Shocking to see that many EDRs (corporate AVs) can easily be tricked! They should know better than to simply trust certain signed processes. Instead, they should be switching to a zero trust architecture; I'm sure they can figure this out without causing too many false positives. And about OneDrive, I would stay away from this crappy app, it somehow ruined my normal system folder structure, so now I've got two Documents, Downloads and Desktop folders, it's garbage! Never had this with Google Drive, and then I'm talking about the desktop apps. https://www.theregister.com/2023/08/10/microsoft_onedrive/
https://www.techradar.com/pro/micro...se-a-serious-security-threat-to-your-business So basically the target device would first have to be compromised for this OneDrive attack to be successfully pulled off. This is really nothing special and no different than any compromised device, where an attacker has freedom to do whatever they wish.
One thing that drove me crazy with OneDrive is that it made it so hard to back up my Documents. Microsoft wants you to store all your Docs in the Microsoft Cloud. I finally found the hidden setting that enabled me to simply drag and drop my Docs onto my other hard drives. My Docs still get stored automatically in the Cloud, against my wishes, but now my other hard drives have priority. Acadia
I think the point that they try to make is that AVs shouldn't blindly trust all known processes on the system. Let's say you download some app that seems to be perfectly legit, so your AV won't alert about it. But once you launch this app, it will inject code into OneDrive and make it encrypt files; now that's a serious problem. A truly smart behavior blocker would notice that something is seriously wrong.
OneDrive is crap, best thing to do is to disable it ASAP. I still don't understand how it messed up Windows Explorer on my system.