|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/02/19" |
| 3 | +integration = ["o365"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "ES|QL in technical preview" |
| 6 | +min_stack_version = "8.13.0" |
| 7 | +updated_date = "2025/02/19" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may |
| 13 | +conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download |
| 14 | +files from OneDrive. |
| 15 | +""" |
| 16 | +false_positives = [ |
| 17 | + """ |
| 18 | + Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are |
| 19 | + authorized and the user is known before taking action. |
| 20 | + """, |
| 21 | +] |
| 22 | +from = "now-9m" |
| 23 | +language = "esql" |
| 24 | +license = "Elastic License v2" |
| 25 | +name = "M365 OneDrive Excessive File Downloads with OAuth Token" |
| 26 | +note = """## Triage and Analysis |
| 27 | +
|
| 28 | +### Investigating M365 OneDrive Excessive File Downloads with OAuth Token |
| 29 | +
|
| 30 | +This rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique. |
| 31 | +
|
| 32 | +This rule leverages ES|QL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested. |
| 33 | +
|
| 34 | +#### Possible Investigation Steps |
| 35 | +
|
| 36 | +- Review the `o365.audit.UserId` field to identify the user who performed the downloads. Check if this user typically downloads large amounts of data from OneDrive. |
| 37 | +- Correlate `o365.audit.UserId` with Entra Sign-In logs to verify the authentication method used and determine if it was expected for this user. |
| 38 | +- Review the authentication method used. If OAuth authentication was used, investigate whether it was expected for this user. |
| 39 | +- Identify the client application used for authentication. Determine if it is a legitimate enterprise-approved app or an unauthorized third-party application. |
| 40 | +- Check the number of unique files downloaded. If a user downloads a high volume of unique files in a short period, it may indicate data exfiltration. |
| 41 | +- Analyze the file types and directories accessed to determine if sensitive or confidential data was involved. |
| 42 | +- Investigate the source IP address and geolocation of the download activity. If it originates from an unusual or anonymized location, further scrutiny is needed. |
| 43 | +- Review other recent activities from the same user, such as file access, sharing, or permission changes, that may indicate further compromise. |
| 44 | +- Check for signs of session persistence using OAuth. If Azure sign-in logs are correlated where `authentication_protocol` or `originalTransferMethod` field shows `deviceCode`, the session was established through device code authentication. |
| 45 | +- Look for multiple authentication attempts from different devices or locations within a short timeframe, which could indicate unauthorized access. |
| 46 | +- Investigate if other OAuth-related anomalies exist, such as consent grants for unfamiliar applications or unexpected refresh token activity. |
| 47 | +- Review the `file.directory` value from the original documents to identify the specific folders or paths where the files were downloaded. |
| 48 | +
|
| 49 | +### False Positive Analysis |
| 50 | +
|
| 51 | +- Verify if the user regularly downloads large batches of files as part of their job function. |
| 52 | +- Determine if the downloads were triggered by an authorized automated process, such as a data backup or synchronization tool. |
| 53 | +- Confirm if the detected OAuth application is approved for enterprise use and aligns with expected usage patterns. |
| 54 | +
|
| 55 | +### Response and Remediation |
| 56 | +
|
| 57 | +- If unauthorized activity is confirmed, revoke the OAuth token used and terminate active OneDrive sessions. |
| 58 | +- Reset the affected user's password and require reauthentication to prevent continued unauthorized access. |
| 59 | +- Restrict OAuth app permissions and enforce conditional access policies to limit authentication to trusted devices and applications. |
| 60 | +- Monitor for additional signs of compromise, such as unusual email forwarding rules, external sharing of OneDrive files, or privilege escalation attempts. |
| 61 | +- Educate users on OAuth phishing risks and encourage the use of **Microsoft Defender for Office 365 Safe Links** to mitigate credential-based attacks. |
| 62 | +- Enable continuous monitoring for OAuth authentication anomalies using **Microsoft Entra ID sign-in logs** and security tools. |
| 63 | +""" |
| 64 | +references = [ |
| 65 | + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/", |
| 66 | +] |
| 67 | +risk_score = 47 |
| 68 | +rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce" |
| 69 | +severity = "medium" |
| 70 | +tags = [ |
| 71 | + "Domain: Cloud", |
| 72 | + "Domain: SaaS", |
| 73 | + "Data Source: Microsoft 365", |
| 74 | + "Data Source: SharePoint", |
| 75 | + "Data Source: OneDrive", |
| 76 | + "Use Case: Threat Detection", |
| 77 | + "Tactic: Collection", |
| 78 | + "Tactic: Exfiltration", |
| 79 | + "Resources: Investigation Guide", |
| 80 | +] |
| 81 | +timestamp_override = "event.ingested" |
| 82 | +type = "esql" |
| 83 | + |
| 84 | +query = ''' |
| 85 | +FROM logs-o365.audit-* |
| 86 | +| WHERE @timestamp > now() - 14 day |
| 87 | +| WHERE |
| 88 | + event.dataset == "o365.audit" and |
| 89 | +
|
| 90 | + // filter on files downloaded from OneDrive |
| 91 | + event.provider == "OneDrive" and |
| 92 | + event.action == "FileDownloaded" and |
| 93 | +
|
| 94 | + // filter on OAuth authentication which encompasses device code workflow |
| 95 | + o365.audit.AuthenticationType == "OAuth" |
| 96 | + and event.outcome == "success" |
| 97 | +// bucket authentication attempts by 1 minute |
| 98 | +| EVAL target_time_window = DATE_TRUNC(1 minutes, @timestamp) |
| 99 | +| KEEP target_time_window, o365.audit.UserId, file.name, source.ip |
| 100 | +
|
| 101 | +// aggregate on unique file names and download attempts |
| 102 | +| STATS unique_file_count = count_distinct(file.name), download_attempt_count = count(*) BY target_time_window, o365.audit.UserId, source.ip |
| 103 | +
|
| 104 | +// adjustable range for "excessive" unique files that were downloaded |
| 105 | +| WHERE unique_file_count >= 25 |
| 106 | +''' |
| 107 | + |
| 108 | + |
| 109 | +[[rule.threat]] |
| 110 | +framework = "MITRE ATT&CK" |
| 111 | +[[rule.threat.technique]] |
| 112 | +id = "T1530" |
| 113 | +name = "Data from Cloud Storage" |
| 114 | +reference = "https://attack.mitre.org/techniques/T1530/" |
| 115 | + |
| 116 | + |
| 117 | +[rule.threat.tactic] |
| 118 | +id = "TA0009" |
| 119 | +name = "Collection" |
| 120 | +reference = "https://attack.mitre.org/tactics/TA0009/" |
| 121 | + |
| 122 | +[[rule.threat]] |
| 123 | +framework = "MITRE ATT&CK" |
| 124 | + |
| 125 | +[rule.threat.tactic] |
| 126 | +id = "TA0010" |
| 127 | +name = "Exfiltration" |
| 128 | +reference = "https://attack.mitre.org/tactics/TA0010/" |
| 129 | + |
0 commit comments