Skip to content
Threat Feed
medium advisory

Excessive OneDrive File Downloads Detection

Detection of unusual high-volume file downloads from Microsoft OneDrive, potentially indicating data exfiltration by a compromised account or insider threat.

This brief focuses on detecting excessive file downloads from Microsoft OneDrive, a common cloud storage service used by organizations. While the provided source material does not detail a specific threat actor or campaign, the detection of anomalous download activity can indicate a compromised user account, insider threat, or malicious application attempting to exfiltrate sensitive data. Attackers may leverage compromised credentials or install malicious applications to access and download large amounts of data stored in OneDrive. Timely detection and response to such activity are crucial for preventing significant data loss. This detection strategy is especially relevant in environments with sensitive data stored in OneDrive.

Attack Chain

  1. Initial Access: An attacker gains access to a legitimate user's OneDrive account, potentially through credential compromise (phishing, password reuse, or brute-force attacks).
  2. Reconnaissance: The attacker explores the OneDrive account to identify valuable files and folders for exfiltration.
  3. Staging: The attacker may stage files by moving or copying them to a single location for easier downloading.
  4. Download Activity: The attacker initiates a large number of file download requests from OneDrive. This can be automated using scripts or tools to accelerate the process.
  5. Evasion (Optional): To avoid detection, the attacker might attempt to throttle the download speed or spread the downloads over a longer period.
  6. Exfiltration: The downloaded files are transferred to an external location controlled by the attacker.
  7. Cleanup (Optional): The attacker may attempt to delete logs or files to cover their tracks within the compromised OneDrive account.

Impact

Successful exfiltration of data from OneDrive can lead to significant financial losses, reputational damage, and legal liabilities. The impact depends on the sensitivity of the data stored in OneDrive. If the compromised account contains intellectual property, customer data, or other confidential information, the consequences can be severe, potentially affecting thousands or even millions of individuals.

Recommendation

  • Deploy the Sigma rule OneDrive Excessive File Download Activity to your SIEM and tune the threshold based on your organization's baseline OneDrive usage.
  • Enable and monitor Microsoft 365 audit logs for OneDrive file download events to ensure the Sigma rule can function correctly.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the download activity and identify potential compromised accounts.

Detection coverage 2

OneDrive Excessive File Download Activity

medium

Detects a user downloading an unusually large number of files from OneDrive within a short period, potentially indicating data exfiltration.

sigma tactics: exfiltration techniques: T1020 sources: cloudtrail, azure

OneDrive Large File Download

low

Detects a user downloading large files from OneDrive, which may indicate data exfiltration.

sigma tactics: exfiltration techniques: T1020 sources: cloudtrail, azure

Detection queries are available on the platform. Get full rules →