
SecretPoint: How OneDrive Auto-Sync Turns SharePoint into a Hidden Secrets Vault

Published 11/14/2025

Written by Itzik Alvas, Entro Security.

One in every five exposed enterprise secrets originated from SharePoint.

It wasn’t the result of a zero-day or a sophisticated exploit. Instead, the exposure traced back to something far more ordinary — a default OneDrive auto-sync feature silently moving local files from user desktops into SharePoint. In this blog, we’ll unpack how this happens, why it matters, and what security teams can do about it.

The Silent Sync Problem

The issue doesn’t start with SharePoint itself — it begins with OneDrive for Business’s Known Folder Move (KFM) feature. Designed for user convenience, KFM automatically syncs key folders like Desktop and Documents to OneDrive, which, in enterprise environments, stores that data in SharePoint Online document libraries.

From a productivity standpoint, it’s ideal: users never lose their files and can access them from any device. From a security standpoint, it’s a silent disaster.

A local .env, config.json, or even the infamous “passwords.xlsx” file can easily end up synced to the cloud without the user ever realizing it. Once there, those files inherit SharePoint’s sharing model — meaning they can be accessed by team members or administrators, and in some cases, by anyone with the right permissions.

If an attacker compromises a Microsoft 365 account with OneDrive sync enabled, they don’t just gain access to email or Teams — they inherit all of that user’s “local” files as well.

Default by Design: When Backups Backfire

This risk isn’t limited to enterprise users. On Windows 10 and 11, OneDrive sync is enabled by default, even for personal accounts.

The first time a user signs in, OneDrive begins backing up their Desktop, Documents, and Pictures folders automatically. Most people only notice it once their 5 GB of free storage fills up — long after sensitive files have already been uploaded.

The opt-out prompt appears only once, during setup, and it’s framed as a “recommended step.” Most users click through without thinking. What looks like helpful automation becomes an unintentional security exposure.

What We Found

Our researchers analyzed thousands of SharePoint-related secrets across dozens of enterprise environments. While OneDrive auto-sync was the most common culprit, we also found secrets exposed through Microsoft 365 collaboration apps, such as files shared in Teams channels or group libraries.

Once synced or shared, these files lose their “personal” status and inherit cloud-wide visibility.

The Most Dangerous File Types

Our analysis revealed some consistent patterns:

  • Spreadsheets: Over 50% of exposed secrets came from .xlsx files — logs, trackers, or developer notes casually storing credentials.
  • Plain text and configs: .txt, .json, and .pem files accounted for 18% of exposures, often containing API keys, tokens, or private certificates.
  • Scripts and documents: PowerShell scripts, SQL dumps, Word documents, and even OneNote files occasionally stored plaintext secrets.

These aren’t malicious uploads — they’re everyday files synced for convenience. Once they reach SharePoint, a single compromised admin account can search for terms like “password,” “AWS,” or “token” and instantly surface sensitive data across the entire tenant.

When “Local” Isn’t Local Anymore

Security teams have long encouraged developers to store credentials in environment files rather than hardcoding them into source code. But on Windows, OneDrive auto-sync can quietly upload those same .env files to SharePoint.

A quick demonstration illustrates the point:

  1. A developer saves a Slack bot token in a .env file on their Desktop.
  2. OneDrive automatically syncs the file to the user’s OneDrive folder.
  3. That folder, in turn, syncs to SharePoint Online.
  4. Any admin (or attacker with admin privileges) can assign themselves access and read the file — in plaintext.

In real-world breaches, attackers automate this process. What we did manually with one file, they do at scale — harvesting secrets across entire tenants in minutes using Microsoft Graph API scripts.

Beyond Misconfiguration: Why This Matters

SharePoint has long been a favorite target for attackers. It sits at the intersection of identity, documents, and collaboration — a goldmine for lateral movement.

Recent campaigns, including the ToolShell zero-day (CVE-2025-53770), underscore the value of these systems. While that specific exploit targeted on-prem SharePoint servers, it highlights a consistent reality: attackers know how central SharePoint is to enterprise operations.

And the risk doesn’t end there. Microsoft’s newer sync behavior for Windows now allows personal Microsoft accounts to automatically connect to business devices, blurring the line between personal and corporate storage even further. Combine that with phishing (still the #1 initial attack vector), and a single compromised account can turn into a full-scale data-mining event.

Breaking the Sync-to-Secrets Chain

Convenience features like OneDrive auto-sync are here to stay — but that doesn’t mean organizations are powerless. Here’s how to prevent your “local backups” from becoming global exposures:

1. Raise awareness across teams.

Developers and users alike need to understand that their Desktop and Documents folders may be syncing to SharePoint by default.

2. Disable Known Folder Move where unnecessary.

Users can deselect key folders or redirect backups to non-sensitive directories.

3. Use policy controls to enforce protection.

Admins can deploy Group Policy or Intune configurations like DisableKnownFolderMove, DisablePersonalSync, and DisableNewAccountDetection to prevent risky sync behavior.

4. Scan SharePoint for secrets continuously.

Traditional secret scanners focus on code repositories and pipelines — not collaboration tools.

Use tools that integrate directly with SharePoint to detect, alert on, and remediate exposed secrets automatically, closing this critical visibility gap.
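As an added example (not code from Entro Security, CSA, or this post), the Python scanner below shows the detection logic behind this step for the file types listed earlier in the post: a column-aware rule for spreadsheet exports, where the header rather than a key=value pair is the signal; high-confidence token shapes (AWS access key ID prefix, Slack bot token prefix, PEM private key header); and a generic key=value rule for .env, .json and .txt files. It also handles two practical edge cases: placeholder values such as `changeme` or `${DB_PASSWORD}` are skipped so they do not flood alerts, and every finding carries only a masked preview so the scanner’s own output cannot become a second copy of the secret. The sample files, the token patterns, and the assumption that spreadsheets arrive as CSV exports (a real .xlsx would need a library such as openpyxl) are all constructed for illustration.

```python
"""Secret scanner for the file types that leak into SharePoint via OneDrive sync.
Added example; rules, paths and sample contents are constructed, not real data."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List

# Column headers that mark a credential column in a spreadsheet export.
SUSPECT_FIELDS = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)\b")

# Well-known token shapes: a recognisable prefix or header makes these
# high-confidence matches regardless of the surrounding text.
TOKEN_SHAPES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_bot_token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic key=value rule for .env/.json/.txt. No \b before the key name so that
# SLACK_TOKEN=... and DB_PASSWORD=... still match.
KEY_VALUE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\",]{6,})")

# Values that are obviously not live credentials; skipping them limits noise.
PLACEHOLDERS = {"changeme", "password", "redacted", "example"}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # masked; the full secret is never written into the output


def mask(value: str) -> str:
    """Keep only a 4-character prefix so an alert cannot itself become a leak."""
    return f"{value[:4]}…({len(value)} chars)" if len(value) > 4 else "…"


def is_placeholder(value: str) -> bool:
    v = value.strip().strip("<>{}[]").lower()
    return v in PLACEHOLDERS or v.startswith("your") or v.startswith("${")


def scan_text(path: str, text: str) -> List[Finding]:
    """Line-oriented scan for .env, .json, .txt, .pem and similar files."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        shape_hit = False
        for rule, pattern in TOKEN_SHAPES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, rule, mask(m.group(0))))
                shape_hit = True
        if shape_hit:
            continue  # a known token shape already explains this line
        m = KEY_VALUE.search(line)
        if m and not is_placeholder(m.group(2)):
            findings.append(Finding(path, lineno, "generic_credential", mask(m.group(2))))
    return findings


def scan_spreadsheet(path: str, text: str) -> List[Finding]:
    """Column-aware scan: the header names the credential column, and every
    non-placeholder value below it is a finding (CSV export assumed here)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    suspect_cols = [i for i, h in enumerate(header) if SUSPECT_FIELDS.search(h)]
    findings: List[Finding] = []
    for lineno, row in enumerate(reader, start=2):  # header was line 1
        for i in suspect_cols:
            if i < len(row) and row[i] and not is_placeholder(row[i]):
                findings.append(Finding(path, lineno, f"spreadsheet_column:{header[i]}", mask(row[i])))
    return findings


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_file(path: str, text: str) -> List[Finding]:
    return scan_spreadsheet(path, text) if extension(path) == "csv" else scan_text(path, text)


def count_by_extension(findings: List[Finding]) -> Dict[str, int]:
    """Per-file-type tally, the same breakdown the post reports for its dataset."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[extension(f.path)] = counts.get(extension(f.path), 0) + 1
    return counts


# Constructed sample files standing in for a synced Desktop/Documents tree.
SAMPLE_FILES = {
    "Desktop/passwords.csv": "system,username,password\nprod-db,admin,Tr0ub4dor&3\nstaging,svc,changeme\n",
    "Desktop/.env": "SLACK_TOKEN=xoxb-000000000000-constructed-example\nDB_PASSWORD=${DB_PASSWORD}\nAPP_NAME=demo\n",
    "Documents/deploy.json": '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"}\n',
    "Documents/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
    "Documents/notes.txt": "remember: api_key = <your-key-here>\n",
}


def scan_samples() -> List[Finding]:
    findings: List[Finding] = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_file(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line} [{f.rule}] {f.preview}")
    print(count_by_extension(scan_samples()))
```

Run against the constructed samples, the scanner reports four findings (the spreadsheet password column, the Slack token in `.env`, the AWS key ID in the JSON, and the PEM header) while ignoring the `changeme`, `${DB_PASSWORD}` and `<your-key-here>` placeholders. In a real deployment the same functions would be fed file contents pulled from SharePoint document libraries rather than the inline dictionary, and findings would be routed to a ticketing or alerting system with only the masked preview.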

Final Thoughts

The line between local and cloud storage has blurred. What used to be a private desktop file can now live, unprotected, across your entire Microsoft 365 tenant.

Auto-sync was built for convenience — but for security teams, it’s a hidden risk multiplier.

By understanding how data moves from endpoints to the cloud, and by monitoring collaboration platforms like SharePoint, organizations can stop secrets from slipping through the cracks — before an attacker finds them.
