M365 OneDrive Malware File Upload
This rule detects files uploaded to OneDrive that are identified as malware by the file scanning engine, potentially leading to lateral movement and further compromise.
This detection rule identifies instances where files uploaded to Microsoft 365 OneDrive are flagged as malware by the built-in file scanning engine. Attackers may exploit OneDrive's file-sharing capabilities to spread malicious files laterally within an organization. Users can inadvertently share these files without being aware of their malicious nature, providing attackers with an opportunity to gain initial access or expand their foothold within the environment. This rule leverages logs from the Office 365 audit logs and Filebeat to detect these malicious file uploads. This detection is designed to identify files detected as malware after upload; it does not cover files that are already present in OneDrive. The rule has been actively maintained and updated, with the latest update occurring on February 25, 2026.
Attack Chain
- An attacker gains initial access to a user's account, possibly through phishing or credential stuffing.
- The attacker uploads a malicious file (e.g., a weaponized Office document or executable) to the compromised user's OneDrive.
- OneDrive's built-in malware detection engine scans the uploaded file.
- The file is flagged as malware by the scanning engine, triggering the
FileMalwareDetectedevent. - The compromised user or other users with access to the file may inadvertently share it with other users within the organization.
- Other users access the shared malicious file, potentially triggering malware execution on their endpoints.
- The malware executes and establishes persistence or attempts to move laterally within the network.
- The attacker achieves their objective, such as data exfiltration, ransomware deployment, or further compromise of the environment.
Impact
A successful attack exploiting malicious OneDrive file uploads can lead to widespread malware infection within an organization. This can result in data loss, system downtime, and financial losses. Lateral movement initiated through shared malicious files can significantly expand the scope of the breach and increase the cost of remediation. The severity is rated high, and a risk score of 73 is assigned due to the potential for lateral movement.
Recommendation
- Enable the Office 365 Logs Fleet integration or Filebeat module to collect the necessary audit logs, as mentioned in the rule's Setup section.
- Deploy the provided Sigma rule to your SIEM to detect
FileMalwareDetectedevents in OneDrive logs. - Investigate alerts generated by the Sigma rule, focusing on the user account associated with the upload and the file's sharing settings, as outlined in the Triage and analysis section.
- Configure alerts to trigger when the
event.codeisSharePointFileOperationand theevent.actionisFileMalwareDetectedas specified in the rule's query. - Review and tune the Sigma rule based on your environment's baseline activity to minimize false positives, referencing the suggested False positive analysis steps.
Detection coverage 2
M365 OneDrive Malware File Upload
highDetects files uploaded to OneDrive that are identified as malware by the file scanning engine.
M365 OneDrive Suspicious File Operation
mediumDetects SharePoint file operations within OneDrive that could indicate malicious activity.
Detection queries are available on the platform. Get full rules →