Skip to content
Threat Feed
medium advisory

M365 SharePoint/OneDrive File Access via PowerShell

Detects file downloads and access from OneDrive or SharePoint using PowerShell-based user agents, which adversaries leverage with compromised OAuth tokens to exfiltrate data.

This detection identifies suspicious file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Attackers often compromise OAuth tokens via device code phishing (as seen in Volexity's reporting on Russian threat actors in February 2025) or other credential theft techniques and then use native PowerShell cmdlets (like Invoke-WebRequest or Invoke-RestMethod) with the Microsoft Graph API to exfiltrate data. This activity stands out because typical users access SharePoint/OneDrive via browsers or sync clients. The rule also detects PnP PowerShell module usage for file operations, commonly used by administrators, and includes FileAccessed events to uncover adversaries reading file content via API (specifically the /content endpoint) and saving it locally, circumventing traditional download methods.

Attack Chain

  1. The attacker compromises a user's credentials or obtains an OAuth token, possibly through device code phishing.
  2. The attacker authenticates to Microsoft 365 using the compromised credentials or OAuth token.
  3. The attacker uses PowerShell with a user agent containing terms like PowerShell, PnPPS, PnPCoreSDK, or SharePointPnP.
  4. The attacker uses PowerShell cmdlets (e.g., Invoke-WebRequest, Invoke-RestMethod) to interact with the Microsoft Graph API.
  5. The attacker enumerates files and directories within SharePoint or OneDrive.
  6. The attacker accesses or downloads files using the Graph API's /content endpoint or standard file download methods.
  7. The FileAccessed or FileDownloaded event is logged in the M365 audit logs.
  8. The attacker exfiltrates the downloaded content.

Impact

A successful attack can lead to the exfiltration of sensitive data from SharePoint and OneDrive. The risk score is rated as 47/100. Depending on the compromised user's access, this could include confidential documents, financial records, or intellectual property. The impact includes potential financial loss, reputational damage, and regulatory fines. The "ShinyHunters" group (mentioned in the Google blog) has used similar techniques for SaaS data theft.

Recommendation

  • Deploy the Sigma rule M365 SharePoint/OneDrive File Access via PowerShell to your SIEM and tune for your environment to detect suspicious file access patterns (rules).
  • Investigate any alerts generated by the Sigma rule by examining the user agent, source IP, accessed files, and authentication method (rules).
  • Implement conditional access policies to restrict device code authentication flows to mitigate OAuth token compromise (references).
  • Review OAuth application permissions in your tenant and revoke unnecessary or suspicious permissions (references).
  • Monitor M365 audit logs, specifically FileDownloaded and FileAccessed events from SharePoint and OneDrive, for unusual PowerShell-based activity (logsource).

Detection coverage 2

M365 SharePoint/OneDrive File Access via PowerShell

medium

Detects file downloads and access from OneDrive or SharePoint using PowerShell-based user agents.

sigma tactics: collection, exfiltration techniques: T1213, T1213.002, T1530 sources: webserver, o365

M365 SharePoint File Accessed via PnP PowerShell

low

Detects files accessed in SharePoint using PnP PowerShell modules, potentially indicating unauthorized access.

sigma tactics: collection techniques: T1213, T1213.002 sources: webserver, o365

Detection queries are available on the platform. Get full rules →