Skip to content
Threat Feed
high advisory

SharePoint Malware Upload for Lateral Movement

Attackers can upload malware to SharePoint, leveraging the platform's file-sharing capabilities to propagate threats laterally within an organization and compromise additional systems.

This detection identifies instances of malware being uploaded to SharePoint, which can be exploited by attackers to move laterally within an organization. The attackers can abuse the File Sharing and Organization Repositories to spread malware within the company and amplify their access. Unsuspecting users may share these files without recognizing their malicious nature, thereby creating opportunities for adversaries to gain initial access to other endpoints in the environment. This detection rule is based on Microsoft 365 audit logs and specifically targets events where SharePoint's file scanning engine has flagged a file upload as malicious. The rule is designed to help security teams quickly identify and respond to potential lateral movement attempts within their Microsoft 365 environment.

Attack Chain

  1. An attacker gains initial access to a user account through phishing or credential compromise.
  2. The attacker logs into the compromised account and accesses SharePoint.
  3. The attacker uploads a malicious file (e.g., a document with a macro or an executable) to a SharePoint library.
  4. The SharePoint file scanning engine detects the uploaded file as malware (event code: SharePointFileOperation and event action: FileMalwareDetected).
  5. Other users within the organization access or download the malicious file from SharePoint.
  6. The malware executes on the user's endpoint, leading to system compromise.
  7. The attacker leverages the compromised system to further move laterally within the network, potentially gaining access to sensitive data or critical systems.
  8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or long-term persistence within the environment.

Impact

A successful malware upload to SharePoint can lead to widespread compromise within an organization. Lateral movement can affect multiple users and systems, potentially leading to data breaches, financial losses, and reputational damage. The impact depends on the type of malware uploaded and the access privileges of the compromised accounts. Organizations can experience significant disruption to business operations, with remediation efforts requiring extensive time and resources.

Recommendation

  • Enable the Office 365 Logs Fleet integration or Filebeat module to collect Microsoft 365 audit logs, which are necessary to activate the rules below.
  • Deploy the Sigma rule M365 SharePoint Malware File Detected to your SIEM to detect malware uploads to SharePoint.
  • Review the investigation guide in the rule's note section to improve triage and incident response capabilities.
  • Implement enhanced monitoring and logging for SharePoint and related services to detect any future attempts to upload or share malicious files.

Detection coverage 2

M365 SharePoint Malware File Detected

high

Detects files uploaded to SharePoint that are flagged as malware by the file scanning engine.

sigma tactics: lateral_movement, resource_development techniques: T1080, T1608, T1608.001 sources: audit, o365

Suspicious SharePoint File Upload - High Volume

medium

Detects a user uploading a high volume of files to SharePoint within a short time, which could indicate an attacker staging malware.

sigma tactics: resource_development techniques: T1608, T1608.001 sources: audit, o365

Detection queries are available on the platform. Get full rules →