Adversaries may leverage SharePoint, OneDrive, or Teams to store and execute malware, exploiting these cloud workloads as persistent or command-and-control channels. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data exfiltration tactics hidden within legitimate cloud storage environments.
KQL Query

```kusto
CloudAppEvents
| where ActionType == 'FileMalwareDetected'
| extend Appwithteams = iff(Application =~ 'Microsoft SharePoint Online', strcat(Application, ' / Teams Files'), Application)
| extend Appwithteams = trim_start('Microsoft', Appwithteams)
| summarize count() by Appwithteams
| sort by count_ desc
| render piechart
// | render columnchart // Uncomment to change the graph type
```
```yaml
id: 094a9823-e053-4b36-8678-cd70f048db91
name: Malware detections by Workload Type
description: |
  This query visualises the total number of malware detections for files stored in SharePoint, OneDrive and Teams, summarised by the workload in which the files are stored.
description-detailed: |
  This query visualises the total number of malware detections for files stored in SharePoint, OneDrive and Teams, summarised by the workload in which the files are stored.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == 'FileMalwareDetected'
  | extend Appwithteams = iff(Application =~ 'Microsoft SharePoint Online', strcat(Application, ' / Teams Files'), Application)
  | extend Appwithteams = trim_start('Microsoft', Appwithteams)
  | summarize count() by Appwithteams
  | sort by count_ desc
  | render piechart
  // | render columnchart // Uncomment to change the graph type
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Scanning SharePoint Files
Description: A scheduled backup job runs and scans SharePoint files for integrity checks, triggering malware detection alerts.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam Backup & Replication or Commvault by checking the ProcessName field for known backup executables.

Scenario: Admin Task for File Integrity Monitoring on OneDrive
Description: An admin task is configured to monitor OneDrive for file changes, which may include scanning files for malware.
Filter/Exclusion: Exclude processes related to Microsoft Endpoint Detection and Response (EDR) or Microsoft Defender for Office 365 by checking the ProcessName or User field for admin accounts or known EDR processes.

Scenario: Automated Compliance Scan on Teams Files
Description: A compliance tool runs an automated scan on Teams files to ensure they meet regulatory standards, which may include malware scanning.
Filter/Exclusion: Exclude processes associated with Microsoft Purview Compliance Manager or Microsoft 365 Compliance Center by checking the ProcessName or User field for compliance-related services.

Scenario: User-Initiated File Scan Using Microsoft Defender
Description: A user manually scans a file stored in SharePoint or OneDrive using Microsoft Defender, which can generate false positives.
Filter/Exclusion: Exclude scans initiated by the Microsoft Defender process (MsDefender.exe) or use the ProcessName field to filter out known security tool processes.

Scenario: Third-Party Sync Tool Scanning Files in Teams
Description: A third-party sync tool (e.g., Syncthing, Resilio Sync) scans files stored in Teams for synchronization, which may trigger malware detection.
Filter/Exclusion: Exclude