A default auto-sync feature in Microsoft OneDrive automatically moves local files to SharePoint, creating a significant security risk by exposing sensitive data and secrets on a large scale.

Research from Entro Security highlights the severity of the issue, revealing that one in every five exposed secrets within an enterprise originates from files synced to SharePoint.

This unintended exposure stems from a OneDrive for Business feature called Known Folder Move (KFM).

Designed for convenience, KFM automatically syncs important user folders such as “Desktop” and “Documents” to OneDrive, which, in enterprise settings, stores the data in SharePoint Online document libraries.

While this ensures users can access their files from any device, it also creates a repository of sensitive information accessible to a broader audience than intended.

From Local Files To Cloud Exposure

The core of the problem is that files saved locally, including configuration files like .env or .json, and even spreadsheets named passwords.xlsx, are silently uploaded to the cloud.

Once on SharePoint, these files are no longer just personal documents; they become subject to the platform’s sharing and access policies.

This means they are always accessible to administrators, who can grant themselves permissions to read these synced files. Consequently, what begins as a local backup becomes a potential tenant-wide vulnerability.

This risk is not limited to enterprise accounts. On Windows 10 and 11, the OneDrive sync client is enabled by default for personal accounts as well.

Users often skip through the initial setup, where the option to opt out is presented as a “recommended step,” leading to their files being backed up without their full awareness.

Entro Security’s research into enterprise environments identified common patterns of secret exposure in SharePoint.

The research found that specific file types are particularly likely to contain unencrypted secrets:

• Spreadsheets (.xlsx): Over 50% of secrets found on SharePoint were located in workbooks used for tracking, logs, or as developer scratchpads.
  
• Plain Text Files: Files such as .txt, .json, and .pem accounted for 18% of the exposed secrets. These often contain configuration details or certificate bundles.
  
• Scripts and Documents: PowerShell scripts, SQL dumps, and Word documents also frequently contained credentials, demonstrating that almost any file can become a security risk when automatically synced.

“Entro Labs research found that nearly one in five exposed secrets came from SharePoint – not due to a CVE, but because of Microsoft’s everyday auto-sync feature”.

That’s what makes it so dangerous: even developers who follow best practices end up with secrets synced into the cloud, where attackers can easily find them.” Peleg Cabra, director of product marketing at Entro Security

This auto-sync functionality undermines a standard security best practice for developers, who store secrets in local .env files to avoid hardcoding them in source code.

With KFM enabled, these supposedly local-only files are synced to SharePoint, making them discoverable across the entire Microsoft 365 tenant.

The silent nature of this auto-sync feature significantly expands the potential damage of a security breach.

If an attacker compromises a single Microsoft 365 user account, they not only gain access to emails and applications but also to all the local files synced from the user’s computer.

For a compromised administrator account, the risk is even greater, as they can systematically search the entire SharePoint environment for sensitive data.

Attackers can automate searches for keywords like “password,” “API key,” or “token” to locate and exfiltrate secrets quickly.

To mitigate this risk, security experts recommend several actions. Organizations should raise awareness among employees, especially developers, about how their local files may be exposed.

Administrators can use Group Policy or Intune to disable the auto-sync feature where it is not necessary. 

security teams should implement solutions to continuously scan SharePoint environments for exposed secrets, detecting and remedying them before they can be exploited.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Microsoft OneDrive Auto-Sync Exposes Enterprise Secrets in SharePoint Online appeared first on Cyber Security News.

Google has announced the full general availability of client-side encryption (CSE) for Google Sheets. This significant upgrade gives organizations direct control over encryption keys and enhances data confidentiality within Google Workspace.

This move extends robust security features to spreadsheets, ensuring that sensitive data remains unreadable to Google, and addresses critical compliance and data portability needs for enterprise customers.

The update brings a comprehensive suite of features to encrypted spreadsheets. Users can now import, export, and decrypt client-side encrypted files directly within Sheets.

A significant highlight is the introduction of full interoperability with Microsoft Office formats; users can work with encrypted Excel files using Office editing mode and perform client-side conversions of Google Sheets to the Excel format.

This ensures seamless workflows for organizations that operate in hybrid software environments. Furthermore, the integration with Google Vault and Takeout allows for the secure export of encrypted files, supporting eDiscovery and data portability mandates without compromising security.

This enhancement is a direct response to the growing demand for stricter data governance and compliance in the enterprise sector. By placing encryption keys in the hands of the client, Google empowers organizations to meet rigorous industry standards.

Client-Side Encryption for Google Sheets

With CSE, the content of a file is encrypted in the user’s browser before any data is transmitted or stored in Google’s cloud storage.

This means that neither Google nor any third-party service provider can access the encrypted content, providing an essential layer of protection for financial data, personally identifiable information (PII), and other confidential business intelligence stored in spreadsheets.

For administrators, the feature is enabled by default for organizations that already have client-side encryption configured and can be managed at the organizational unit (OU) level.

Google provides dedicated tools to support these new capabilities, including a data export tool for Vault, a decrypter tool for offline file access, and a converter tool to change exported Google Sheets files into Microsoft Office formats.

For end-users, the experience is designed to be intuitive. They can convert an existing spreadsheet into an encrypted file by simply using the ‘Make a Copy’ option and selecting encryption.

The rollout for this feature began on September 4, 2025, for Rapid Release domains and will commence on September 18, 2025, for Scheduled Release domains, with a gradual release of up to 15 days for full visibility.

This advanced security feature is available to Google Workspace Enterprise Plus, Education Standard, and Plus, and Frontline Plus customers, solidifying Google’s commitment to providing secure, enterprise-grade collaboration tools.

Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free

The post Google Announces Full Availability of Client-Side Encryption for Google Sheets appeared first on Cyber Security News.