M365 OneDrive/SharePoint Excessive File Downloads
Identifies when an excessive number of files are downloaded from OneDrive or SharePoint by an authorized user or application in a short period of time. This may indicate a potential data exfiltration event, especially if the downloads are performed using OAuth authentication which could suggest an OAuth phishing attack such as Device Code Authentication phishing.
Elastic rule
[metadata]
creation_date = "2025/02/19"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/24"

[rule]
author = ["Elastic"]
description = """
Identifies when an excessive number of files are downloaded from OneDrive or SharePoint by an authorized user or application in a short period of time. This may indicate a potential data exfiltration event, especially if the downloads are performed using OAuth authentication which could suggest an OAuth phishing attack such as Device Code Authentication phishing.
"""
false_positives = [
    """
    Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are
    authorized and the user is known before taking action.
    """,
]
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "M365 OneDrive/SharePoint Excessive File Downloads"
note = """## Triage and Analysis

### Investigating M365 OneDrive/SharePoint Excessive File Downloads

This rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.

This rule leverages ESQL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.

#### Possible Investigation Steps

- Review the user ID field to identify the user who performed the downloads. Check if this user typically downloads large amounts of data from OneDrive.
- Correlate user ID with Entra Sign-In logs to verify the authentication method used and determine if it was expected for this user.
- Review the authentication method used. If OAuth authentication was used, investigate whether it was expected for this user.
- Identify the client application used for authentication. Determine if it is a legitimate enterprise-approved app or an unauthorized third-party application.
- Check the number of unique files downloaded. If a user downloads a high volume of unique files in a short period, it may indicate data exfiltration.
- Analyze the file types and directories accessed to determine if sensitive or confidential data was involved.
- Investigate the source IP address and geolocation of the download activity. If it originates from an unusual or anonymized location, further scrutiny is needed.
- Review other recent activities from the same user, such as file access, sharing, or permission changes, that may indicate further compromise.
- Check for signs of session persistence using OAuth. If Azure sign-in logs are correlated where `authentication_protocol` or `originalTransferMethod` field shows `deviceCode`, the session was established through device code authentication.
- Look for multiple authentication attempts from different devices or locations within a short timeframe, which could indicate unauthorized access.
- Investigate if other OAuth-related anomalies exist, such as consent grants for unfamiliar applications or unexpected refresh token activity.
- Review the `file.directory` value from the original documents to identify the specific folders or paths where the files were downloaded.
- Examine if the downloaded files are from SharePoint or OneDrive by checking the `event.code` field.
- Review the incoming token type to determine how authentication occurred. If the `token.id` field is populated, it indicates that OAuth authentication was used, which may suggest an OAuth phishing attack.

### False Positive Analysis

- Verify if the user regularly downloads large batches of files as part of their job function.
- Determine if the downloads were triggered by an authorized automated process, such as a data backup or synchronization tool.
- Confirm if the detected OAuth application is approved for enterprise use and aligns with expected usage patterns.

### Response and Remediation

- If unauthorized activity is confirmed, revoke the OAuth token used and terminate active OneDrive sessions.
- Reset the affected user's password and require reauthentication to prevent continued unauthorized access.
- Restrict OAuth app permissions and enforce conditional access policies to limit authentication to trusted devices and applications.
- Monitor for additional signs of compromise, such as unusual email forwarding rules, external sharing of OneDrive files, or privilege escalation attempts.
- Educate users on OAuth phishing risks and encourage the use of **Microsoft Defender for Office 365 Safe Links** to mitigate credential-based attacks.
- Enable continuous monitoring for OAuth authentication anomalies using **Microsoft Entra ID sign-in logs** and security tools.
"""
references = [
    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
    "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",
]
risk_score = 47
rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Storage",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Data Source: SharePoint",
    "Data Source: OneDrive",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-o365.audit-* metadata _id, _version, _index
| where
    event.dataset == "o365.audit" and
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and
    event.outcome == "success"
    and (user.id is not null and o365.audit.ApplicationId is not null)
    and o365.audit.ApplicationId not in (
        "08e18876-6177-487e-b8b5-cf950c1e598c", // SharePoint Online Web Client Extensibility
        "fb8d773d-7ef8-4ec0-a117-179f88add510", // Enterprise Copilot Platform
        "d3590ed6-52b3-4102-aeff-aad2292ab01c", // Microsoft Office
        "7ab7862c-4c57-491e-8a45-d52a7e023983"  // App Service
    )
| eval session.id = coalesce(o365.audit.AppAccessContext.AADSessionId, session.id, null)
| where session.id is not null
| eval Esql.time_window_date_trunc = date_trunc(3 minutes, @timestamp)
| stats
    Esql.file_directory_values = values(file.directory),
    Esql.file_extension_values = values(file.extension),
    Esql.application_name_values = values(application.name),
    Esql.file_name_count_distinct = count_distinct(file.name),
    Esql.total_file_size_mb = round((mv_sum(values(file.size))) / 1048576.0, 2),
    Esql.o365_audit_Site_values = values(o365.audit.Site),
    Esql.o365_audit_SiteUrl_values = values(o365.audit.SiteUrl),
    Esql.user_domain_values = values(user.domain),
    Esql.token_id_values = values(token.id),
    Esql.event_code_values = values(event.code),
    Esql.event_provider_values = values(event.provider),
    Esql.auth_type_values = values(o365.audit.AuthenticationType),
    Esql.is_managed_device_values = values(o365.audit.IsManagedDevice),
    Esql.platform_values = values(o365.audit.Platform),
    Esql.user_agent_values = values(user_agent.name),
    Esql.source_asn_org_values = values(source.as.organization.name),
    Esql.geo_country_values = values(source.geo.country_name),
    Esql.event_count = count(*)
    by
    Esql.time_window_date_trunc,
    user.id,
    session.id,
    source.ip,
    o365.audit.ApplicationId
| where Esql.file_name_count_distinct >= 25
| keep
    Esql.*,
    user.id,
    source.ip,
    o365.audit.ApplicationId,
    session.id
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
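The query's logic, as an added example that is not the rule's own code: a plain-Python re-implementation of the filter, the `session.id` coalescing, the 3-minute bucketing, the grouping key and the 25-distinct-file threshold, run over constructed o365.audit-style events so the aggregation can be stepped through offline. The user names, source IP and the `PLACEHOLDER-APP` application ID are assumptions; the excluded IDs, window and threshold are the rule's. It also mirrors a subtlety of `Esql.total_file_size_mb`: ESQL `values()` returns distinct values, so `mv_sum(values(file.size))` adds each distinct size once rather than once per download.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constants copied from the rule's query: excluded application IDs, 3-minute window, 25-file threshold.
EXCLUDED_APP_IDS = {
    "08e18876-6177-487e-b8b5-cf950c1e598c",  # SharePoint Online Web Client Extensibility
    "fb8d773d-7ef8-4ec0-a117-179f88add510",  # Enterprise Copilot Platform
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office
    "7ab7862c-4c57-491e-8a45-d52a7e023983",  # App Service
}
REQUIRED = {"event.dataset": "o365.audit", "event.provider": "OneDrive",
            "event.action": "FileDownloaded", "event.outcome": "success"}
WINDOW, THRESHOLD = timedelta(minutes=3), 25
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
def bucket(ts):  # equivalent of date_trunc(3 minutes, @timestamp)
    return EPOCH + ((ts - EPOCH) // WINDOW) * WINDOW
def detect_excessive_downloads(events, threshold=THRESHOLD):
    """Re-implement the rule's filter, session.id coalescing, grouping and threshold."""
    groups = defaultdict(lambda: {"files": set(), "sizes": set(), "count": 0})
    for e in events:
        app_id = e.get("o365.audit.ApplicationId")
        if (any(e.get(k) != v for k, v in REQUIRED.items()) or e.get("user.id") is None
                or app_id is None or app_id in EXCLUDED_APP_IDS):
            continue
        # eval session.id = coalesce(AADSessionId, session.id, null); rows still null are dropped
        session_id = e.get("o365.audit.AppAccessContext.AADSessionId") or e.get("session.id")
        if session_id is None:
            continue
        g = groups[(bucket(e["@timestamp"]), e["user.id"], session_id, e.get("source.ip"), app_id)]
        g["files"].add(e["file.name"])
        g["sizes"].add(e["file.size"])  # ESQL values() is distinct, so the rule's mv_sum adds distinct sizes
        g["count"] += 1
    alerts = []
    for (window, user, session, ip, app_id), g in groups.items():
        if len(g["files"]) >= threshold:  # where Esql.file_name_count_distinct >= 25
            alerts.append({"window": window, "user.id": user, "session.id": session, "source.ip": ip,
                           "o365.audit.ApplicationId": app_id, "file_name_count_distinct": len(g["files"]),
                           "total_file_size_mb": round(sum(g["sizes"]) / 1048576.0, 2), "event_count": g["count"]})
    return alerts
def sample_events():
    """Constructed sample events (not real telemetry); 'PLACEHOLDER-APP' stands in for an unknown OAuth client."""
    base = datetime(2025, 2, 19, 10, 0, tzinfo=timezone.utc)
    def ev(i, user, app, name, size):
        return {"@timestamp": base + timedelta(seconds=4 * i), **REQUIRED, "user.id": user,
                "o365.audit.ApplicationId": app, "session.id": f"sess-{user}", "source.ip": "203.0.113.10",
                "o365.audit.AppAccessContext.AADSessionId": None, "file.name": name, "file.size": size}
    bulk = [ev(i, "alice", "PLACEHOLDER-APP", f"doc-{i % 28}.docx", 100000 + 1000 * i) for i in range(30)]
    office = [ev(i, "bob", "d3590ed6-52b3-4102-aeff-aad2292ab01c", f"x-{i}.xlsx", 50000) for i in range(40)]
    small = [ev(i, "carol", "PLACEHOLDER-APP", f"n-{i}.txt", 1000) for i in range(5)]
    return bulk + office + small
```

With the constructed input only `alice` alerts: 30 downloads of 28 distinct names inside one 3-minute bucket; `bob`'s 40 downloads are dropped by the Microsoft Office exclusion and `carol` stays under the threshold.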