LoFP / Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are authorized and the user is known before taking action.

Techniques

Sample rules

M365 OneDrive Excessive File Downloads with OAuth Token

Description

Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.

Detection logic

from logs-o365.audit-*
| where
    @timestamp > now() - 14d and
    event.dataset == "o365.audit" and
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and
    o365.audit.AuthenticationType == "OAuth" and
    event.outcome == "success"
| eval
    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| keep
    Esql.time_window_date_trunc,
    o365.audit.UserId,
    file.name,
    source.ip
| stats
    Esql.file_name_count_distinct = count_distinct(file.name),
    Esql.event_count = count(*)
  by
    Esql.time_window_date_trunc,
    o365.audit.UserId,
    source.ip
| where
    Esql.file_name_count_distinct >= 25
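As an added example (not part of the LoFP page or of the Elastic rule itself), the same filter and per-minute aggregation reproduced in Python over constructed o365.audit records, with a hypothetical allowlist (KNOWN_BULK_DOWNLOADERS) standing in for the "user is known" triage step from the LoFP note; NOW, the user names, IPs and file names are constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "now" for the 14-day lookback, and a hypothetical allowlist of accounts whose bulk
# OneDrive downloads are known and authorized (the LoFP triage step, not part of the rule).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
KNOWN_BULK_DOWNLOADERS = {"backup-svc@example.com"}

def matches_filter(ev, now=NOW):
    """The rule's 'where' clause: recent, successful OneDrive downloads authenticated via OAuth."""
    ts = datetime.fromisoformat(ev["@timestamp"])
    return (ts > now - timedelta(days=14)
            and ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "OneDrive"
            and ev.get("event.action") == "FileDownloaded"
            and ev.get("o365.audit.AuthenticationType") == "OAuth"
            and ev.get("event.outcome") == "success")

def excessive_downloads(events, now=NOW, threshold=25):
    """The rule's eval/stats/where: distinct file names per (1-minute bucket, user, source IP)."""
    buckets = defaultdict(lambda: {"files": set(), "events": 0})
    for ev in events:
        if not matches_filter(ev, now):
            continue
        minute = datetime.fromisoformat(ev["@timestamp"]).replace(second=0, microsecond=0)
        key = (minute.isoformat(), ev["o365.audit.UserId"], ev["source.ip"])
        buckets[key]["files"].add(ev["file.name"])
        buckets[key]["events"] += 1
    return [{"window": k[0], "user": k[1], "source_ip": k[2],
             "distinct_files": len(v["files"]), "event_count": v["events"],
             # Triage hint from the LoFP note: is this a known account doing expected bulk work?
             "known_user": k[1] in KNOWN_BULK_DOWNLOADERS}
            for k, v in buckets.items() if len(v["files"]) >= threshold]

def sample_events():
    """Constructed o365.audit records, all inside the 10:00 minute on 2024-06-01."""
    def mk(sec, user, ip, fname, auth="OAuth"):
        return {"@timestamp": f"2024-06-01T10:00:{sec:02d}+00:00", "event.dataset": "o365.audit",
                "event.provider": "OneDrive", "event.action": "FileDownloaded",
                "o365.audit.AuthenticationType": auth, "event.outcome": "success",
                "o365.audit.UserId": user, "file.name": fname, "source.ip": ip}
    events = []
    for i in range(30):
        events.append(mk(i, "alice@example.com", "203.0.113.10", f"doc{i}.docx"))    # 30 files: alerts
        events.append(mk(i, "backup-svc@example.com", "198.51.100.5", f"bk{i}.zip"))  # alerts, known user
        events.append(mk(i, "bob@example.com", "203.0.113.20", "report.pdf"))          # 1 file: no alert
        events.append(mk(i, "carol@example.com", "203.0.113.30", f"x{i}.txt", "FormsAuth"))  # non-OAuth (constructed value), filtered out
    return events
```

Note that ES|QL count_distinct is approximate, so buckets sitting right at the 25 threshold may score slightly differently in Elasticsearch than in this exact replication.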