
SharePoint to SecretPoint: Microsoft Auto-Sync Exposes Secrets at Scale


(@entrosecurity)

Read original article here

When Entro Labs published the 2025 H1 NHI & Secrets Risk research, one finding stood out: 1 out of every 5 exposed secrets in the enterprise originated from SharePoint. As our security research team dug deeper, the cause wasn’t a sophisticated exploit but something far more ordinary: a default OneDrive auto-sync feature that silently moves local files into SharePoint, turning desktops and personal folders into cloud credential repositories. In this blog, we’ll share Entro Labs’ research and findings behind this hidden yet severe exposure.

SharePoint and the Goldmine of Secrets: How OneDrive Auto-Sync Works

Figure 1: How OneDrive auto-sync moves local files (containing secrets or not) into SharePoint, exposing secrets to admins or attackers.

At its core, SharePoint actually isn’t the culprit; the problem stems from the OneDrive for Business Known Folder Move (KFM) feature. Designed for convenience, KFM automatically syncs key user folders like “Desktop” and “Documents” into OneDrive, which in enterprise deployments stores the data in SharePoint Online document libraries.

From a productivity standpoint, this means end users never lose their files and can access them from any device. But from a security standpoint, it creates a silent goldmine of sensitive data. Anything saved locally, be it an .env file, a config .json, or even a casual (and most infamous) “passwords.xlsx”, may automatically find its way to the cloud without alerting the file owners.

Once on SharePoint, those synced files inherit the platform’s sharing model: visible to the owner, sometimes to a team, but always accessible to administrators (who can set themselves as Site Collection Administrator and then read synced files). This turns what started as a personal local backup into a tenant-wide exposure.

This also means that when a Microsoft 365 user with OneDrive sync is compromised, attackers don’t just gain access to their email and apps, they can also access the user’s local files that were synced from their endpoint.

SecretPoint: Auto-Sync Is a Default Risk

And this isn’t limited to enterprise subscriptions. On Windows 10/11, the OneDrive sync client is enabled by default, even for personal accounts (unmanaged devices, not “OneDrive for Business”). As soon as a user signs in for the first time, OneDrive starts backing up the Documents, Desktop, and Pictures folders to the cloud in the background. As a user, there’s a good chance that the first time you notice this behavior will be when you ultimately hit Microsoft’s free storage limit of 5 GB.

That’s because the opt-out is presented only once, during the initial setup that users usually tend to skip through (syncing is framed as a “recommended step”), so many users end up with their files backed up by default without realizing it.

Figure 2: OneDrive auto-sync, enabled by default on Windows 11, backs up local folders of non-enterprise users to the cloud. In enterprise environments, those files are accessible via SharePoint Online.

From Local Folders to Leaked Secrets: Entro’s Research

The Entro Labs team analyzed every SharePoint-related secret that surfaced across dozens of enterprise customer environments. Auto-sync, of course, isn’t the only way plaintext secrets get stored in SharePoint. The patterns found were remarkably consistent, and they split into two main categories:

  1. Locally-saved files that sync via OneDrive for Business backup (Desktop, Documents, Pictures and others).
  2. Files users actively share through Microsoft 365 collaboration apps. For example, files shared as attachments in messages of a Teams channel go to the channel’s SharePoint library.

When these files finally land in SharePoint, they stop being personal or team-only resources and suddenly inherit broad, cloud-level visibility.

Where the Secrets Actually Hide

Figure 3: The most popular file extensions hosted in SharePoint environments containing secrets. SharePoint secrets amount to 20% of the total secrets exposed in an organization!

Our analysis shows that certain file types on SharePoint are especially prone to contain unencrypted secrets:

  • Spreadsheets are the #1 danger: More than 50% of SharePoint-hosted secrets came from .xlsx workbooks, “tracking” sheets, logs, or developer scratchpads where secrets and passwords were pasted for convenience.
  • Plain text is alive and well: .txt, .json, and .pem files collectively contributed 18% of “leaks”. These quick-and-dirty notes, config files, and certificate bundles sync by default straight into the cloud.
  • Scripts and docs weren’t innocent either: PowerShell scripts .ps1, SQL dumps .sql, Word docs .docx, and even OneNote files .one all contained credentials, proof that almost any file type can become a “secrets vault.”

Unlike source code or CI/CD pipelines, user-generated Office, text and binary files move with almost no friction. They’re shared, edited, and reshared by many hands. Once synced to SharePoint, those files inherit broad, tenant-wide exposure. A single M365 admin or over-privileged compromised account can search across the entire environment and pull secrets instantly.

As we’ll see shortly, the data above don’t just reflect careless use of file formats; they show everyday developer habits and “normal” coding practices. Nevertheless, the blast radius is enormous, and yet most security programs don’t even look at these files.

Step by Step: When Your “Local” .env Isn’t That Local Anymore

For years, security guidance has encouraged developers to move secrets out of code and into environment variables stored locally: .env files, config fragments, or credential notes that are never supposed to leave the engineer’s workstation. On its own, that’s a step up from hardcoding secrets in source.

But paired with OneDrive auto-sync, this practice backfires. On Windows OS, those supposedly “local-only” environment files are often backed up automatically into OneDrive, and in enterprise deployments those can be accessed via SharePoint Online. What was once a best practice becomes an exposure vector. The “keys to the kingdom” meant to stay confined to a laptop can suddenly be searchable across the entire Microsoft 365 tenant, creating a perfect storm for silent, large-scale leaks.

To see how this plays out in practice, let’s follow a simple demonstration of a developer storing a secret on their Desktop, and see how it quietly travels to SharePoint.

SecretPoint demo part 1

A developer saves a Slack bot token into a .env file on their Desktop. To them, this feels safe and local: the file isn’t in source control, and it’s only meant to live on their machine for testing purposes and local commits.

SecretPoint demo part 2

The file now sits on the Desktop, holding a Slack bot token in plaintext. To the user, it looks like any other harmless local file stored only on their machine and available “on this device.”

SecretPoint demo part 3

With the OneDrive sync client running by default, the .env file is automatically backed up into the user’s work OneDrive folder, without any deliberate action from the user. From this point on, if the user’s Microsoft account is compromised, so is the secret and the Slack workspace it has access to.

SecretPoint demo part 4

From the Microsoft 365 admin console, the developer’s profile, and by extension their synced SharePoint site, is fully accessible.

SecretPoint demo part 5

Within 2 clicks, an admin can assign themselves as a Site Collection Administrator for the user’s personal SharePoint site. This grants them direct access to every file synced from that developer’s Desktop.

SecretPoint demo part 6

With elevated access, they can open the .env file directly and view the Slack bot token in plaintext – a secret the developer believed never left their laptop.

In real-world breaches though, attackers don’t click through menus; they have scripts, automation, and built-in Microsoft Graph API calls to sweep entire tenants. What we did manually with one file, attackers script across thousands of users in minutes.

From Best Practice to Breach Vector: Auto-Sync’s Dire Consequences

If your M365 admin has been breached (once you’re aware of it), you may face many security-incident-response dilemmas. But secrets stored on SharePoint are exactly the material lateral-movement nightmares are made of. The SecretPoint auto-sync reshapes the attack surface in ways most security teams today do not anticipate.

SharePoint as a Prime Target

It is no secret (pun intended) that SharePoint is one of the most targeted enterprise resources. It sits at the crossroads of identity, documents, and collaboration. Once data lives in it, it inherits all of SharePoint’s strengths and all of its risks.

Just in July 2025, attackers exploited the “ToolShell” zero-day (CVE-2025-53770) in on-premises SharePoint servers. Hundreds of organizations, including U.S. government agencies, were hit with ransomware attacks launched through compromised SharePoint servers. While this campaign targeted on-prem servers rather than SharePoint Online, together with countless others from the past decade it paints a bigger picture: adversaries see SharePoint as one of the most valuable enterprise resources to compromise.

Auto-Sync Blurs Personal-Work Boundaries

OneDrive auto-sync can blur the line between personal and corporate file storage. In May 2025, Microsoft introduced a new OneDrive Sync client behavior for Windows: “enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices… If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default”. This can result in sensitive corporate files being pulled into a user’s personal OneDrive, or personal data ending up bundled with work-related files.

Phishing Expands the Blast Radius

Beyond exploits and default features, SharePoint and OneDrive remain constant phishing targets. Proofpoint has highlighted Microsoft as the most abused brand in phishing. With stolen credentials as the #1 initial attack vector in breaches (Verizon DBIR 2025), the risk escalates. Recent campaigns show how threat actors increasingly abuse look-alike SharePoint domains, spoofed file-share emails, and even fake multifactor prompts to harvest accounts. A single compromised user or admin can look for secrets with simple queries like “password,” “AWS,” or “token” and instantly surface secrets synced from endpoints. The indexing turns a single phish into a data-mining operation. From there, attackers can automate discovery with regex patterns and open-source secrets scanners to find API keys, tokens, and other secrets hidden within synced files.

Breaking the Sync-to-Secrets Chain: Practical Recommendations

Auto-sync doesn’t just store documents. It amplifies the blast radius of every compromised identity. What looks like a harmless backup can turn into tenant-wide exposure in minutes. Here are a few steps security teams can take today to break the sync-to-secrets chain and prevent SharePoint from becoming SecretPoint: 

  • Build awareness across teams: On newer Windows operating systems, OneDrive auto-sync moves Desktop and Documents into SharePoint by default. Developers (also contractors and third parties) need to know their “local” secrets in these folders may not stay local.
  • Cancel KFM sync if you don’t need it (users): If your organization’s policy allows, disable or restrict OneDrive auto-sync for Desktop and Documents; you can always pick other folders beyond the default ones to go to the cloud. Removing the feature where it isn’t needed is the simplest way to cut exposure.
  • Enforce policy controls (IT admins): Use Group Policy or Intune to disable auto-sync globally where it isn’t required. Policies like DisableKnownFolderMove, DisablePersonalSync, or DisableNewAccountDetection let you prevent Desktop and Documents from syncing to SharePoint by default.
  • Scan SharePoint for secrets (security): Research and deploy a solution that can scan SharePoint sites for exposed secrets. Most scanners stop at code and CI/CD, missing collaboration. Entro’s platform integrates directly into your SharePoint environment to detect, alert, and help remediate secrets automatically.
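A minimal defender-side scanner in the spirit of the last recommendation and of the file-type findings above, added here as an example (it is not Entro’s platform or code): it walks an exported copy of a user’s synced folders, checks the plain-text types the article singles out, and reports each hit by KFM folder and extension without echoing the secret. The regexes, the folder layout, and the sample files are constructed for this example; the AWS key is Amazon’s documented example ID.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Patterns are constructed for this example; tune and extend them for your environment.
PATTERNS = {
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}
# Plain-text types the article singles out; Office binaries need a dedicated parser and are skipped here.
TEXT_EXTENSIONS = {".env", ".txt", ".json", ".pem", ".ps1", ".sql"}
KNOWN_FOLDERS = {"Desktop", "Documents", "Pictures"}  # folders Known Folder Move syncs by default

def scan_file(path):
    """Return (pattern_name, line_number) hits; the matched secret itself is never returned."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return [(name, n) for n, line in enumerate(text.splitlines(), 1)
            for name, rx in PATTERNS.items() if rx.search(line)]

def scan_tree(root):
    """Walk an exported synced folder and tag each hit with the KFM folder it came from."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or not (p.suffix.lower() in TEXT_EXTENSIONS or p.name == ".env"):
            continue
        rel = p.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else ""
        for name, n in scan_file(p):
            findings.append({"file": rel.as_posix(), "type": name, "line": n,
                             "kfm_folder": top if top in KNOWN_FOLDERS else None})
    return findings

def by_extension(findings):
    """Count hits per file extension, mirroring the article's Figure 3 breakdown."""
    return Counter(Path(f["file"]).suffix.lower() or Path(f["file"]).name for f in findings)

def run_demo():
    """Build a constructed sample of a synced user profile in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        samples = {  # constructed sample data, not real credentials
            "Desktop/.env": "SLACK_BOT_TOKEN=xoxb-123456789012-123456789012-AbCdEfGhIjKlMnOpQrStUvWx\n",
            "Desktop/passwords.txt": "vpn password: Winter2025!\n",
            "Desktop/todo.txt": "finish quarterly report\n",
            "Documents/config.json": '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"}\n',
            "Pictures/cert.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n",
        }
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        findings = scan_tree(root)
        return findings, by_extension(findings)

if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f"{f['kfm_folder']}: {f['file']} line {f['line']} -> {f['type']}")
```

Point `scan_tree` at a local copy of a OneDrive folder or a downloaded SharePoint library to get the same per-folder and per-extension view for your own tenant.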

For deeper insights into how secrets sprawl across enterprises and more data behind the SharePoint findings, download the full Entro Labs NHI & Secrets Risk Report, free.
