Adversaries may leverage SharePoint, OneDrive, or Teams to store and execute malware, exploiting the widespread use of these platforms to evade traditional detection. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data exfiltration tactics hidden within legitimate cloud storage environments.
KQL Query

```kql
CloudAppEvents
| where ActionType == 'FileMalwareDetected'
| project location=(split(RawEventData.SiteUrl, '/')[4])
| summarize count() by tostring(location)
| sort by count_ desc
| render columnchart
```
```yaml
id: bb6afb85-8e80-4c98-b73b-c2c821528a1c
name: Malware detections by Workload Locations
description: |
  This query visualises the total number of malware detections on files stored in SharePoint, OneDrive and Teams, summarised by the location in which they are stored.
description-detailed: |
  This query visualises the total number of malware detections on files stored in SharePoint, OneDrive and Teams, summarised by the location in which they are stored.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == 'FileMalwareDetected'
  | project location=(split(RawEventData.SiteUrl, '/')[4])
  | summarize count() by tostring(location)
  | sort by count_ desc
  | render columnchart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job to SharePoint
Description: A nightly backup job uploads files to a SharePoint document library as part of a standard data protection process.
Filter/Exclusion: Exclude files uploaded by the backup tool Veeam Backup & Replication to the SharePoint location Backup-SharePoint-Dev.
Scenario: Admin Task to OneDrive for Compliance
Description: An admin manually uploads sensitive files to OneDrive for compliance purposes, triggering a malware detection due to file type or content scan.
Filter/Exclusion: Exclude files uploaded by the admin user ComplianceAdmin to the OneDrive folder Compliance-Files.
Scenario: Teams File Sync with External Storage
Description: A Teams user syncs files from an external storage system (e.g., NAS) to a Teams channel, which is then scanned by the endpoint protection tool.
Filter/Exclusion: Exclude files synced via the Teams client to the location Teams-Shared-Storage with the file extension .zip or .tar.
Scenario: Automated Reporting Job to SharePoint
Description: A reporting tool (e.g., Power BI) generates reports and uploads them to a SharePoint site as part of an automated process.
Filter/Exclusion: Exclude files uploaded by the service account PowerBI-Service to the SharePoint folder Reports-Dev.
Scenario: User-Initiated File Upload to Teams
Description: A user uploads a file (e.g., a PDF or Word document) to a Teams channel, which is then scanned by the endpoint protection system.
Filter/Exclusion: Exclude files uploaded by users in the group IT-Staff to the Teams location IT-Resources.
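To sanity-check the query logic and the tuning above outside the portal, here is an added Python replica (not part of the original hunting query or the Sentinel solution) that applies the same `split(SiteUrl, '/')[4]` location extraction and count-by-location aggregation to constructed CloudAppEvents-style rows, with one of the scenario exclusions applied. The row shape and the use of `AccountDisplayName` as the acting identity are assumptions for the sample data.

```python
"""Offline replica of 'Malware detections by Workload Locations' with tuning.
Added example, not the original query. Input rows mimic exported CloudAppEvents
records; field names beyond ActionType/RawEventData.SiteUrl are assumed."""
from collections import Counter

# Constructed sample rows, not real telemetry. RawEventData mirrors the
# Office 365 audit record; AccountDisplayName is the acting user or service.
SAMPLE_EVENTS = [
    {"ActionType": "FileMalwareDetected", "AccountDisplayName": "alice",
     "RawEventData": {"SiteUrl": "https://contoso.sharepoint.com/sites/Finance/"}},
    {"ActionType": "FileMalwareDetected", "AccountDisplayName": "bob",
     "RawEventData": {"SiteUrl": "https://contoso.sharepoint.com/sites/Finance/"}},
    {"ActionType": "FileMalwareDetected", "AccountDisplayName": "carol",
     "RawEventData": {"SiteUrl": "https://contoso-my.sharepoint.com/personal/carol_contoso_com/"}},
    {"ActionType": "FileMalwareDetected", "AccountDisplayName": "PowerBI-Service",
     "RawEventData": {"SiteUrl": "https://contoso.sharepoint.com/sites/Reports-Dev/"}},
    {"ActionType": "FileUploaded", "AccountDisplayName": "alice",
     "RawEventData": {"SiteUrl": "https://contoso.sharepoint.com/sites/Finance/"}},
]

# Known-benign (actor, location) pairs: the automated reporting scenario above.
EXCLUSIONS = {("PowerBI-Service", "Reports-Dev")}


def location_of(site_url: str) -> str:
    """Same extraction as the KQL: split on '/' and take element 4, which is
    the site name under /sites/ or the user segment under /personal/."""
    parts = site_url.split("/")
    return parts[4] if len(parts) > 4 else ""


def malware_by_location(events, exclusions=EXCLUSIONS) -> list[tuple[str, int]]:
    """Mirror of: where ActionType == 'FileMalwareDetected'
    | summarize count() by location | sort by count_ desc."""
    counts: Counter[str] = Counter()
    for ev in events:
        if ev.get("ActionType") != "FileMalwareDetected":
            continue
        loc = location_of(ev.get("RawEventData", {}).get("SiteUrl", ""))
        if (ev.get("AccountDisplayName"), loc) in exclusions:
            continue  # tuned-out false positive, see the scenarios above
        counts[loc] += 1
    # Highest count first; ties broken by name so output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for loc, n in malware_by_location(SAMPLE_EVENTS):
        print(f"{loc:30} {n}")
```

Swap `SAMPLE_EVENTS` for rows exported from the `CloudAppEvents` table and extend `EXCLUSIONS` with the other scenario pairs to compare the tuned and untuned counts before committing exclusions to the production query.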