Query Details
// Rule : M365 - OneDrive External Sharing Spike to New Domains
// Severity: High
// Tactics : Exfiltration
// MITRE : T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
// Freq : PT1H Period: PT1H
// Description: Detects when a user shares OneDrive files with external email addresses
// from domains not seen in the past 14 days, especially in bulk.
// New external domain + high volume = elevated exfiltration risk.
//==========================================================================================
let LookbackPeriod = 1h;
let BaselineDays = 14d;
let SharingThreshold = 10; // unique external users shared with in 1 hour
// Known external domains in baseline: (UserId, TargetDomain) pairs seen between 14d and 1h ago
let KnownExternalDomains = OfficeActivity
    | where TimeGenerated between (ago(BaselineDays) .. ago(LookbackPeriod))
    // OfficeWorkload carries the "SharePoint"/"OneDrive" values; RecordType uses
    // finer-grained names such as "SharePointSharingOperation", so filtering
    // RecordType on "SharePoint"/"OneDrive" would drop the sharing events
    | where OfficeWorkload in ("SharePoint", "OneDrive")
    | where Operation in ("SharingInvitationCreated", "AddedToSecureLink")
    | extend TargetDomain = tostring(split(TargetUserOrGroupName, "@")[1])
    | where isnotempty(TargetDomain)
    | distinct UserId, TargetDomain;
// Current hour sharing
OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where OfficeWorkload in ("SharePoint", "OneDrive")
    | where Operation in (
        "SharingInvitationCreated", "AddedToSecureLink",
        "AnonymousLinkCreated", "SharingSet")
    | extend
        TargetUser = tostring(TargetUserOrGroupName),
        TargetDomain = tostring(split(TargetUserOrGroupName, "@")[1])
    | where TargetUser !has UserId // only external, not self-share
    // Keep only shares whose (UserId, TargetDomain) pair is absent from the baseline
    | join kind=leftanti KnownExternalDomains on UserId, TargetDomain
    | summarize
        SharedCount = count(),
        // AnonymousLinkCreated rows have no target address, so TargetDomain is empty;
        // do not count that empty value as a distinct domain
        UniqueExtDomains = dcountif(TargetDomain, isnotempty(TargetDomain)),
        ExternalUsers = make_set(TargetUser, 20),
        ExtDomainList = make_set(TargetDomain, 10),
        FilesShared = make_set(SourceFileName, 15),
        SiteURLs = make_set(Site_Url, 5) // OfficeActivity column is Site_Url
        by UserId
    | where SharedCount >= SharingThreshold or UniqueExtDomains >= 3
    | extend AlertSeverity = case(
        UniqueExtDomains >= 5, "High",
        SharedCount >= 20, "High",
        "Medium")
    | project
        TimeGenerated = now(),
        UserId,
        SharedCount,
        UniqueExtDomains,
        ExtDomainList,
        ExternalUsers,
        FilesShared,
        SiteURLs,
        AlertSeverity
This query is designed to detect potential data exfiltration risks in Microsoft 365 OneDrive by identifying unusual external file sharing activities. Here's a simplified breakdown:
Purpose: The query aims to identify when a user shares OneDrive files with external email addresses from new domains that haven't been seen in the past 14 days. It focuses on detecting bulk sharing to these new domains, which could indicate a higher risk of data exfiltration.
Lookback Period: The query examines activities within the last hour.
Baseline: It establishes a baseline by identifying known external domains that have been interacted with over the past 14 days.
Current Activity: It then looks at the current hour's sharing activities, specifically targeting operations like creating sharing invitations or links.
Filtering: The query drops self-shares (the target address contains the sharing user's own ID) and, through the leftanti join, any share to a (user, domain) pair already present in the baseline, so only shares to domains that are new for that user remain.
Analysis: It summarizes the data to count the number of shares, the number of unique new external domains, and lists of external users, domains, files shared, and site URLs involved.
Alert Conditions: An alert is triggered if the number of shares is 10 or more, or if there are 3 or more unique new external domains involved. The severity of the alert is classified as "High" if there are 5 or more unique domains or 20 or more shares; otherwise, it is "Medium."
Output: The query outputs details such as the time of detection, user ID, number of shares, unique domains, lists of external users and domains, files shared, site URLs, and the alert severity.
In essence, this query helps identify and alert on potentially risky sharing behavior in OneDrive, focusing on new and unusual external sharing patterns.
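To check the rule's thresholds and filters offline before deploying it, the logic above can be replayed against a handful of constructed sharing events. The Python below is an added example, not part of the original rule: it mirrors the baseline join, the self-share filter, the empty-domain case for AnonymousLinkCreated, and the severity ladder over records shaped like OfficeActivity rows (all users, domains and timestamps are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed clock and the rule's parameters (mirrors the let statements of the query)
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)
LOOKBACK, BASELINE_DAYS, SHARING_THRESHOLD = timedelta(hours=1), timedelta(days=14), 10
BASELINE_OPS = {"SharingInvitationCreated", "AddedToSecureLink"}
CURRENT_OPS = BASELINE_OPS | {"AnonymousLinkCreated", "SharingSet"}

def domain_of(target):  # split(TargetUserOrGroupName, "@")[1]; "" when there is no '@'
    return target.split("@", 1)[1] if "@" in target else ""

def known_external_domains(events, now=NOW):  # (UserId, TargetDomain) seen 14d..1h ago
    known = set()
    for e in events:
        d = domain_of(e["target"])
        if d and e["op"] in BASELINE_OPS and now - BASELINE_DAYS <= e["t"] < now - LOOKBACK:
            known.add((e["user"], d))
    return known

def detect(events, now=NOW):  # per-user alerts for the last hour, keyed by UserId
    known = known_external_domains(events, now)
    rows = defaultdict(list)
    for e in events:
        if e["t"] <= now - LOOKBACK or e["op"] not in CURRENT_OPS:
            continue
        if e["user"] in e["target"]:  # approximates `TargetUser !has UserId` (self-share)
            continue
        d = domain_of(e["target"])
        if (e["user"], d) not in known:  # join kind=leftanti against the baseline
            rows[e["user"]].append((e["target"], d))
    alerts = {}
    for user, shares in rows.items():
        domains = {d for _, d in shares if d}  # an empty domain is not a domain
        if len(shares) >= SHARING_THRESHOLD or len(domains) >= 3:
            alerts[user] = {"SharedCount": len(shares), "UniqueExtDomains": len(domains),
                            "ExtDomainList": sorted(domains),
                            "AlertSeverity": "High" if len(domains) >= 5 or len(shares) >= 20 else "Medium"}
    return alerts

def ev(hours_ago, user, op, target):  # constructed OfficeActivity-like record
    return {"t": NOW - timedelta(hours=hours_ago), "user": user, "op": op, "target": target}

SAMPLE_EVENTS = (  # constructed sample, not real tenant data
    [ev(240, "alice@corp.example", "SharingInvitationCreated", "p1@partner.example")]  # baseline
    + [ev(0.5, "alice@corp.example", "SharingInvitationCreated", f"u@{d}") for d in ("a.test", "b.test", "c.test")]
    + [ev(0.7, "alice@corp.example", "SharingInvitationCreated", "p2@partner.example"),  # known domain
       ev(0.2, "alice@corp.example", "SharingSet", "alice@corp.example"),               # self-share
       ev(0.3, "dan@corp.example", "AnonymousLinkCreated", "")]                          # no target
    + [ev(0.4, "bob@corp.example", "AddedToSecureLink", f"x{i}@newvendor.test") for i in range(12)]
)
```

Alice trips the three-new-domains condition and bob the ten-share condition, both at Medium; dan's anonymous link alone produces no alert because it carries no target domain.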

David Alonso
Released: March 18, 2026