
From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

Threat actors exploited an exposed Spring Boot Actuator endpoint and plaintext credentials found in a spreadsheet to authenticate via the legacy ROPC flow. This allowed them to bypass MFA, obtain a Microsoft Graph access token, and exfiltrate sensitive data from SharePoint Online without deploying malware.

Confidence: high. Analyzed: 2026-03-18. Category: reports.

Authors: Ryan Soliven, Jovit Samaniego, Reine Roque

Source: Trend Micro

Key Takeaways

  • Exposed Spring Boot Actuator endpoints can leak sensitive configuration data and application secrets.
  • Plaintext credentials stored in spreadsheets enabled attackers to impersonate an internal Azure AD application.
  • The OAuth 2.0 Resource Owner Password Credentials (ROPC) grant hands a username and password straight to the token endpoint and has no way to complete an MFA challenge; wherever an account is still permitted to use it, MFA is effectively bypassed.
  • Attackers successfully exfiltrated SharePoint data using legitimate API access without deploying malware.

Affected Systems

  • Spring Boot
  • Azure AD / Entra ID
  • SharePoint Online
  • Microsoft Graph

Attack Chain

The attacker first queried unauthenticated Spring Boot Actuator endpoints (/api/actuator/env and /api/actuator/configprops) and recovered the SharePoint service account details and configuration paths; the account password in the exposed application.yml was shown masked, but the rest of the configuration was readable. They then obtained plaintext client secrets for an internal Azure AD application from an unsecured spreadsheet. Together these supplied everything an ROPC token request takes: the application's client ID and secret plus a username and password. The attacker posted that request to the tenant's token endpoint, received a Microsoft Graph access token with no MFA prompt, and used it to enumerate and download sensitive files from SharePoint Online.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but outlines behavioral patterns visible in Azure AD sign-in logs, web server access logs, and SharePoint audit logs.

Detection Engineering Assessment

  • EDR Visibility: None. The chain ran against a public-facing web application and Microsoft cloud services (Azure AD, SharePoint Online), not on the endpoints where EDR is deployed; even where the web server itself carries an agent, the Actuator requests are ordinary HTTP and create no process, file or registry activity to alert on.
  • Network Visibility: Medium. Perimeter logs capture the inbound Actuator requests, but the ROPC token request and the Graph/SharePoint API calls are TLS sessions terminated by Microsoft's infrastructure, so their content is visible only in Microsoft's own logs.
  • Detection Difficulty: Moderate. Detection requires correlating web server access logs (Actuator exposure), Azure AD sign-in logs (ROPC usage) and SharePoint audit logs (mass downloads), which is hard without a centralized SIEM or exposure management platform.

Required Log Sources

  • Azure AD Sign-in Logs
  • SharePoint Audit Logs
  • Web Server Access Logs

Hunting Hypotheses

Each hypothesis lists the telemetry it runs against, the ATT&CK stage it covers and its false-positive risk.

  • Hypothesis: Successful or failed Azure AD sign-ins that used the ROPC grant, especially from unusual IP addresses; the sign-in log records the grant in its Authentication Protocol field (authenticationProtocol = ropc).
    Telemetry: Azure AD Sign-in Logs
    ATT&CK Stage: Credential Access
    FP Risk: Low to Medium (depending on legacy app usage in the environment)
  • Hypothesis: External IP addresses receiving successful responses from sensitive Spring Boot Actuator endpoints such as /env or /configprops.
    Telemetry: Web Server Access Logs
    ATT&CK Stage: Reconnaissance
    FP Risk: Low (these endpoints should not be publicly accessible)
  • Hypothesis: Rapid, automated file downloads in SharePoint audit logs (COLLABORATION_ACTIVITY; FileDownloaded operations) from non-browser User-Agents such as curl or python-requests.
    Telemetry: SharePoint/O365 Audit Logs
    ATT&CK Stage: Collection
    FP Risk: Medium (some automated backup or administrative scripts use these agents)
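The three hypotheses above as runnable hunting logic, added here as an example written for this page (not code from the Trend Micro report). It runs over constructed sample records: a Combined Log Format access log, Entra ID sign-in records using the Graph signIn field names (authenticationProtocol, status.errorCode) and Office 365 Unified Audit Log events (Operation, UserAgent, UserId, ClientIP, CreationTime, SourceFileName). The IP addresses come from documentation ranges, the example.com tenant and its accounts are fictitious, and the downloaded file names reuse the IOC list further down this page.

```python
"""Hunting logic over constructed sample telemetry: a Combined Log Format
access log, Entra ID sign-ins (Graph signIn field names) and Office 365
Unified Audit Log events. Nothing here is data from the Trend Micro report."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Actuator endpoints that should never answer an external client.
SENSITIVE_ACTUATOR = re.compile(
    r"/actuator/(?:env|configprops|heapdump|threaddump|beans|mappings|loggers)(?:[/?]|$)")
# Scripted clients typical of bulk collection; browser agents do not match.
NON_BROWSER_UA = re.compile(r"^(?:curl|python-requests|Wget|Go-http-client)/", re.I)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def actuator_hits(access_log):
    """External clients that received HTTP 200 from a sensitive Actuator path."""
    hits = []
    for line in access_log.strip().splitlines():
        m = ACCESS_RE.match(line)
        if (m and m["status"] == "200" and SENSITIVE_ACTUATOR.search(m["path"])
                and not is_internal(m["ip"])):
            hits.append({"ip": m["ip"], "path": m["path"], "ua": m["ua"]})
    return hits


def ropc_signins(signins):
    """Every sign-in that used the ROPC grant; failures are kept because they still
    show someone submitting a password for that account."""
    return [{"user": s["userPrincipalName"].lower(), "ip": s["ipAddress"], "app": s["appDisplayName"],
             "error": s["status"]["errorCode"], "success": s["status"]["errorCode"] == 0}
            for s in signins if s.get("authenticationProtocol", "").lower() == "ropc"]


def bulk_downloads(events, threshold=5, window_minutes=5):
    """(user, user-agent) pairs with at least `threshold` FileDownloaded events from a
    non-browser agent inside any `window_minutes` span (sliding window)."""
    by_key = defaultdict(list)
    for e in events:
        if e["Operation"] == "FileDownloaded" and NON_BROWSER_UA.match(e.get("UserAgent", "")):
            by_key[(e["UserId"].lower(), e["UserAgent"])].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["CreationTime"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(e["CreationTime"]) for e in evs]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = {"count": len(evs), "ips": sorted({e["ClientIP"] for e in evs}),
                                "files": [e["SourceFileName"] for e in evs]}
                break
    return flagged


def correlate(access_log, signins, events):
    """Identities that signed in via ROPC and then mass-downloaded, plus any IP that
    appears both in the Actuator probing and in the cloud telemetry."""
    hits, ropc, bulk = actuator_hits(access_log), ropc_signins(signins), bulk_downloads(events)
    chained = sorted({r["user"] for r in ropc if r["success"]} & {user for user, _ua in bulk})
    cloud_ips = {r["ip"] for r in ropc} | {ip for v in bulk.values() for ip in v["ips"]}
    return {"actuator_hits": hits, "ropc": ropc, "bulk": bulk, "chained_identities": chained,
            "shared_ips": sorted({h["ip"] for h in hits} & cloud_ips)}


# Constructed sample telemetry: documentation IP ranges, fictitious example.com tenant.
ACCESS_LOG = """
203.0.113.45 - - [18/Mar/2026:09:12:03 +0000] "GET /api/actuator/env HTTP/1.1" 200 18422 "-" "curl/8.14.1"
203.0.113.45 - - [18/Mar/2026:09:12:41 +0000] "GET /api/actuator/configprops HTTP/1.1" 200 9310 "-" "curl/8.14.1"
198.51.100.9 - - [18/Mar/2026:09:13:10 +0000] "GET /api/actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.14.1"
10.20.4.7 - - [18/Mar/2026:09:13:30 +0000] "GET /api/actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
"""
SIGNINS = [
    {"userPrincipalName": "svc-sharepoint@example.com", "ipAddress": "203.0.113.45",
     "appDisplayName": "Internal SharePoint Sync", "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.10",
     "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.45", "appDisplayName": "Internal SharePoint Sync",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50076}},  # MFA required: ROPC cannot satisfy it
]
# File names reuse this page's IOC list; times, accounts and IPs are constructed.
_FILES = ["Mail.sql", "ENS_Plan_2025.xlsx", "DBLOCK.sql", "ENS Imperva.xlsx",
          "backup_log.xlsx", "Credential.txt", "ROBO_Credential.txt", "VPN_Exception.xlsx"]
SP_AUDIT = [{"CreationTime": f"2026-03-18T09:2{1 + i // 3}:{(i % 3) * 20:02d}", "Operation": "FileDownloaded",
             "UserId": "svc-sharepoint@example.com", "ClientIP": "203.0.113.45",
             "UserAgent": "python-requests/2.32.3", "SourceFileName": name} for i, name in enumerate(_FILES)]
SP_AUDIT.append({"CreationTime": "2026-03-18T09:22:50", "Operation": "FileDownloaded", "UserId": "alice@example.com",
                 "ClientIP": "192.0.2.10", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/122.0", "SourceFileName": "Q1.pptx"})

if __name__ == "__main__":
    result = correlate(ACCESS_LOG, SIGNINS, SP_AUDIT)
    for user in result["chained_identities"]:
        print("ROPC sign-in followed by scripted bulk download:", user)
    print("IPs seen both probing Actuator and in cloud telemetry:", result["shared_ips"])
```

The sliding window in bulk_downloads is what separates a scripted pull of eight files in three minutes from an administrator's occasional curl; tune threshold and window_minutes against a week of your own FileDownloaded volume, and allowlist the specific service accounts whose backup jobs legitimately use python-requests rather than the User-Agent string itself. Failed ROPC attempts are deliberately kept in the output: an error such as the MFA-required code in the sample means the password was accepted and only Conditional Access stood in the way.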

Control Gaps

  • Publicly exposed Actuator endpoints
  • Lack of MFA enforcement / ROPC enabled
  • Plaintext secrets stored in spreadsheets

Key Behavioral Indicators

  • ROPC authentication protocol usage in Azure AD
  • HTTP 200 responses for /api/actuator/* endpoints
  • SharePoint FileDownloaded events with curl or python-requests User-Agents

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Take Actuator off the public surface: set management.endpoints.web.exposure.include to health only (or explicitly exclude env, configprops and heapdump), serve the management endpoints from a separate port (management.server.port) bound to a management-only address, and put Spring Security in front of /actuator/** so anything beyond health requires authentication. IP allowlists and reverse-proxy rules are a second layer, not the primary control.
  • Rotate every credential present in the exposed application.yml and in the unsecured spreadsheet, including the Azure AD application's client secret and the SharePoint service account password, and revoke the service account's refresh tokens; access tokens already issued through ROPC stay valid until they expire, typically within the hour.
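The configuration side of the first mitigation, as an added example written for this page rather than taken from the report: a small audit that applies Spring Boot's documented exposure rules (web exposure of health only by default on current releases, "*" meaning every endpoint, exclude overriding include, and a distinct management.server.port moving Actuator off the application port and out from under the servlet context path) to flattened property keys, which is what application.yml resolves to. It checks a constructed vulnerable configuration that reproduces the /api/actuator/env exposure pattern against a hardened one. management.endpoint.env.show-values is a Spring Boot 3 property and is treated as absent on older releases.

```python
"""Audit Spring Boot Actuator exposure from flattened configuration keys.
Added example; the two configurations at the bottom are constructed."""
# Web-exposable built-in endpoints; shutdown additionally needs an explicit enable.
ALL_ENDPOINTS = {"health", "info", "env", "configprops", "beans", "mappings", "metrics",
                 "loggers", "threaddump", "heapdump", "conditions", "scheduledtasks", "shutdown"}
# Endpoints whose output carries secrets, configuration or process memory.
SENSITIVE = {"env", "configprops", "heapdump", "threaddump", "beans", "mappings", "loggers", "shutdown"}


def parse_properties(text):
    """Minimal application.properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_endpoints(props):
    """Endpoints reachable over HTTP under Spring Boot's include/exclude semantics."""
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))  # assumed default
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = set(ALL_ENDPOINTS) if "*" in include else include & ALL_ENDPOINTS
    if props.get("management.endpoint.shutdown.enabled", "false").lower() != "true":
        exposed.discard("shutdown")
    return set() if "*" in exclude else exposed - exclude


def endpoint_location(props, name):
    """(port, path) at which an endpoint is served."""
    app_port = props.get("server.port", "8080")
    mgmt_port = props.get("management.server.port", app_port)
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    if mgmt_port != app_port:
        # Separate management context: the application's servlet context path does not apply.
        prefix = props.get("management.server.base-path", "").rstrip("/")
    else:
        prefix = props.get("server.servlet.context-path", "").rstrip("/")
    return mgmt_port, f"{prefix}{base}/{name}"


def audit(props):
    """Findings a reviewer would raise before this configuration ships."""
    findings = []
    exposed = exposed_endpoints(props)
    leaking = sorted(exposed & SENSITIVE)
    for name in leaking:
        port, path = endpoint_location(props, name)
        findings.append(f"sensitive endpoint exposed: {path} on port {port}")
    app_port = props.get("server.port", "8080")
    if leaking and props.get("management.server.port", app_port) == app_port:
        findings.append("management endpoints share the application port; any client that "
                        "can reach the app can reach Actuator")
    if "env" in exposed and props.get("management.endpoint.env.show-values", "never") == "always":
        findings.append("management.endpoint.env.show-values=always prints secret values unmasked")
    if exposed & {"env", "configprops"}:
        findings.append("even with values masked, /env and /configprops reveal property names, "
                        "hostnames, usernames and paths")
    return findings


# Constructed: the exposure pattern behind /api/actuator/env, then a hardened version.
VULNERABLE = """
server.port=8080
server.servlet.context-path=/api
management.endpoints.web.exposure.include=*
"""
HARDENED = """
server.port=8080
server.servlet.context-path=/api
# Actuator on its own port, bound to loopback, reachable only by local tooling
management.server.port=9090
management.server.address=127.0.0.1
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,configprops,heapdump,threaddump
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        props = parse_properties(text)
        print(f"[{label}] exposed over HTTP: {sorted(exposed_endpoints(props))}")
        for finding in audit(props):
            print("   -", finding)
```

The explicit exclude list in the hardened configuration is redundant while include is health only, but it survives the day someone widens include to "*" for a debugging session, since exclude always wins. Binding the management port to loopback is what makes the separate port meaningful; a management port reachable from the same network as the application port only moves the problem.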

Infrastructure Hardening

  • Block the ROPC grant. Entra ID offers no single tenant-wide switch for it, so enforce the block through Conditional Access (requiring MFA, a compliant device or a trusted location makes ROPC fail, because the grant cannot complete an interactive challenge), set "Allow public client flows" to No on app registrations that do not need it, and move service integrations off user passwords onto client credentials with certificates or managed identities.
  • Enforce Conditional Access policies and MFA for all cloud applications, including service accounts, which are the identities most often excluded from MFA policies and therefore the ones ROPC still works against.

User Protection

  • Audit environments for plaintext credentials stored in spreadsheets, shared drives, or documentation.

Security Awareness

  • Train developers on secure secret management practices and the risks of informal credential documentation.

MITRE ATT&CK Mapping

  • T1592.004 - Gather Victim Host Information: Client Configurations
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1530 - Data from Cloud Storage Object

Additional IOCs

  • Urls:
    • /api/actuator/env - Exposed Spring Boot Actuator endpoint used for reconnaissance
    • /api/actuator/configprops - Exposed Spring Boot Actuator endpoint revealing SharePoint configuration
  • File Paths:
    • application.yml - Configuration file whose SharePoint service account password appeared masked in the Actuator output (Actuator's default sanitisation hides password-like values); the surrounding keys identifying the account and its SharePoint paths were readable
  • Other:
    • curl/8.14.1 - User-Agent used by the attacker for reconnaissance and exfiltration
    • python-requests/2.32.3 - User-Agent used by the attacker for SharePoint data exfiltration
    • Mail.sql - Exfiltrated file from SharePoint
    • ENS_Plan_2025.xlsx - Exfiltrated file from SharePoint
    • DBLOCK.sql - Exfiltrated file from SharePoint
    • ENS Imperva.xlsx - Exfiltrated file from SharePoint
    • backup_log.xlsx - Exfiltrated file from SharePoint
    • Credential.txt - Exfiltrated file from SharePoint
    • ROBO_Credential.txt - Exfiltrated file from SharePoint
    • VPN_Exception.xlsx - Exfiltrated file from SharePoint