VYPR
breach · Published Mar 18, 2026 · Updated May 20, 2026 · 1 source

Misconfigured Spring Boot Actuator and Stolen Credentials Enable SharePoint Exfiltration via MFA Bypass

Attackers exploited a misconfigured Spring Boot Actuator endpoint and plaintext credentials in a spreadsheet to authenticate to SharePoint via the OAuth2 ROPC flow, bypassing MFA and exfiltrating data.

A recent incident detailed by Trend Micro researchers demonstrates how a chain of misconfigurations — an exposed Spring Boot Actuator endpoint, plaintext credentials stored in a spreadsheet, and abuse of the OAuth2 Resource Owner Password Credentials (ROPC) flow — allowed attackers to bypass multi-factor authentication (MFA) and exfiltrate data from SharePoint Online.

The attack began when the threat actor discovered that the target organization's Spring Boot Actuator endpoints were exposed without authentication. The `/env` and `/configprops` endpoints returned HTTP 200 responses, revealing sensitive configuration data. Although the password field was masked, the exposed information included the SharePoint service account username, the SharePoint host URL, and the configuration source file (`application.yml`). This reconnaissance confirmed the existence of a valid account and narrowed the attacker's focus.

In the second phase, investigators found that sensitive secrets for an internal Azure AD application — including the client ID, client secret, and secret ID — were stored in plaintext in a spreadsheet. These credentials, intended for application authentication, could be easily copied or leaked, bypassing any centralized secret management controls. With the client ID and client secret, anyone could impersonate the application and request tokens from Azure AD.

The critical third phase involved abuse of the OAuth2 ROPC flow. Unlike interactive authentication flows that redirect users to a login page and typically trigger MFA, ROPC allows an application to collect the username and password directly and send them to the identity provider. The attacker used the stolen client secret from the spreadsheet along with the SharePoint service account credentials to send an ROPC authentication request to Azure AD. After initial trial-and-error attempts with other applications, the attacker successfully obtained an access token, which was then used to access SharePoint Online and exfiltrate data.

Trend Micro's analysis highlights that the ROPC flow is inherently risky because it bypasses MFA entirely. The identity provider validates only the username and password, returning an access token without any additional verification. This makes stolen credentials far more dangerous when ROPC is enabled. The researchers recommend disabling ROPC where possible, enforcing Conditional Access policies, and applying least-privilege principles to reduce the blast radius.
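As an added defender-side example (not code from the Trend Micro report), the following Python scans Azure AD / Entra ID sign-in records for ROPC token grants that carried no MFA and for a single account attempting ROPC across several app registrations, the trial-and-error pattern described above. It assumes the Microsoft Graph signIn field names (`authenticationProtocol`, `authenticationRequirement`, `status.errorCode`); the log lines are constructed.

```python
"""Flag ROPC (password-grant) sign-ins in Entra ID sign-in logs.

Added example; the records below are constructed, not taken from the incident.
Field names follow the Microsoft Graph signIn resource (assumed schema).
"""
import json
from collections import defaultdict

# Constructed sample: one service account tries ROPC against three app
# registrations; the first two fail (non-zero errorCode), the third succeeds
# and is issued a token for SharePoint Online with single-factor auth only.
SAMPLE_LOG = """\
{"createdDateTime":"2026-03-01T10:00:05Z","userPrincipalName":"svc-sharepoint@example.test","appId":"app-A","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","resourceDisplayName":"Office 365 SharePoint Online","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-01T10:00:09Z","userPrincipalName":"svc-sharepoint@example.test","appId":"app-B","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","resourceDisplayName":"Office 365 SharePoint Online","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-01T10:00:14Z","userPrincipalName":"svc-sharepoint@example.test","appId":"app-C","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","resourceDisplayName":"Office 365 SharePoint Online","status":{"errorCode":0}}
{"createdDateTime":"2026-03-01T10:02:00Z","userPrincipalName":"alice@example.test","appId":"app-C","authenticationProtocol":"authorizationCodeFlow","authenticationRequirement":"multiFactorAuthentication","resourceDisplayName":"Office 365 SharePoint Online","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_ropc_alerts(records, app_spray_threshold=3):
    """Return alerts for (a) every successful ROPC grant, noting whether MFA
    was satisfied, and (b) users whose ROPC attempts (successful or not)
    span at least `app_spray_threshold` distinct app IDs."""
    alerts = []
    apps_by_user = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "ropc":
            continue  # interactive flows are out of scope for this check
        user = r["userPrincipalName"]
        apps_by_user[user].add(r["appId"])
        if r.get("status", {}).get("errorCode", 0) == 0:
            alerts.append({
                "type": "ropc_success", "user": user, "appId": r["appId"],
                "resource": r.get("resourceDisplayName"),
                "mfa": r.get("authenticationRequirement") == "multiFactorAuthentication",
            })
    for user, apps in apps_by_user.items():
        if len(apps) >= app_spray_threshold:
            alerts.append({"type": "ropc_multi_app", "user": user, "apps": sorted(apps)})
    return alerts


if __name__ == "__main__":
    for alert in find_ropc_alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```

A `ropc_success` alert with `"mfa": False` against a SharePoint resource is the event to investigate first; the `ropc_multi_app` alert surfaces the probing that preceded it.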

The incident underscores how simple misconfigurations — an unauthenticated Actuator endpoint and credentials stored in a spreadsheet — can combine to enable a full data compromise. Trend Micro's Cyber Risk Exposure Management (CREM) tool was highlighted as a valuable defense for identifying and correlating such risks. Organizations using Spring Boot are urged to restrict Actuator endpoints, remove secrets from configuration files, and review authentication flows to prevent similar attacks.

Synthesized by Vypr AI