Adversaries may use OneDrive or SharePoint to exfiltrate data or deliver malicious payloads by leveraging file sharing tactics. SOC teams should proactively hunt for this behavior to detect potential business email compromise (BEC) attacks that exploit cloud storage for lateral movement or data theft.
KQL Query

```kusto
let securelinkCreated = CloudAppEvents
| where ActionType == "SecureLinkCreated"
| project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
| where isnotempty(ObjectName)
| distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure link created recently: keep shares made within 1 day after link creation.
// between() is an inclusive lower..upper range, so it must be written 0h .. 1d.
| where (Timestamp - FileCreatedTime) between (0h .. 1d)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20
```
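As an added example that is not part of the Sentinel rule or the Microsoft post it cites, the Python below mirrors the correlation the KQL performs (SecureLinkCreated joined to AddedToSecureLink, Guest recipients only, 1-day window, distinct-recipient threshold) and runs it offline over constructed CloudAppEvents-like records; the file paths, guest addresses and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

APPS = {"Microsoft SharePoint Online", "Microsoft OneDrive for Business"}

def guest_mass_share_hunt(events, threshold=20, window=timedelta(days=1)):
    """Mirror of the KQL above: files with a SecureLinkCreated event that were then
    AddedToSecureLink for >= threshold distinct Guest users within `window` after
    link creation. Returns {FileShared: NumofUsersSharedWith}."""
    created = defaultdict(list)   # securelinkCreated: ObjectName -> [FileCreatedTime]
    for e in events:
        if e["ActionType"] == "SecureLinkCreated" and e.get("ObjectName"):
            created[e["ObjectName"]].append(datetime.fromisoformat(e["Timestamp"]))
    guests = defaultdict(set)     # FileShared -> {UserSharedWith}
    for e in events:
        raw = e.get("RawEventData", {})
        if (e["ActionType"] != "AddedToSecureLink" or e["Application"] not in APPS
                or raw.get("TargetUserOrGroupType") != "Guest"):
            continue
        fname, user = raw.get("ObjectId"), raw.get("TargetUserOrGroupName")
        if not fname or not user or fname not in created:  # FileShared in (filesCreated)
            continue
        ts = datetime.fromisoformat(e["Timestamp"])
        # inner join on ObjectName, keeping shares made 0h..1d after link creation
        if any(timedelta(0) <= ts - c <= window for c in created[fname]):
            guests[fname].add(user)
    return {f: len(u) for f, u in guests.items() if len(u) >= threshold}

def make_event(ts, action, obj="", app="Microsoft SharePoint Online", **raw):
    """Constructed CloudAppEvents-like record (only the columns the query reads)."""
    return {"Timestamp": ts, "ActionType": action, "Application": app,
            "ObjectName": obj, "RawEventData": raw}

INVOICE, OLD = "/sites/fin/Invoice.pdf", "/sites/hr/Old.docx"   # constructed paths
SAMPLE_EVENTS = (
    [make_event("2024-10-08T09:00:00", "SecureLinkCreated", obj=INVOICE)]
    # 25 distinct guests added within the hour: should be flagged
    + [make_event(f"2024-10-08T10:{i:02d}:00", "AddedToSecureLink", ObjectId=INVOICE,
                  TargetUserOrGroupName=f"guest{i}@example.net", TargetUserOrGroupType="Guest")
       for i in range(25)]
    # internal Member recipient: not a Guest, so not counted
    + [make_event("2024-10-08T11:00:00", "AddedToSecureLink", ObjectId=INVOICE,
                  TargetUserOrGroupName="alice@example.com", TargetUserOrGroupType="Member")]
    # link created a week earlier: 30 guests, but outside the 1-day window
    + [make_event("2024-10-01T09:00:00", "SecureLinkCreated", obj=OLD)]
    + [make_event(f"2024-10-08T12:{i:02d}:00", "AddedToSecureLink", ObjectId=OLD,
                  TargetUserOrGroupName=f"g{i}@example.net", TargetUserOrGroupType="Guest")
       for i in range(30)]
)
```

Calling `guest_mass_share_hunt(SAMPLE_EVENTS)` returns `{'/sites/fin/Invoice.pdf': 25}`: the stale link and the Member recipient are dropped exactly as the KQL's window and Guest filters drop them.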
```yaml
id: cf8d2c27-8310-4b13-b135-1ba59ae0a3a2
name: BEC - File sharing tactics - OneDrive or SharePoint
description: |
  This query helps hunt for BEC - File sharing tactics - OneDrive or SharePoint
description-detailed: |
  This query helps hunt for BEC - File sharing tactics - OneDrive or SharePoint.
  It highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding it can help identify lateral movement and BEC attacks.
  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - LateralMovement
relevantTechniques:
  - T1021
query: |
  let securelinkCreated = CloudAppEvents
  | where ActionType == "SecureLinkCreated"
  | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
  let filesCreated = securelinkCreated
  | where isnotempty(ObjectName)
  | distinct tostring(ObjectName);
  CloudAppEvents
  | where ActionType == "AddedToSecureLink"
  | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
  | extend FileShared = tostring(RawEventData.ObjectId)
  | where FileShared in (filesCreated)
  | extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
  | extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
  | where TypeofUserSharedWith == "Guest"
  | where isnotempty(FileShared) and isnotempty(UserSharedWith)
  | join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
  // Secure link created recently: keep shares made within 1 day after link creation.
  // between() is an inclusive lower..upper range, so it must be written 0h .. 1d.
  | where (Timestamp - FileCreatedTime) between (0h .. 1d)
  | summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
  | where NumofUsersSharedWith >= 20
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Benign scenarios that can trigger this query, with suggested exclusions. The field names below are written generically (process, user and file attributes) and must be mapped onto CloudAppEvents columns such as AccountDisplayName, Application and ObjectName before they can be applied to this query.

Scenario: Scheduled backup job to OneDrive
Description: A legitimate scheduled backup process uploads files to OneDrive as part of a data protection strategy.
Filter/Exclusion: process.name != "backup.exe" AND process.name != "onedrive.exe" (an OR of two inequalities is always true and excludes nothing), or check for file.path containing "backup" or "restore".

Scenario: Admin user sharing files via SharePoint for collaboration
Description: An admin shares a document library with a team via SharePoint to facilitate project collaboration.
Filter/Exclusion: user.account != "admin_account", or check for user.role containing "admin" or "IT".

Scenario: Automated file sync using Microsoft OneDrive Sync Client
Description: A company uses the OneDrive Sync Client to synchronize files between local machines and the cloud.
Filter/Exclusion: process.name != "OneDrive.exe", or check for file.path containing "sync" or "onedrive_sync".

Scenario: Temporary file sharing for internal review
Description: A team shares a file via SharePoint for internal review before finalizing a document.
Filter/Exclusion: file.name containing "review" or "draft", or check for file.extension like .docx or .pdf.

Scenario: System-generated file transfer via OneDrive for compliance
Description: A compliance tool automatically transfers files to OneDrive for audit purposes.
Filter/Exclusion: process.name != "compliance_tool.exe", or check for file.path containing "audit" or "compliance".