RULE 10 M365 One Drive Ransomware Like Behavior
Query
// Rule : M365 - OneDrive Ransomware-Like File Replacement Pattern
// Severity: Critical
// Tactics : Impact
// MITRE : T1486 (Data Encrypted for Impact)
// Freq : PT30M Period: PT30M
// Description: Detects ransomware-like behavior in OneDrive where a user deletes
// or overwrites a large number of unique files within a short time window.
// Correlates FileDeleted + FileModified or upload of files with suspicious
// extensions (.locked, .encrypt, .cry, etc.)
//==========================================================================================
let RansomExtensions = dynamic([
".locked", ".encrypt", ".crypted", ".crypt", ".cry", ".wnry",
".wncry", ".wcry", ".ecc", ".ezz", ".exx", ".axx", ".abc",
".xyz", ".locky", ".crypz", ".zepto"
]);
let MassDeleteThreshold = 50; // files deleted/replaced in 30 min
let LookbackPeriod = 30m;
OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "OneDrive"
| where Operation in ("FileDeleted", "FileModified", "FileUploaded", "FileVersionsAllDeleted")
| extend FileExt = tostring(extract(@"(\.[a-zA-Z0-9]+)$", 1, SourceFileName))
| extend IsSuspiciousExt = FileExt in~ (RansomExtensions)
| summarize
TotalOps = count(),
DeletedCount = countif(Operation == "FileDeleted"),
VersionsDeleted = countif(Operation == "FileVersionsAllDeleted"),
UploadedCount = countif(Operation == "FileUploaded"),
SuspiciousExtCount = countif(IsSuspiciousExt),
UniqueFiles = dcount(SourceFileName),
FileSample = make_set(SourceFileName, 15),
ClientIPs = make_set(ClientIP, 5)
by UserId
| where DeletedCount >= MassDeleteThreshold
or VersionsDeleted >= 10
or SuspiciousExtCount >= 5
| extend AlertSeverity = case(
SuspiciousExtCount >= 5 or VersionsDeleted >= 10, "Critical",
DeletedCount >= 200, "High",
"Medium")
| project
TimeGenerated = now(),
UserId,
DeletedCount,
VersionsDeleted,
UploadedCount,
SuspiciousExtCount,
UniqueFiles,
FileSample,
ClientIPs,
AlertSeverityExplanation
This query is designed to detect potential ransomware activity in OneDrive by monitoring for suspicious file operations. Here's a simplified breakdown:
-
Purpose: The query aims to identify ransomware-like behavior where a user deletes or modifies a large number of files in a short period, particularly focusing on files with extensions commonly associated with ransomware.
-
Key Components:
- RansomExtensions: A list of file extensions that are typically used by ransomware (e.g.,
.locked,.encrypt). - MassDeleteThreshold: A threshold set at 50 files, indicating the minimum number of deletions or modifications within 30 minutes that could trigger an alert.
- LookbackPeriod: The time window of 30 minutes during which file operations are monitored.
- RansomExtensions: A list of file extensions that are typically used by ransomware (e.g.,
-
Process:
- The query examines OneDrive activities within the last 30 minutes.
- It filters for operations like file deletion, modification, upload, and deletion of all file versions.
- It checks if the file extensions match those in the
RansomExtensionslist to flag suspicious files. - It summarizes the data by user, counting the total operations, deletions, uploads, and suspicious file extensions.
-
Alert Conditions:
- An alert is triggered if:
- 50 or more files are deleted.
- 10 or more file versions are deleted.
- 5 or more files with suspicious extensions are involved.
- The severity of the alert is determined based on the number of suspicious activities:
- "Critical" if there are many suspicious extensions or version deletions.
- "High" if there are 200 or more deletions.
- "Medium" otherwise.
- An alert is triggered if:
-
Output:
- The query outputs the current time, user ID, counts of various operations, a sample of file names, client IPs, and the alert severity level.
In essence, this query helps in early detection of ransomware attacks by identifying unusual patterns of file operations in OneDrive that resemble ransomware behavior.
Details

David Alonso
Released: March 18, 2026
Tables
OfficeActivity
Keywords
OfficeActivityOneDriveFileDeletedFileModifiedFileUploadedFileVersionsAllDeletedSourceFileNameClientIPUserId
Operators
letdynamicagoinextendtostringextractin~summarizecountcountifdcountmake_setbycaseprojectnow
MITRE Techniques