Query Details

RULE 20 M365 Cross Workload Exfiltration Chain

Query

// Rule    : M365 - Cross-Workload Exfiltration Chain (Teams + OneDrive + Exchange)
// Severity: Critical
// Tactics : Collection, Exfiltration
// MITRE   : T1530, T1537, T1114, T1213.003
// Freq    : PT1H   Period: PT1H
// Description: Detects a user whose activity exceeds a per-workload threshold in at
//              least two M365 workloads within one hour: mass downloads and external
//              sharing (OneDrive/SharePoint), unusual mailbox access or export
//              (Exchange), and file sharing or guest-driven link/member activity
//              (Teams). Multi-vector activity strongly elevates exfiltration confidence.
//==========================================================================================

let LookbackPeriod = 1h;

// Every workload summarizes on a lower-cased UPN: UserId casing is not
// guaranteed to be consistent across OfficeActivity workloads, and a case
// mismatch would silently break the cross-workload join below.

// OneDrive/SharePoint suspicious activity. File and sharing operations are
// logged under RecordType SharePointFileOperation / SharePointSharingOperation,
// so filter on OfficeWorkload rather than on RecordType.
let CloudStorageActivity = OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where OfficeWorkload in ("SharePoint", "OneDrive")
    | where Operation in (
        "FileDownloaded", "FileSyncDownloadedFull",
        "AnonymousLinkCreated", "SharingInvitationCreated")
    | summarize CloudCount = count() by UserId = tolower(UserId)
    | where CloudCount >= 20;

// Exchange suspicious activity. MailItemsAccessed is an aggregated record
// (RecordType ExchangeItemAggregated), so again filter on the workload.
let MailActivity = OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where OfficeWorkload == "Exchange"
    | where Operation in (
        "MailItemsAccessed", "New-InboxRule",
        "New-MailboxExportRequest", "MessageViewed")
    | summarize MailCount = count() by UserId = tolower(UserId)
    | where MailCount >= 30;

// Teams suspicious activity. File sharing counts for any actor; link-bearing
// messages and member additions count only when the actor is a guest (#EXT#).
let TeamsActivity = OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where OfficeWorkload == "MicrosoftTeams"
    | where Operation in ("FileShared", "FileSent")
        or (Operation in ("MessageCreatedHasLink", "MemberAdded")
            and UserId has "#EXT#")
    | summarize TeamsCount = count() by UserId = tolower(UserId)
    | where TeamsCount >= 10;

// Correlate: keep users over threshold in at least two of the three workloads.
// Full outer joins (re-coalescing the key after each one) are required so that
// OneDrive+Teams and Exchange+Teams pairs are not dropped by an inner join.
CloudStorageActivity
| join kind=fullouter MailActivity on UserId
| project UserId = coalesce(UserId, UserId1), CloudCount, MailCount
| join kind=fullouter TeamsActivity on UserId
| project UserId = coalesce(UserId, UserId1), CloudCount, MailCount, TeamsCount
| extend
    CloudCount = coalesce(CloudCount, 0),
    MailCount  = coalesce(MailCount, 0),
    TeamsCount = coalesce(TeamsCount, 0)
| extend Workloads = array_concat(
    iff(CloudCount > 0, dynamic(["OneDrive"]), dynamic([])),
    iff(MailCount  > 0, dynamic(["Exchange"]), dynamic([])),
    iff(TeamsCount > 0, dynamic(["Teams"]),    dynamic([])))
| extend WorkloadCount = array_length(Workloads)
| where WorkloadCount >= 2
| extend TotalSignals = CloudCount + MailCount + TeamsCount
| project
    TimeGenerated     = now(),
    UserId,
    CloudCount,
    MailCount,
    TeamsCount,
    WorkloadsInvolved = array_strcat(Workloads, "+"),
    TotalSignals,
    AlertSeverity     = case(
        WorkloadCount == 3,  "Critical",
        TotalSignals >= 100, "High",
        "Medium")

Explanation

This query is designed to detect potentially suspicious activities by a user across multiple Microsoft 365 services (OneDrive, Exchange, and Teams) within a one-hour period. Here's a simplified breakdown:

  1. Purpose: The query aims to identify users who might be exfiltrating data by performing unusual activities across at least two different Microsoft 365 services within an hour.

  2. Activities Monitored:

    • OneDrive/SharePoint: Counts file downloads (including full sync-client downloads), anonymous link creation, and sharing invitations; a user needs at least 20 such events in the hour.
    • Exchange: Counts mail item access, new inbox rules, mailbox export requests, and message views; a user needs at least 30 such events in the hour.
    • Teams: Counts file shares and file sends for every user, but link-bearing messages and member additions only when the acting account is a guest (its UserId contains "#EXT#"); a user needs at least 10 such events in the hour.
  3. Correlation: The per-workload counts are joined on the user, and only users over threshold in at least two of the three workloads are kept, so a burst confined to a single workload never fires on its own.

  4. Output: For each user meeting the criteria, it provides:

    • The number of suspicious activities in each service.
    • The combination of services involved.
    • The total number of suspicious signals.
    • An alert severity level: "Critical" when all three workloads are involved, "High" when the total signal count is 100 or more, and "Medium" otherwise.

This query helps in identifying potential data exfiltration by highlighting users with multi-vector suspicious activities across Microsoft 365 services. The thresholds are starting points rather than tenant-independent constants: MailItemsAccessed is generated by ordinary Outlook and mobile mail sync, and FileSyncDownloadedFull spikes whenever a user sets up a new device, so baseline both per tenant and exclude known service and migration accounts before running the rule at Critical severity.
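As an added illustration that is not part of the original rule or its author's material, the following Python re-implements the rule's counting and correlation over constructed OfficeActivity-style records, so the thresholds, the guest-only Teams condition, the one-hour window and the two-of-three correlation can be checked offline before the KQL is deployed. The records, the user names, the WINDOW_END timestamp and the `require_onedrive_and_exchange` switch are assumptions made for the example; the switch reproduces an inner join of the OneDrive and Exchange sets so the reader can see which users a join of that shape drops.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OfficeActivity-style records (not real telemetry): only the
# columns the rule reads are modelled. Users and WINDOW_END are made up.
WINDOW_END = datetime(2026, 3, 18, 12, 0, 0)
LOOKBACK = timedelta(hours=1)

CLOUD_OPS = {"FileDownloaded", "FileSyncDownloadedFull",
             "AnonymousLinkCreated", "SharingInvitationCreated"}
MAIL_OPS = {"MailItemsAccessed", "New-InboxRule",
            "New-MailboxExportRequest", "MessageViewed"}
TEAMS_OPS = {"FileShared", "FileSent", "MessageCreatedHasLink", "MemberAdded"}
TEAMS_ANY_ACTOR_OPS = {"FileShared", "FileSent"}      # count for every actor
THRESHOLDS = {"OneDrive": 20, "Exchange": 30, "Teams": 10}
WORKLOADS = ("OneDrive", "Exchange", "Teams")


def events(user, workload, operation, n, minutes_before=5):
    """n identical records for one user, minutes_before the window end."""
    when = WINDOW_END - timedelta(minutes=minutes_before)
    return [{"TimeGenerated": when, "OfficeWorkload": workload,
             "Operation": operation, "UserId": user} for _ in range(n)]


GUEST = "eve_outlook.com#EXT#@contoso.onmicrosoft.com"
SAMPLE = (
    # alice: mass download plus heavy mailbox access; the UPN casing differs
    # between the two workloads, so the grouping key must be normalised
    events("alice@contoso.com", "OneDrive", "FileDownloaded", 25)
    + events("Alice@Contoso.com", "Exchange", "MailItemsAccessed", 40)
    # bob: anonymous links plus Teams file sharing, no Exchange activity
    + events("bob@contoso.com", "SharePoint", "AnonymousLinkCreated", 30)
    + events("bob@contoso.com", "MicrosoftTeams", "FileShared", 12)
    # carol: all three workloads
    + events("carol@contoso.com", "OneDrive", "FileSyncDownloadedFull", 60)
    + events("carol@contoso.com", "Exchange", "MailItemsAccessed", 50)
    + events("carol@contoso.com", "MicrosoftTeams", "FileSent", 15)
    # eve: link-bearing Teams messages count because the actor is a guest
    + events(GUEST, "MicrosoftTeams", "MessageCreatedHasLink", 12)
    + events(GUEST, "SharePoint", "SharingInvitationCreated", 25)
    # frank: the same messages from an internal account do not count, and
    # his mailbox export requests fall outside the one-hour window
    + events("frank@contoso.com", "MicrosoftTeams", "MessageCreatedHasLink", 12)
    + events("frank@contoso.com", "OneDrive", "FileDownloaded", 25)
    + events("frank@contoso.com", "Exchange", "New-MailboxExportRequest", 40,
             minutes_before=90)
    # grace: two workloads whose combined count reaches the High tier
    + events("grace@contoso.com", "OneDrive", "FileDownloaded", 70)
    + events("grace@contoso.com", "Exchange", "MailItemsAccessed", 45)
)


def bucket(e):
    """Workload bucket an event counts toward under the rule, or None."""
    wl, op, uid = e["OfficeWorkload"], e["Operation"], e["UserId"]
    if wl in ("SharePoint", "OneDrive") and op in CLOUD_OPS:
        return "OneDrive"
    if wl == "Exchange" and op in MAIL_OPS:
        return "Exchange"
    if wl == "MicrosoftTeams" and op in TEAMS_OPS:
        if op in TEAMS_ANY_ACTOR_OPS or "#EXT#" in uid:
            return "Teams"
    return None


def count_signals(records, window_end=WINDOW_END):
    """Per-user, per-workload counts: the three summarize ... by UserId steps."""
    counts = defaultdict(lambda: dict.fromkeys(WORKLOADS, 0))
    for e in records:
        if e["TimeGenerated"] <= window_end - LOOKBACK:
            continue                      # outside ago(LookbackPeriod)
        b = bucket(e)
        if b is not None:
            counts[e["UserId"].lower()][b] += 1
    return counts


def correlate(counts, require_onedrive_and_exchange=False):
    """Users over threshold in at least two workloads. The flag reproduces an
    inner join on OneDrive and Exchange, which drops OneDrive+Teams pairs."""
    alerts = {}
    for user, c in counts.items():
        hits = [w for w in WORKLOADS if c[w] >= THRESHOLDS[w]]
        if len(hits) < 2:
            continue
        if require_onedrive_and_exchange and not {"OneDrive", "Exchange"} <= set(hits):
            continue
        total = sum(c[w] for w in hits)   # sub-threshold workloads add 0
        severity = ("Critical" if len(hits) == 3
                    else "High" if total >= 100 else "Medium")
        alerts[user] = {"Workloads": "+".join(hits), "TotalSignals": total,
                        "Severity": severity}
    return alerts


def run_rule(records=SAMPLE, **kwargs):
    return correlate(count_signals(records), **kwargs)
```

run_rule() returns the alerting users keyed by normalised UPN; compare it with run_rule(require_onedrive_and_exchange=True) to see that bob and the guest account, who exceed the thresholds in OneDrive and Teams but never touch Exchange, only surface when the correlation genuinely accepts any two workloads. frank is absent from both results: his link-bearing Teams messages come from an internal account and his mailbox export requests are older than the lookback window, leaving him over threshold in OneDrive alone.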

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

M365, OfficeActivity, SharePoint, OneDrive, ExchangeItem, ExchangeAdmin, MicrosoftTeams, UserId

Operators

let, |, where, in, summarize, by, join, kind, on, extend, case, isnotempty, coalesce, project, now, ==, >, >=, or, and
