Query Details

RULE 27 M365 Suspicious File Extension Upload

Query

// Rule     : M365 - Suspicious File Extension Uploaded to SharePoint / OneDrive / Teams
// Severity : High
// Tactics  : InitialAccess, Execution, LateralMovement
// MITRE    : T1105 (Ingress Tool Transfer), T1566.002 (Phishing: Spear Phishing Link),
//            T1204.002 (User Execution: Malicious File)
// Freq     : PT1H  /  Period: P1D
// Purpose  : Detect uploads of executables, scripts, and other high-risk file types to
//            SharePoint, OneDrive, or Teams. Adversaries stage tools via cloud storage to
//            bypass perimeter email gateways. Rule fires on any single suspicious upload;
//            severity is scaled by extension risk tier.
//==========================================================================================

let LookbackDays = 1d;

// Tier-1 (High): binary executables and loaders
let Tier1 = dynamic([
    ".exe", ".dll", ".scr", ".pif", ".com", ".cpl",
    ".ocx", ".sys", ".drv"]);

// Tier-2 (High): scripting and macro languages
let Tier2 = dynamic([
    ".ps1", ".psm1", ".psd1",
    ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".hta", ".sh", ".bash"]);

// Tier-3 (Medium): package installers and archives with code
let Tier3 = dynamic([
    ".msi", ".msp", ".mst",
    ".jar", ".war", ".ear",
    ".py", ".rb", ".pl", ".php"]);

OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType in (
    "SharePoint", "SharePointFileOperation",
    "OneDrive", "OneDriveFileOperation",
    "MicrosoftTeams")
| where Operation in (
    "FileUploaded",
    "FileSyncUploadedFull",
    "FileCheckedIn",
    "FileModifiedExtended",
    "FileAdded")
| extend FileName      = tostring(SourceFileName)
| extend FileExtension = tolower(extract(@"(\.[^.\\/:*?""<>|]+)$", 1, FileName))
| where FileExtension in (array_concat(Tier1, Tier2, Tier3))
| extend
    RiskTier    = case(
        FileExtension in (Tier1), "Tier1-Binary",
        FileExtension in (Tier2), "Tier2-Script",
        "Tier3-Installer"),
    AlertSeverity = case(
        FileExtension in (Tier1), "High",
        FileExtension in (Tier2), "High",
        "Medium"),
    Workload    = case(
        RecordType in ("SharePoint","SharePointFileOperation"), "SharePoint",
        RecordType in ("OneDrive","OneDriveFileOperation"),     "OneDrive",
        RecordType == "MicrosoftTeams",                        "Teams",
        "Other"),
    IsGuest     = UserId has "#EXT#"
| project
    TimeGenerated,
    UserId,
    IsGuest,
    Workload,
    Operation,
    FileName,
    FileExtension,
    RiskTier,
    AlertSeverity,
    SiteUrl,
    ClientIP,
    UserAgent
| sort by AlertSeverity asc, TimeGenerated desc

Explanation

This query is designed to detect potentially dangerous file uploads to Microsoft 365 services like SharePoint, OneDrive, and Teams. Here's a simple breakdown of what it does:

  1. Purpose: The query aims to identify uploads of executable files, scripts, and other risky file types to cloud storage services. This is important because attackers might use these services to bypass security measures like email gateways.

  2. Time Frame: It looks at activities from the past day.

  3. File Categories:

    • Tier-1 (High Risk): Includes binary executables like .exe and .dll.
    • Tier-2 (High Risk): Includes scripting files like .ps1 and .bat.
    • Tier-3 (Medium Risk): Includes installers and code archives like .msi and .jar.

  4. Data Source: It examines records from SharePoint, OneDrive, and Teams activities.

  5. Operations Monitored: It checks for file uploads, syncs, check-ins, modifications, and additions.

  6. File Extension Check: It extracts the final file extension from the uploaded file name (lower-cased, so .EXE and .exe are treated the same) and checks whether it belongs to any of the risky categories (Tier-1, Tier-2, Tier-3). A file name with no extension never matches.

  7. Risk Assessment:

    • Assigns a risk tier and alert severity based on the file extension.
    • High severity for Tier-1 and Tier-2 files, and medium for Tier-3.

  8. Additional Information:

    • Identifies if the user is a guest (external user) by checking the UserId for the "#EXT#" marker.
    • Determines which service (SharePoint, OneDrive, Teams) the file was uploaded to.

  9. Output: The query projects relevant details like the time of the event, user ID, whether the user is a guest, the service used, the operation performed, file details, risk tier, alert severity, site URL, client IP, and user agent.

  10. Sorting: The results are sorted by alert severity (ascending) and time (descending). Because "High" sorts alphabetically before "Medium", ascending order places the high-severity alerts first, with the most recent at the top of each group.

In summary, this query helps security teams monitor and respond to suspicious file uploads that could indicate malicious activity or security breaches.
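The extraction, tiering, guest check, and sorting steps described above, reimplemented in Python as an added example (not part of the original query or its author's work) so the logic can be exercised offline. The OfficeActivity-style records, user names and file names are constructed for the example, and the substring test `"#EXT#" in UserId` approximates KQL's term-based `has`.

```python
import re

# Regex mirroring the rule's extract(): the last dot plus the characters after it,
# excluding path separators and Windows-reserved file name characters, anchored at end.
EXTENSION_RE = re.compile(r'(\.[^.\\/:*?"<>|]+)$')

# Extension tiers copied from the rule.
TIER1 = {".exe", ".dll", ".scr", ".pif", ".com", ".cpl", ".ocx", ".sys", ".drv"}
TIER2 = {".ps1", ".psm1", ".psd1", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
         ".wsf", ".wsh", ".hta", ".sh", ".bash"}
TIER3 = {".msi", ".msp", ".mst", ".jar", ".war", ".ear", ".py", ".rb", ".pl", ".php"}

# Operation and RecordType filters copied from the rule.
UPLOAD_OPERATIONS = {"FileUploaded", "FileSyncUploadedFull", "FileCheckedIn",
                     "FileModifiedExtended", "FileAdded"}
WORKLOAD_BY_RECORDTYPE = {
    "SharePoint": "SharePoint", "SharePointFileOperation": "SharePoint",
    "OneDrive": "OneDrive", "OneDriveFileOperation": "OneDrive",
    "MicrosoftTeams": "Teams",
}


def file_extension(file_name):
    """Return the lower-cased final extension, or '' when there is none (step 6)."""
    match = EXTENSION_RE.search(file_name)
    return match.group(1).lower() if match else ""


def classify(extension):
    """Map an extension to (RiskTier, AlertSeverity); None when it is in no tier (step 7)."""
    if extension in TIER1:
        return "Tier1-Binary", "High"
    if extension in TIER2:
        return "Tier2-Script", "High"
    if extension in TIER3:
        return "Tier3-Installer", "Medium"
    return None


def evaluate(event):
    """Apply the rule's filters to one record; return the alert row or None."""
    workload = WORKLOAD_BY_RECORDTYPE.get(event["RecordType"])
    if workload is None or event["Operation"] not in UPLOAD_OPERATIONS:
        return None
    extension = file_extension(event["SourceFileName"])
    tier = classify(extension)
    if tier is None:
        return None
    risk_tier, severity = tier
    return {
        "TimeGenerated": event["TimeGenerated"],
        "UserId": event["UserId"],
        "IsGuest": "#EXT#" in event["UserId"],   # approximates `UserId has "#EXT#"` (step 8)
        "Workload": workload,
        "Operation": event["Operation"],
        "FileName": event["SourceFileName"],
        "FileExtension": extension,
        "RiskTier": risk_tier,
        "AlertSeverity": severity,
    }


def run_rule(events):
    """Run the rule over a batch and order rows like the query's sort clause (step 10)."""
    alerts = [row for row in (evaluate(e) for e in events) if row is not None]
    alerts.sort(key=lambda r: r["TimeGenerated"], reverse=True)  # time desc (ISO-8601 strings)
    alerts.sort(key=lambda r: r["AlertSeverity"])                # severity asc; stable sort keeps time order
    return alerts


# Constructed sample records in the shape of the OfficeActivity columns the rule reads.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-18T09:00:00Z", "RecordType": "SharePointFileOperation",
     "Operation": "FileUploaded", "UserId": "alice@contoso.com",
     "SourceFileName": "Invoice.PDF.EXE"},                      # double extension, mixed case -> .exe
    {"TimeGenerated": "2026-03-18T09:05:00Z", "RecordType": "OneDrive",
     "Operation": "FileSyncUploadedFull",
     "UserId": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "SourceFileName": "deploy.ps1"},                           # guest user uploading a script
    {"TimeGenerated": "2026-03-18T09:10:00Z", "RecordType": "MicrosoftTeams",
     "Operation": "FileUploaded", "UserId": "carol@contoso.com",
     "SourceFileName": "setup.msi"},                            # installer -> Medium
    {"TimeGenerated": "2026-03-18T09:15:00Z", "RecordType": "SharePoint",
     "Operation": "FileUploaded", "UserId": "dave@contoso.com",
     "SourceFileName": "README"},                               # no extension -> ignored
    {"TimeGenerated": "2026-03-18T09:20:00Z", "RecordType": "SharePoint",
     "Operation": "FileDeleted", "UserId": "erin@contoso.com",
     "SourceFileName": "tool.exe"},                             # not an upload operation -> ignored
    {"TimeGenerated": "2026-03-18T09:25:00Z", "RecordType": "ExchangeItem",
     "Operation": "FileUploaded", "UserId": "frank@contoso.com",
     "SourceFileName": "macro.js"},                             # not a covered workload -> ignored
    {"TimeGenerated": "2026-03-18T09:30:00Z", "RecordType": "OneDriveFileOperation",
     "Operation": "FileAdded", "UserId": "grace@contoso.com",
     "SourceFileName": "report.tar.gz"},                        # .gz is in no tier -> ignored
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["AlertSeverity"], row["RiskTier"], row["Workload"], row["UserId"], row["FileName"])
```

Running it yields three rows in the order the query would return them: the guest's deploy.ps1 and Invoice.PDF.EXE (both High, newest first), then setup.msi (Medium). The double-extension case shows that only the final extension decides the tier, and the README, FileDeleted, ExchangeItem and .tar.gz records show the four filters that drop an event before it is scored.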

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, SharePoint, OneDrive, MicrosoftTeams, FileName, FileExtension, UserId, SiteUrl, ClientIP, UserAgent

Operators

let, dynamic, ago, in, tostring, tolower, extract, array_concat, case, has, project, sort by
