M365 SharePoint/OneDrive File Access via PowerShell
Detects file downloads and access from OneDrive or SharePoint using PowerShell-based user agents, which adversaries leverage with compromised OAuth tokens to exfiltrate data.
This detection identifies suspicious file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Attackers often compromise OAuth tokens via device code phishing (as seen in Volexity's reporting on Russian threat actors in February 2025) or other credential theft techniques and then use native PowerShell cmdlets (like Invoke-WebRequest or Invoke-RestMethod) with the Microsoft Graph API to exfiltrate data. This activity stands out because typical users access SharePoint/OneDrive via browsers or sync clients. The rule also detects PnP PowerShell module usage for file operations, commonly used by administrators, and includes FileAccessed events to uncover adversaries reading file content via API (specifically the /content endpoint) and saving it locally, circumventing traditional download methods.
Attack Chain
- The attacker compromises a user's credentials or obtains an OAuth token, possibly through device code phishing.
- The attacker authenticates to Microsoft 365 using the compromised credentials or OAuth token.
- The attacker uses PowerShell with a user agent containing terms like
PowerShell,PnPPS,PnPCoreSDK, orSharePointPnP. - The attacker uses PowerShell cmdlets (e.g.,
Invoke-WebRequest,Invoke-RestMethod) to interact with the Microsoft Graph API. - The attacker enumerates files and directories within SharePoint or OneDrive.
- The attacker accesses or downloads files using the Graph API's
/contentendpoint or standard file download methods. - The
FileAccessedorFileDownloadedevent is logged in the M365 audit logs. - The attacker exfiltrates the downloaded content.
Impact
A successful attack can lead to the exfiltration of sensitive data from SharePoint and OneDrive. The risk score is rated as 47/100. Depending on the compromised user's access, this could include confidential documents, financial records, or intellectual property. The impact includes potential financial loss, reputational damage, and regulatory fines. The "ShinyHunters" group (mentioned in the Google blog) has used similar techniques for SaaS data theft.
Recommendation
- Deploy the Sigma rule
M365 SharePoint/OneDrive File Access via PowerShellto your SIEM and tune for your environment to detect suspicious file access patterns (rules). - Investigate any alerts generated by the Sigma rule by examining the user agent, source IP, accessed files, and authentication method (rules).
- Implement conditional access policies to restrict device code authentication flows to mitigate OAuth token compromise (references).
- Review OAuth application permissions in your tenant and revoke unnecessary or suspicious permissions (references).
- Monitor M365 audit logs, specifically
FileDownloadedandFileAccessedevents from SharePoint and OneDrive, for unusual PowerShell-based activity (logsource).
Detection coverage 2
M365 SharePoint/OneDrive File Access via PowerShell
mediumDetects file downloads and access from OneDrive or SharePoint using PowerShell-based user agents.
M365 SharePoint File Accessed via PnP PowerShell
lowDetects files accessed in SharePoint using PnP PowerShell modules, potentially indicating unauthorized access.
Detection queries are available on the platform. Get full rules →