DEV Community

Mark0

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

This case study details a security incident where a misconfigured Spring Boot Actuator endpoint led to unauthorized data exfiltration from SharePoint Online. The attack began with the discovery of exposed /env and /configprops endpoints, which revealed sensitive service account information and internal application configurations. By combining these details with plaintext secrets discovered in a spreadsheet, the threat actor was able to move from reconnaissance to full account compromise.

The attackers used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate, which bypassed Multi-Factor Authentication (MFA): ROPC submits the username and password directly to the token endpoint, so no interactive MFA challenge is presented. This legacy authentication method allowed them to programmatically request Microsoft Graph access tokens and interact directly with SharePoint APIs. The incident highlights the critical danger of legacy authentication protocols and the importance of hardening application configurations to prevent credential harvesting and silent data exfiltration.
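As an added illustration (not the configuration from the incident itself), the following shows the kind of `application.yml` that leaves `/env` and `/configprops` readable by anyone, followed by a hardened equivalent; the two are separate files shown here in one block, the property names are standard Spring Boot 3 Actuator settings, and the management port and endpoint list are assumptions for the example.

```yaml
# --- Weak configuration (constructed example, not the incident's real file) ---
# Exposes every actuator endpoint over the application's HTTP listener,
# including /actuator/env and /actuator/configprops, and tells Spring Boot 3
# to return property values unmasked to any caller that reaches them.
management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    env:
      show-values: always
    configprops:
      show-values: always

---
# --- Hardened configuration (constructed example) ---
management:
  # Serve actuator on a separate port so it is not reachable through the
  # same listener (and reverse proxy rules) as the public application.
  server:
    port: 8081            # assumed port; bind it to an internal interface only
  endpoints:
    web:
      exposure:
        # Expose only what monitoring actually needs; never "*".
        include: health,info
        # exclude takes precedence over include, so these stay off even if
        # someone later widens the include list.
        exclude: env,configprops,heapdump,threaddump,beans,mappings
  endpoint:
    env:
      # Even if /env is ever re-enabled, values are masked for every caller.
      show-values: never
    configprops:
      show-values: never
    health:
      # Component-level health details only for authenticated, authorized users.
      show-details: when-authorized
```

Restricting the endpoints closes only the first link in the chain; the ROPC step still has to be blocked separately in the identity provider (for example by disabling legacy authentication for the tenant), otherwise any credentials leaked by another route remain usable without MFA.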
