Adversaries may be using known malware families to exfiltrate data or establish persistence through SharePoint, OneDrive, and Teams. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data compromise in their Azure Sentinel environment.
KQL Query
CloudAppEvents
| where ActionType == 'FileMalwareDetected' and isempty(UserAgent)
| project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
| summarize count() by tostring(RawinfoVirusInfo) | sort by count_
| render piechart
// | render columnchart // Uncomment to change the graph type
id: db287ba5-344a-4e43-a94f-26e686203598
name: File Malware by Top Malware Families (Anti Virus)
description: |
  This query visualises total malware detections for files located on SharePoint, OneDrive and Teams over time, summarizing the data by the malware families detected and focusing on built-in SharePoint AV detections.
description-detailed: |
  This query visualises total malware detections for files located on SharePoint, OneDrive and Teams over time, summarizing the data by the malware families detected and focusing on built-in SharePoint AV detections.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == 'FileMalwareDetected' and isempty(UserAgent)
  | project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
  | summarize count() by tostring(RawinfoVirusInfo) | sort by count_
  | render piechart
  // | render columnchart // Uncomment to change the graph type
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: A system administrator is performing a scheduled backup of SharePoint files using Microsoft Data Protection Manager (DPM).
Filter/Exclusion: Exclude files whose file system path contains Backup or DPM.
Scenario: A user downloads a legitimate Microsoft Office document (e.g., .docx) from OneDrive, which is then scanned by Microsoft Defender for Office 365 and flagged as a false positive.
Filter/Exclusion: Exclude files with the file extension .docx, .xlsx, or .pptx when detected by Microsoft Defender ATP.
Scenario: A PowerShell script is executed by a system administrator to automate report generation on Teams files, and the script is flagged as malware because of its execution pattern.
Filter/Exclusion: Exclude files whose file name or file system path contains PowerShell or PS1, or files executed via powershell.exe.
Scenario: A scheduled job cleans up temporary files in the SharePoint document library, and the cleanup process triggers a malware detection because of the temporary file names involved.
Filter/Exclusion: Exclude files whose file name or file system path contains temp, tmp, or ~.
Scenario: A third-party application (e.g., Microsoft Power Automate) uploads files to Teams as part of an automated workflow, and the file content is misclassified as malware.
Filter/Exclusion: Exclude files uploaded by the Power Automate service, or any file whose source IP falls within the Power Automate service IP range.
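The following is an added example, not part of the original query file or the Sentinel solution. It reuses the page's filter (ActionType == 'FileMalwareDetected' with an empty UserAgent) and the RawEventData.VirusInfo field, then adds what the description promises but the original query does not show: a per-day breakdown per malware family, with the backup/DPM false positive from the first scenario above handled as an auditable allowlist. It assumes CloudAppEvents carries the standard Timestamp column; the allowlist terms are constructed samples to be tuned per tenant.

```kql
// Added example; column names follow the page's query (CloudAppEvents,
// ActionType, UserAgent, ObjectName, RawEventData.VirusInfo).
// Assumption: the table exposes the standard Timestamp column.
let lookback = 30d;
// Constructed allowlist: path terms belonging to the scheduled DPM backup job
// (scenario 1 above). 'has_any' matches whole terms, so "Backup" matches
// "/Backup/report.docx" but not "BackupPlan.xlsx".
let BackupPathTerms = dynamic(["Backup", "DPM"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == 'FileMalwareDetected' and isempty(UserAgent)
| extend MalwareFamily = tostring(RawEventData.VirusInfo)
// Detections with no family name would otherwise vanish from the chart.
| extend MalwareFamily = iff(isempty(MalwareFamily), "Unknown", MalwareFamily)
// Keep the exclusion as a column rather than silently dropping rows, so the
// allowlist itself can be reviewed (remove the 'where' to audit what it hides).
| extend Allowlisted = ObjectName has_any (BackupPathTerms)
| where not(Allowlisted)
// One bucket per family per day gives the "over time" view the description mentions.
| summarize Detections = count(), SampleFiles = make_set(ObjectName, 3)
    by MalwareFamily, Day = bin(Timestamp, 1d)
| order by Day asc, Detections desc
// Swap the trailing project/render for a table when triaging individual files.
| project Day, MalwareFamily, Detections
| render timechart with (xcolumn=Day, ycolumns=Detections, series=MalwareFamily)
```

Dropping the final project and render returns the SampleFiles column, which gives a triage analyst up to three affected file names per family and day to pivot on.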