Entra ID Sharepoint or OneDrive Accessed by Unusual Client
An application accessing SharePoint Online or OneDrive for Business for the first time in a tenant could indicate OAuth phishing, illicit consent grants, or compromised third-party apps accessing file storage.
This detection identifies when an application accesses SharePoint Online or OneDrive for Business for the first time within a tenant. This is a critical signal for detecting successful OAuth phishing campaigns, where users are tricked into granting consent to malicious applications. Once consent is granted, the malicious app can persistently access file storage without further user interaction. This also catches illicit consent grants, compromised third-party applications, or custom malicious apps registered by adversaries. The rule uses data from Entra ID sign-in logs to identify new application IDs accessing SharePoint or OneDrive resources. The rule looks back 9 months to establish a baseline of known applications.
Attack Chain
- The attacker sends a phishing email with a link to a malicious OAuth application.
- The victim clicks the link and is redirected to a legitimate-looking consent page.
- The victim grants consent to the malicious application, unknowingly providing access to their data.
- The malicious application authenticates to Entra ID using the granted consent.
- The application accesses SharePoint Online or OneDrive for Business using the victim's permissions.
- The application exfiltrates sensitive data from SharePoint or OneDrive.
- The attacker uses the exfiltrated data for their objectives, such as financial gain or espionage.
Impact
A successful OAuth phishing campaign or illicit consent grant can lead to significant data breaches. An attacker gaining access to SharePoint Online or OneDrive for Business can steal sensitive documents, intellectual property, and other confidential information. This can result in financial losses, reputational damage, and legal liabilities. There is no specific number of victims or sectors targeted detailed in the provided source material.
Recommendation
- Deploy the Sigma rule "Entra ID Sharepoint or OneDrive Accessed by Unusual Client" to your SIEM and tune for your environment to detect initial access of unusual applications.
- Review
azure.signinlogs.properties.app_idandazure.signinlogs.properties.app_display_nameto identify the application and cross-reference with known legitimate applications, as described in the rule's Triage and Analysis section. - Monitor
azure.auditlogsfor recentConsent to applicationevents matching suspicious app IDs to identify how consent was granted, as documented in the rule's analysis section. - Implement Conditional Access policies to require admin consent for high-risk permissions and block unverified publishers, as recommended in the Response and Remediation section.
- Ensure that Microsoft Entra ID Sign-In Logs are being collected and streamed into the Elastic Stack via the Azure integration, as required by the rule setup.
Detection coverage 2
Entra ID Sharepoint or OneDrive Accessed by Unusual Client
mediumDetects when an application accesses SharePoint Online or OneDrive for Business for the first time in the tenant.
Entra ID Consent to Application Audit
lowDetects consent to a new application in Entra ID via Audit Logs.
Detection queries are available on the platform. Get full rules →