New legitimate applications or integrations recently deployed in the environment may trigger this detection during initial setup or rollout phases.

Techniques

Sample rules

Entra ID SharePoint or OneDrive Accessed by Unusual Client

Description

Identifies when an application accesses SharePoint Online or OneDrive for Business for the first time in the tenant within a specified timeframe. This detects successful OAuth phishing campaigns, illicit consent grants, or compromised third-party applications gaining initial access to file storage. Adversaries often use malicious OAuth applications or phishing techniques to gain consent from users, allowing persistent access to organizational data repositories without traditional credential theft.

Detection logic

event.dataset:azure.signinlogs
    and azure.signinlogs.properties.resource_id: (
        00000003-0000-0ff1-ce00-000000000000 or
        6a9b9266-8161-4a7b-913a-a9eda19da220
    ) and azure.signinlogs.properties.app_id: ( *
        and not (
            00000003-0000-0ff1-ce00-000000000000 or
            08e18876-6177-487e-b8b5-cf950c1e598c or
            ab9b8c07-8f02-4f72-87fa-80105867a763 or
            af124e86-4e96-495a-b70a-90f90ab96707
        )
    )
    and azure.signinlogs.properties.tenant_id:*
    and event.outcome:success
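The query above is the filter half of the rule; the alert itself fires when the filtered app_id is a new term for the tenant. The following added example (not Elastic's code) reproduces both steps in Python over constructed, flattened sign-in events, using the resource and excluded app IDs from the query; the "app-*" client IDs, tenant ID and timestamps are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Resource IDs from the rule: SharePoint Online and OneDrive for Business
SHAREPOINT_RESOURCE_IDS = {
    "00000003-0000-0ff1-ce00-000000000000",
    "6a9b9266-8161-4a7b-913a-a9eda19da220",
}
# First-party client app IDs the rule excludes
EXCLUDED_APP_IDS = {
    "00000003-0000-0ff1-ce00-000000000000",
    "08e18876-6177-487e-b8b5-cf950c1e598c",
    "ab9b8c07-8f02-4f72-87fa-80105867a763",
    "af124e86-4e96-495a-b70a-90f90ab96707",
}

def matches_query(ev):
    """The rule's KQL filter applied to one flattened sign-in event."""
    return (
        ev.get("event.dataset") == "azure.signinlogs"
        and ev.get("azure.signinlogs.properties.resource_id") in SHAREPOINT_RESOURCE_IDS
        and ev.get("azure.signinlogs.properties.app_id") not in (None, "", *EXCLUDED_APP_IDS)
        and bool(ev.get("azure.signinlogs.properties.tenant_id"))
        and ev.get("event.outcome") == "success"
    )

def new_client_apps(events, now, history_window=timedelta(days=14)):
    """new_terms step: (tenant_id, app_id) pairs whose first matching sign-in
    falls inside the history window, i.e. clients never seen before."""
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if matches_query(ev):
            key = (ev["azure.signinlogs.properties.tenant_id"],
                   ev["azure.signinlogs.properties.app_id"])
            first_seen.setdefault(key, ev["@timestamp"])
    return sorted(k for k, ts in first_seen.items() if ts >= now - history_window)

def _ev(ts, app_id, resource_id="00000003-0000-0ff1-ce00-000000000000", outcome="success"):
    return {"@timestamp": ts, "event.dataset": "azure.signinlogs", "event.outcome": outcome,
            "azure.signinlogs.properties.tenant_id": "tenant-constructed",
            "azure.signinlogs.properties.resource_id": resource_id,
            "azure.signinlogs.properties.app_id": app_id}

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed; "app-*" IDs are placeholders, not real client IDs
    _ev(NOW - timedelta(days=60), "app-known-sync-client"),  # long-established client
    _ev(NOW - timedelta(days=2), "app-known-sync-client"),
    _ev(NOW - timedelta(days=1), "app-new-oauth-client"),  # first sighting -> alert
    _ev(NOW - timedelta(days=1), "af124e86-4e96-495a-b70a-90f90ab96707"),  # excluded first-party
    _ev(NOW - timedelta(hours=3), "app-failed-client", outcome="failure"),  # not a success
]
```

Calling new_client_apps(SAMPLE_EVENTS, NOW) yields only the "app-new-oauth-client" pair: the established client is older than the window, the first-party client is excluded by the filter, and the failed sign-in never matches. Tuning the false positive described at the top means widening the history window or allow-listing an app_id once its first-seen sighting has been confirmed as a sanctioned rollout.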