In a significant cybersecurity development, Obsidian, a renowned cybersecurity firm, has uncovered the first-ever successful ransomware attack targeting SharePoint Online, a component of Microsoft 365

This attack marks a departure from the traditional compromised endpoint route, as the hackers stealthily exploited a Microsoft Global SaaS admin account.

While the identity of the victim remains undisclosed, Obsidian’s investigation points to the notorious Omega group as the potential perpetrator behind the attack.

This article delves into the details of the SaaS ransomware attack and provides insights into detection opportunities and recommendations for enhancing SaaS controls.

The Intricate Attack

The attackers managed to gain access to multiple SharePoint sites by creating a new Active Directory (AD) user named Omega.

This user was endowed with elevated privileges including:

-Global Administrator

-SharePoint Administrator

-Exchange Administrator

-Teams Administrator

-Site collection administrator capabilities

Within a mere two hours, the attackers systematically eliminated over 220 administrators, leaving behind a trail of authority voids.

Exploiting Sensitive Information

Simultaneously, the threat actor uploaded thousands of “PREVENT-LEAKAGE.txt” files after exfiltrating numerous files.

These files served a dual purpose:

-first, to notify the victim about the theft

-second, to establish a communication channel for potential negotiations regarding payment to prevent the disclosure of sensitive information.

The attackers’ interest in this capability is evident from their investment of time to construct automation specifically for this attack.

By focusing on data theft rather than encryption, the attackers mitigate the risks of failed decryption attempts and streamline the overall administration process.

The Infamous Omega Group

Obsidian’s investigation strongly suggests the involvement of the Omega group, known for its utilization of double extortion tactics.

In July 2022, the group gained public attention following a report highlighting their extortion methods.

If the Omega group is indeed responsible, the victim’s identity could potentially be disclosed on data leak sites if they fail to comply with the ransom demands.

Detection Opportunities

To strengthen defenses against SaaS ransomware attacks, organizations should be vigilant and leverage key detection opportunities.

These include setting up alerts for service accounts,

-new AD users

-new AD groups

-SharePoint files

-User-agent activities

By promptly identifying suspicious activities through these alerts, organizations can mitigate the impact of attacks and respond effectively.

Enhancing SaaS Controls

SaaS solutions hold vast amounts of regulated, confidential, and sensitive information critical to businesses.

To manage the associated risks effectively, it is crucial to enhance SaaS controls. This involves mitigating excessive privileges, revoking unauthorized integrations, and addressing high-risk factors.

By implementing these measures, companies can protect their valuable data and prevent potential ransomware attacks.


The SaaS ransomware attack leveraging SharePoint Online highlights the evolving tactics employed by cybercriminals. Organizations must remain vigilant and prioritize robust cybersecurity measures to safeguard their sensitive information. By adopting enhanced SaaS controls, detecting suspicious activities, and promptly responding to potential threats, businesses can stay one step ahead of malicious actors seeking to exploit SaaS platforms.