadsheet with the legacy ROPC (Resource Owner Password Credentials) flow to obtain an Azure AD access token, then used ordinary, valid API calls to exfiltrate files from SharePoint Online. #SpringBootActuator #SharePointOnline #AzureAD #ROPC
Keypoints
- Publicly exposed Spring Boot Actuator endpoints (/env and /configprops) revealed a SharePoint service account and host URL in the application's configuration.
- Plaintext client IDs and client secrets were stored in a spreadsheet, effectively handing attackers working credentials.
- Attackers abused the legacy ROPC flow, which exchanges a username and password directly for a token with no interactive login, to obtain an Azure AD access token without ever facing an MFA challenge.
- No malware was used; the threat actor used the valid token to enumerate document libraries and download sensitive files through normal API calls, so nothing looked like an exploit on the wire.
- Recommendations include restricting Actuator access, auditing code and documents for plaintext secrets, disabling ROPC, and enforcing MFA as part of a Cyber Risk Exposure Management (CREM) programme.
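The two Actuator-side checks a defender would run after reading this, as an added example that is not part of the case study or the article: the first parses an /actuator/env response and lists every sensitive-looking property that came back unmasked, the second audits an application.properties fragment for the exposure settings that make /env and /configprops reachable, with the weak configuration beside a hardened one. The sample /env response, both property fragments and the list of "sensitive" key fragments are constructed for this example; Spring Boot 2.x masks only keys matching password, secret, key, token or credentials by default, which is why a key like sharepoint.service-account is returned in clear.

```python
import json
import re
from typing import List, Tuple

# Constructed sample of a Spring Boot 2.x /actuator/env response (not taken from
# the incident). Keys such as "password" are masked by the default sanitizer;
# "service-account" and "site-url" are not, and leak the SharePoint target.
SAMPLE_ENV_RESPONSE = json.dumps({
    "activeProfiles": ["prod"],
    "propertySources": [
        {"name": "systemEnvironment", "properties": {
            "PATH": {"value": "/usr/bin"},
            "SHAREPOINT_CLIENT_SECRET": {"value": "******"}}},
        {"name": "applicationConfig: [classpath:/application.properties]",
         "properties": {
            "sharepoint.site-url": {"value": "https://contoso.sharepoint.com/sites/finance"},
            "sharepoint.service-account": {"value": "svc-sharepoint@contoso.onmicrosoft.com"},
            "sharepoint.password": {"value": "******"},
            "server.port": {"value": "8080"}}},
    ],
})

# Assumed list of key fragments worth treating as sensitive even though Boot's
# default key-based masking leaves their values in clear.
SENSITIVE_KEY_RE = re.compile(
    r"(account|user|login|host|url|uri|secret|password|passwd|token|key|credential)",
    re.IGNORECASE)
MASKED = "******"


def find_exposed_properties(env_json: str) -> List[Tuple[str, str, str]]:
    """Return (property_source, key, value) for every sensitive-looking key whose
    value is returned unmasked by /actuator/env."""
    doc = json.loads(env_json)
    exposed = []
    for source in doc.get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            value = str(entry.get("value", ""))
            if SENSITIVE_KEY_RE.search(key) and value and value != MASKED:
                exposed.append((source["name"], key, value))
    return exposed


# Constructed application.properties fragments: the weak one exposes every
# actuator endpoint over HTTP and (Boot 3.x) turns value masking off entirely.
WEAK_CONFIG = """\
management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=always
"""

# Hardened: only health is reachable over HTTP, env/configprops are excluded
# explicitly, and (Boot 3.x) values stay masked even for authorized callers.
HARDENED_CONFIG = """\
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,configprops
management.endpoint.env.show-values=never
management.endpoint.configprops.show-values=never
"""

RISKY_ENDPOINTS = {"env", "configprops"}


def audit_actuator_config(properties_text: str) -> List[str]:
    """Return findings for the actuator exposure settings in a .properties text."""
    settings = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()

    findings = []
    include = {e.strip() for e in settings.get(
        "management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {e.strip() for e in settings.get(
        "management.endpoints.web.exposure.exclude", "").split(",") if e.strip()}
    if "*" in include:
        findings.append("exposure.include exposes '*' over HTTP")
    else:
        for ep in sorted((include & RISKY_ENDPOINTS) - exclude):
            findings.append(f"exposure.include exposes '{ep}' over HTTP")
    for ep in ("env", "configprops"):
        if settings.get(f"management.endpoint.{ep}.show-values", "never") == "always":
            findings.append(f"{ep}.show-values=always returns secrets unmasked")
    return findings


if __name__ == "__main__":
    for source, key, value in find_exposed_properties(SAMPLE_ENV_RESPONSE):
        print(f"[exposed] {key} = {value}  ({source})")
    print("weak config:", audit_actuator_config(WEAK_CONFIG))
    print("hardened config:", audit_actuator_config(HARDENED_CONFIG))
```

Run find_exposed_properties against a saved copy of the response from any Actuator reachable without credentials; anything it prints is what an attacker already has. The show-values properties exist only from Spring Boot 3.0, where /env and /configprops mask every value by default, so an application still on 2.x relies on the key-name sanitizer alone and the exposure settings are the only real control; the article does not say which version the victim ran, so treat both checks as applicable.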
Read More: https://securityonline.info/malware-less-heist-spring-boot-actuator-ropc-sharepoint-leak/