Adversaries may be distributing malicious files through SharePoint, OneDrive, or Teams, leveraging known malware families to compromise organizational data. SOC teams should proactively hunt for this behavior to identify potential data exfiltration attempts and reduce the risk of sensitive information being stolen.
KQL Query

```kql
CloudAppEvents
| where ActionType == 'FileMalwareDetected' and UserAgent =~ 'MS Scanner ATP'
| project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
| summarize count() by tostring(RawinfoVirusInfo) | sort by count_
| render piechart
// | render columnchart // Uncomment to change the graph type
```
```yaml
id: afd90d9e-f8f5-41c7-823a-616907392503
name: File Malware by Top Malware Families (Safe Attachments)
description: |
  This query visualises total malware detections of files located on SharePoint, OneDrive and Teams over time, summarizing the data by the malware families detected and focusing on Defender for Office 365 detections (detonations).
description-detailed: |
  This query visualises total malware detections of files located on SharePoint, OneDrive and Teams over time, summarizing the data by the malware families detected and focusing on Defender for Office 365 detections (detonations).
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == 'FileMalwareDetected' and UserAgent =~ 'MS Scanner ATP'
  | project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
  | summarize count() by tostring(RawinfoVirusInfo) | sort by count_
  | render piechart
  // | render columnchart // Uncomment to change the graph type
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
False positive scenarios

- Scenario: A system administrator uploads a known safe malware sample (e.g., a test file from Microsoft’s malware sandbox) to test the detection rule.
  Filter/Exclusion: Exclude files uploaded by users with the “System Administrator” role or files with the UserPrincipalName matching admin accounts.
- Scenario: A scheduled job runs a script that generates temporary files (e.g., tempfile.exe) for processing, which get flagged as malware.
  Filter/Exclusion: Exclude files with the FileHash matching known temporary files or files created by specific scheduled tasks (e.g., ScheduledTaskName = "DailyReportGeneration").
- Scenario: A user downloads a legitimate software update (e.g., from Microsoft Update or a trusted vendor) that is falsely identified as a known malware family.
  Filter/Exclusion: Exclude files with the FileHash matching known legitimate software or files downloaded from trusted domains (e.g., Domain = "update.microsoft.com").
- Scenario: A security tool (e.g., CrowdStrike Falcon or Microsoft Defender for Endpoint) performs a scan and generates a false positive detection of a benign file.
  Filter/Exclusion: Exclude files detected by specific security tools or files with a FileHash matching known false positives from those tools.
- Scenario: A user runs a legitimate diagnostic tool (e.g., Microsoft System File Checker or Windows Defender Offline scan) which contains a file flagged by the rule.
  Filter/Exclusion: Exclude files with the FileHash matching known diagnostic tools or files associated with system maintenance tasks (e.g., ProcessName = "sfc.exe" or ProcessName = "WindowsDefenderOfflineScan.exe").
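The following KQL is an added example, not the hunting query above or part of the Sentinel solution it references. It shows two things the page describes but does not implement: the per-day "over time" trend of malware families that the description mentions, and the allow-list style exclusions from the false-positive scenarios (the test-account scenario in particular) applied in the query rather than by dropping events. It assumes that `AccountId` in `CloudAppEvents` carries the uploader's UPN in your tenant; the `testAccounts` and `benignFamilies` allow-lists are constructed placeholders, and the EICAR detection name should be confirmed against your own events.

```kql
// Added example: a tuned, time-bucketed variant of the page's query. This is not
// the original hunting query or part of the Sentinel solution it references.
// Assumptions (adjust to your tenant): AccountId holds the uploader's UPN,
// and the two allow-lists below are constructed placeholders.
let lookback = 30d;
// Constructed allow-list of accounts that legitimately upload test samples
// (the "system administrator testing the rule" scenario). Placeholder UPNs.
let testAccounts = datatable(AccountUpn:string) [
    "secops-testing@example.com",
    "av-validation@example.com"
];
// Constructed allow-list of detection names treated as benign test hits.
// The EICAR name is the commonly seen Microsoft label; confirm against your own events.
let benignFamilies = dynamic(["Virus:DOS/EICAR_Test_File"]);
// Base set: same ActionType/UserAgent filter as the page's query, with the
// malware family pulled out of RawEventData and the exclusions applied.
let base = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == 'FileMalwareDetected' and UserAgent =~ 'MS Scanner ATP'
    | extend Family = tostring(RawEventData.VirusInfo)
    | where isnotempty(Family)
    | where AccountId !in~ (testAccounts)
    | where Family !in~ (benignFamilies);
// Rank families by volume and keep the five busiest so the chart stays readable.
let topFamilies = base
    | summarize Detections = count() by Family
    | top 5 by Detections desc
    | project Family;
// Daily detections per top family: the "over time" view the description promises.
// AffectedUsers stays in the table for triage; only Detections is charted.
base
| where Family in~ (topFamilies)
| summarize Detections = count(), AffectedUsers = dcount(AccountId)
    by Day = bin(Timestamp, 1d), Family
| render timechart with (xcolumn=Day, ycolumns=Detections, series=Family)
```

Keeping the exclusions as `let` allow-lists (or a watchlist in production) means the tuning is reviewable alongside the query and never hides detections from the underlying table; a sudden rise in `AffectedUsers` for one family, or a new family entering the top five, is the signal worth pivoting on with `ObjectName` and `AccountId`.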