Adversaries may be exfiltrating data or deploying malware through SharePoint, OneDrive, or Teams; file-based malware detections raised in those workloads are one signal of that activity. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data exfiltration early in the attack lifecycle.
KQL Query
```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
CloudAppEvents
| where Timestamp >= TimeStart
| where ActionType == 'FileMalwareDetected'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
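The trend chart above shows the daily total, but a hunter usually wants to know which workload spiked and on which day. The following query is an added example, not part of the original query or of the Sentinel solution it comes from: it keeps the same 30-day daily series, splits it per workload using the `Application` column of `CloudAppEvents`, and uses Kusto's `series_decompose_anomalies` to flag days whose detection count rises well above the baseline. The 1.5 anomaly threshold is an assumed starting point to tune against your own tenant's volume.

```kusto
// Added example: per-workload daily FileMalwareDetected counts with anomaly flags.
// Not part of the original query. Column names are from the CloudAppEvents schema;
// the 1.5 threshold is an assumed starting value.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
CloudAppEvents
| where Timestamp >= TimeStart
| where ActionType == 'FileMalwareDetected'
// One series per workload (SharePoint, OneDrive, Teams, ...) instead of a single total.
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Application
// Returns an anomaly flag (-1/0/+1), an anomaly score and the computed baseline per point.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5)
// Unpack the series so each row is one day for one workload.
| mv-expand Timestamp to typeof(datetime), Count to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
// Keep only upward spikes: days with more detections than the baseline predicts.
| where Anomalies > 0
| project Timestamp, Application, Count, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Timestamp desc, Count desc
```

Run this alongside the chart: a flagged day for a single workload is the point from which to pivot into the individual `FileMalwareDetected` rows (`ObjectName`, `AccountDisplayName`, `IPAddress`) for that day.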
```yaml
id: 71cdf9cb-39b7-40fe-a81f-2c125efc7d07
name: File Malware Detection Trend
description: |
  This query visualises the total number of files located on SharePoint, OneDrive and Teams with malware detections over time, summarising the data daily.
description-detailed: |
  This query visualises the total number of files located on SharePoint, OneDrive and Teams with malware detections over time, summarising the data daily.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  CloudAppEvents
  | where Timestamp >= TimeStart
  | where ActionType == 'FileMalwareDetected'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Scanning Files
Description: A scheduled backup job (e.g., Veeam, Commvault) scans files on SharePoint or OneDrive as part of its routine process, which may trigger malware detection due to file scanning behavior.
Filter/Exclusion: Exclude files accessed by backup tools like Veeam Backup & Replication or Commvault using the process.name field or user.account field with known backup service accounts.
Scenario: Admin Task for File Cleanup or Migration
Description: An administrator uses a tool like Microsoft Purge or PowerShell scripts to clean up or migrate files, which may be flagged as suspicious due to bulk file operations.
Filter/Exclusion: Exclude files accessed by admin accounts or processes with names like PowerShell.exe or Microsoft Purge using the process.name or user.account field.
Scenario: Automated Compliance Scan Using Microsoft Purge
Description: The Microsoft Purge tool is used to remove outdated files from SharePoint or OneDrive, which may be flagged as malware due to the nature of file deletion.
Filter/Exclusion: Exclude files accessed by Microsoft Purge using the process.name field or by checking the event_id or event_type associated with the purge operation.
Scenario: File Syncing Between OneDrive and SharePoint
Description: A file sync job (e.g., OneDrive sync client) synchronizes files between OneDrive and SharePoint, which may trigger malware detection due to the volume of file transfers.
Filter/Exclusion: Exclude files accessed by the OneDrive sync client using the process.name field (e.g., OneDrive.exe) or by checking the user.account field for known sync user accounts.
**Scenario: Third
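The scenarios above describe the exclusions in terms of `process.name` and `user.account` fields, but `CloudAppEvents` has no columns with those names; the usable equivalents are `AccountDisplayName` / `AccountObjectId` for the acting account, `UserAgent` for the client that performed the operation, and `Application` for the workload. The following query is an added example, not part of the original query or the Sentinel solution: it applies allow-list style exclusions for documented backup, migration and sync accounts using those real columns, then summarises what remains per day and workload. The account names and user-agent substrings are placeholders to be replaced with the organisation's own documented service accounts.

```kusto
// Added example: the malware-detection trend with documented benign sources excluded.
// Not part of the original query. Uses real CloudAppEvents columns; the account names
// and user-agent fragments below are placeholders, not values from this page.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Placeholder service accounts used by backup, migration or sync automation.
let ExcludedAccounts = dynamic(["svc-backup@contoso.example", "svc-migration@contoso.example"]);
// Placeholder user-agent fragments of backup/migration tooling. UserAgent can be empty
// for detections raised by the service itself, in which case this filter is a no-op.
let ExcludedAgents = dynamic(["Veeam", "Commvault"]);
CloudAppEvents
| where Timestamp >= TimeStart
| where ActionType == 'FileMalwareDetected'
// Case-insensitive account exclusion (service accounts are often mixed case in logs).
| where not(AccountDisplayName in~ (ExcludedAccounts))
// Exclude known tooling by user agent; has_any matches any term in the list.
| where not(UserAgent has_any (ExcludedAgents))
// What is left is the residual signal worth triaging, grouped per day and workload.
| summarize Detections = count(),
            DistinctAccounts = dcount(AccountObjectId),
            SourceIPs = dcount(IPAddress),
            SampleFiles = make_set(ObjectName, 10)
          by Day = bin(Timestamp, 1d), Application
| order by Day desc, Detections desc
```

Keep the exclusion lists short and reviewed: every account added to `ExcludedAccounts` is a blind spot, so a detection attributed to a service account should still be checked once before the account is excluded, and `DistinctAccounts` and `SourceIPs` in the output help spot a day where many unrelated users or addresses are involved rather than one automated job.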