NHI Forum
Read full article here: https://entro.security/blog/sharepoint-to-secretpoint-microsoft-auto-sync-risk-exposes-secrets-at-scale/?utm_source=nhimg
When Entro Labs published the 2025 H1 NHI & Secrets Risk Report, one finding jumped out: 1 in 5 exposed enterprise secrets originated from SharePoint.
Our research shows this isn’t the result of a sophisticated exploit. Instead, it stems from a surprisingly ordinary culprit: the default OneDrive auto-sync feature that silently moves local files into SharePoint. This seemingly harmless backup mechanism turns desktops and personal folders into cloud-based credential repositories, dramatically expanding the enterprise attack surface.
How Auto-Sync Works and Why It’s a Risk
At its core, SharePoint isn’t the problem. The exposure comes from Known Folder Move (KFM), a OneDrive for Business feature that automatically syncs local folders like Desktop and Documents into OneDrive, which in enterprise environments maps directly to SharePoint Online document libraries.
From a productivity standpoint, this prevents file loss and enables cross-device access. From a security perspective, it’s a silent disaster:
- Any .env, .json, or passwords.xlsx file on a local machine can be synced into the cloud automatically.
- Once in SharePoint, files inherit tenant-wide visibility models, making them accessible to admins and to attackers if accounts are compromised.
- A single phished Microsoft 365 admin account can search across the tenant with queries like “AWS,” “token,” or “password” and surface synced secrets in minutes.
This is what we call the SecretPoint effect: Microsoft’s convenience defaults quietly convert local developer practices into enterprise-scale exposure.
Where Secrets Actually Hide
Entro’s analysis across dozens of environments showed that secrets exposed via SharePoint cluster around familiar file types:
- Spreadsheets: >50% of exposed secrets came from .xlsx workbooks (tracking sheets, logs, scratchpads).
- Plain text configs: .txt, .json, .pem files accounted for 18% of exposures.
- Scripts & docs: .ps1, .sql, .docx, and .one files all carried credentials.
The key point: unlike code repos, these user-generated files move easily through collaboration tools and inherit tenant-wide indexing once in SharePoint. That means attackers can mine them systematically using Graph API queries or regex-based scanners.
A Step-by-Step Example
- A developer saves a Slack bot token in a .env file on their Desktop.
- OneDrive auto-sync silently backs it up to the user’s SharePoint site.
- A compromised admin account grants itself access to the site.
- Within two clicks (or via API), the .env file — and the Slack bot token — are exposed.
This isn’t hypothetical. Attackers already automate these steps across tenants, turning small exposures into systemic risks.
From Best Practice to Breach Vector
Ironically, security guidance has long encouraged developers to move secrets out of code and into environment variables stored in local .env files. But when auto-sync is enabled by default, that “safer” practice can backfire — secrets meant to stay on a laptop end up discoverable across an entire M365 tenant.
This transforms SharePoint from a collaboration tool into a prime hunting ground for credential theft and lateral movement.
Breaking the Sync-to-Secrets Chain
Here’s how enterprises can reduce risk:
- Educate Teams: Make developers and contractors aware that “local” files may sync by default into SharePoint.
- Disable Auto-Sync Where Possible: Use Group Policy/Intune to enforce DisableKnownFolderMove and related policies.
- Harden Admin Access: Limit who can assign themselves Site Collection Admin privileges.
- Scan SharePoint for Secrets: Extend secrets detection beyond source code into SharePoint libraries. Entro’s platform integrates natively to detect, alert, and remediate.
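As an added example (not code from the Entro article or its product), the following Python scanner walks the folders that Known Folder Move redirects, keeps only the file types the report names, and flags lines that look like credentials, so a team can find what would be synced before it leaves the laptop. The regexes, the fake token values, and the demo() sample folder are my own assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

# File types the article names as common secret carriers once synced.
# .xlsx/.docx/.one are binary containers; this example covers text formats only.
SYNC_RISK_SUFFIXES = (".env", ".txt", ".json", ".pem", ".ps1", ".sql")

# Detection patterns are assumptions for this example, not taken from the article.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{6,}"),
}

def is_sync_risk(filename):
    """True when KFM would carry this file type and it commonly holds credentials."""
    return filename.lower().endswith(SYNC_RISK_SUFFIXES)

def scan_text(text):
    """Return (pattern_name, line_no) for every line that matches a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((label, line_no))
    return findings

def scan_known_folders(roots):
    """Walk Desktop/Documents-style trees; map relative file path -> findings."""
    report = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or not is_sync_risk(path.name):
                continue
            hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Constructed sample Desktop; every token value below is a fake placeholder."""
    samples = {
        ".env": "SLACK_BOT_TOKEN=xoxb-000000000000-FAKEFAKEFAKE\nDEBUG=true\n",
        "notes.txt": "db password: Hunter2Hunter2\n",
        "config.json": '{"aws_access_key_id": "AKIAEXAMPLEEXAMPLE00"}\n',
        "key.pem": "-----BEGIN RSA PRIVATE KEY-----\nFAKEBASE64\n-----END RSA PRIVATE KEY-----\n",
        "readme.md": "password: not-scanned (markdown is outside the risk list)\n",
    }
    with tempfile.TemporaryDirectory() as desktop:
        for name, body in samples.items():
            Path(desktop, name).write_text(body, encoding="utf-8")
        return scan_known_folders([desktop])
```

Point scan_known_folders at the real redirected folders (for example the user's Desktop and Documents) to get the same report for files that KFM has already picked up or will pick up.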
Final Thoughts
The SecretPoint effect isn’t a single feature bug; it’s the convergence of default convenience settings, developer habits, and NHI sprawl. With attackers increasingly targeting collaboration platforms like SharePoint, ignoring this blind spot is no longer an option.
Secrets sprawl is the new attack surface and SharePoint is at its center.