M365 OneDrive Excessive File Downloads with OAuth Token
Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/02/19"
integration = ["o365"]
maturity = "production"
min_stack_comments = "ES|QL in technical preview"
min_stack_version = "8.13.0"
updated_date = "2025/02/19"

[rule]
author = ["Elastic"]
description = """
Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may
conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download
files from OneDrive.
"""
false_positives = [
    """
    Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are
    authorized and the user is known before taking action.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "M365 OneDrive Excessive File Downloads with OAuth Token"
note = """## Triage and Analysis

### Investigating M365 OneDrive Excessive File Downloads with OAuth Token

This rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.

This rule leverages ES|QL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.

#### Possible Investigation Steps

- Review the `o365.audit.UserId` field to identify the user who performed the downloads. Check if this user typically downloads large amounts of data from OneDrive.
- Correlate `o365.audit.UserId` with Entra Sign-In logs to verify the authentication method used and determine if it was expected for this user.
- Review the authentication method used. If OAuth authentication was used, investigate whether it was expected for this user.
- Identify the client application used for authentication. Determine if it is a legitimate enterprise-approved app or an unauthorized third-party application.
- Check the number of unique files downloaded. If a user downloads a high volume of unique files in a short period, it may indicate data exfiltration.
- Analyze the file types and directories accessed to determine if sensitive or confidential data was involved.
- Investigate the source IP address and geolocation of the download activity. If it originates from an unusual or anonymized location, further scrutiny is needed.
- Review other recent activities from the same user, such as file access, sharing, or permission changes, that may indicate further compromise.
- Check for signs of session persistence using OAuth. If Azure sign-in logs are correlated where the `authentication_protocol` or `originalTransferMethod` field shows `deviceCode`, the session was established through device code authentication.
- Look for multiple authentication attempts from different devices or locations within a short timeframe, which could indicate unauthorized access.
- Investigate if other OAuth-related anomalies exist, such as consent grants for unfamiliar applications or unexpected refresh token activity.
- Review the `file.directory` value from the original documents to identify the specific folders or paths where the files were downloaded.

### False Positive Analysis

- Verify if the user regularly downloads large batches of files as part of their job function.
- Determine if the downloads were triggered by an authorized automated process, such as a data backup or synchronization tool.
- Confirm if the detected OAuth application is approved for enterprise use and aligns with expected usage patterns.

### Response and Remediation

- If unauthorized activity is confirmed, revoke the OAuth token used and terminate active OneDrive sessions.
- Reset the affected user's password and require reauthentication to prevent continued unauthorized access.
- Restrict OAuth app permissions and enforce conditional access policies to limit authentication to trusted devices and applications.
- Monitor for additional signs of compromise, such as unusual email forwarding rules, external sharing of OneDrive files, or privilege escalation attempts.
- Educate users on OAuth phishing risks and encourage the use of **Microsoft Defender for Office 365 Safe Links** to mitigate credential-based attacks.
- Enable continuous monitoring for OAuth authentication anomalies using **Microsoft Entra ID sign-in logs** and security tools.
"""
references = [
    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
]
risk_score = 47
rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: SharePoint",
    "Data Source: OneDrive",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-o365.audit-*
| WHERE @timestamp > now() - 14 day
| WHERE
    event.dataset == "o365.audit" and

    // filter on files downloaded from OneDrive
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and

    // filter on OAuth authentication which encompasses device code workflow
    o365.audit.AuthenticationType == "OAuth"
    and event.outcome == "success"
// bucket download events by 1 minute
| EVAL target_time_window = DATE_TRUNC(1 minutes, @timestamp)
| KEEP target_time_window, o365.audit.UserId, file.name, source.ip

// aggregate on unique file names and download attempts per user and source IP
| STATS unique_file_count = count_distinct(file.name), download_attempt_count = count(*) BY target_time_window, o365.audit.UserId, source.ip

// adjustable range for "excessive" unique files that were downloaded
| WHERE unique_file_count >= 25
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
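The following is an added worked example, not part of the Elastic rule above. It re-implements the ES|QL pipeline in plain Python so the aggregation can be traced on a handful of constructed events: filter successful OAuth `FileDownloaded` events from OneDrive, truncate timestamps to 1-minute windows, group by window, `o365.audit.UserId` and `source.ip`, count distinct `file.name` values, and keep buckets at or over the threshold of 25. It then performs the triage step from the investigation guide, matching an alert bucket against Entra sign-in records whose `authentication_protocol` or `originalTransferMethod` reads `deviceCode`. All events are constructed sample data; the sign-in record layout (`user`, `source.ip`, `@timestamp` plus the two protocol fields) and the `FormsCookieAuth` value are assumptions made for the example, not something the rule defines.

```python
"""Added example: Python mirror of the rule's ES|QL aggregation plus the
device-code sign-in correlation from the triage guide. Not Elastic's code."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 25                  # rule's "excessive" unique-file threshold
WINDOW = timedelta(minutes=1)   # rule's DATE_TRUNC(1 minutes, @timestamp)


def _bucket(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 1-minute window (DATE_TRUNC)."""
    return ts.replace(second=0, microsecond=0)


def excessive_downloads(events, threshold=THRESHOLD):
    """Mirror of the ES|QL query: WHERE filters, EVAL/KEEP, STATS ... BY, WHERE."""
    files = defaultdict(set)      # (window, user, ip) -> distinct file names
    attempts = defaultdict(int)   # (window, user, ip) -> count(*)
    for e in events:
        if not (e.get("event.dataset") == "o365.audit"
                and e.get("event.provider") == "OneDrive"
                and e.get("event.action") == "FileDownloaded"
                and e.get("o365.audit.AuthenticationType") == "OAuth"
                and e.get("event.outcome") == "success"):
            continue
        key = (_bucket(e["@timestamp"]), e["o365.audit.UserId"], e["source.ip"])
        files[key].add(e["file.name"])
        attempts[key] += 1
    alerts = []
    for key, names in files.items():
        if len(names) >= threshold:   # the adjustable "excessive" cut-off
            window, user, ip = key
            alerts.append({"target_time_window": window, "o365.audit.UserId": user,
                           "source.ip": ip, "unique_file_count": len(names),
                           "download_attempt_count": attempts[key]})
    return alerts


def device_code_sessions(alert, signins, lookback=timedelta(hours=24)):
    """Triage step: sign-ins for the alert's user and source IP, within `lookback`
    of the window, where either protocol field indicates device code auth."""
    start = alert["target_time_window"] - lookback
    end = alert["target_time_window"] + WINDOW
    return [s for s in signins
            if s["user"] == alert["o365.audit.UserId"]
            and s["source.ip"] == alert["source.ip"]
            and start <= s["@timestamp"] <= end
            and "deviceCode" in (s.get("authentication_protocol"),
                                 s.get("originalTransferMethod"))]


# ---- constructed sample data (not real tenant logs) ----
T0 = datetime(2025, 2, 19, 10, 0, tzinfo=timezone.utc)


def _dl(user, ip, name, sec, auth="OAuth", outcome="success"):
    """Build one constructed o365.audit FileDownloaded document."""
    return {"@timestamp": T0 + timedelta(seconds=sec), "event.dataset": "o365.audit",
            "event.provider": "OneDrive", "event.action": "FileDownloaded",
            "event.outcome": outcome, "o365.audit.AuthenticationType": auth,
            "o365.audit.UserId": user, "file.name": name, "source.ip": ip}


SAMPLE_AUDIT = (
    # 30 OAuth downloads of 26 distinct files inside one minute: should alert
    [_dl("alice@example.com", "203.0.113.5", f"report-{i % 26}.xlsx", i) for i in range(30)]
    # same volume but a non-OAuth auth type (constructed value): ignored by the rule
    + [_dl("bob@example.com", "198.51.100.7", f"deck-{i}.pptx", i, auth="FormsCookieAuth")
       for i in range(30)]
    # small OAuth batch, under the threshold
    + [_dl("carol@example.com", "192.0.2.9", f"doc-{i}.docx", i) for i in range(5)]
)

SAMPLE_SIGNINS = [  # constructed Entra sign-in records
    {"user": "alice@example.com", "source.ip": "203.0.113.5",
     "@timestamp": T0 - timedelta(minutes=40), "authentication_protocol": "deviceCode"},
    {"user": "alice@example.com", "source.ip": "203.0.113.5",
     "@timestamp": T0 - timedelta(days=3), "authentication_protocol": "deviceCode"},
    {"user": "carol@example.com", "source.ip": "192.0.2.9",
     "@timestamp": T0 - timedelta(minutes=5), "originalTransferMethod": "deviceCode"},
]

if __name__ == "__main__":
    for a in excessive_downloads(SAMPLE_AUDIT):
        print(a)
        print("  device code sign-ins:", device_code_sessions(a, SAMPLE_SIGNINS))
```

Only Alice's bucket survives: Bob matches the volume but not the `OAuth` filter, and Carol stays under the threshold. The 24-hour lookback in `device_code_sessions` is an example choice; the guide does not prescribe a correlation window, so tune it to how long OAuth sessions live in the tenant.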