Query Details

RULE 29 M365 Malware File Detected

Query

// Rule     : M365 - Malware File Detected by SharePoint / OneDrive / Teams ATP
// Severity : High
// Tactics  : InitialAccess, Execution
// MITRE    : T1566 (Phishing), T1105 (Ingress Tool Transfer),
//            T1204.002 (User Execution: Malicious File)
// Freq     : PT15M  /  Period: PT1H
// Purpose  : Fire whenever Microsoft 365 Advanced Threat Protection (ATP/Safe Attachments)
//            reports a malware file in SharePoint, OneDrive, or Teams. Each event is
//            individually serious — no volume threshold is applied. Severity escalates
//            when the uploader is a guest or when the same malware hash is seen across
//            multiple users/sites.
//==========================================================================================

let LookbackWindow = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackWindow)
| where Operation in (
    "FileMalwareDetected",
    "MalwareDetected",
    "VirusDetected")
| extend EventDataJson = parse_json(EventData)
| extend
    Workload      = case(
        RecordType in ("SharePoint","SharePointFileOperation"), "SharePoint",
        RecordType in ("OneDrive","OneDriveFileOperation"),     "OneDrive",
        RecordType == "MicrosoftTeams",                        "Teams",
        "Other"),
    IsGuest       = UserId has "#EXT#",
    // EventData carries the malware name in some tenants; a missing field yields ""
    MalwareName   = tostring(EventDataJson.MalwareName),
    MalwareFamily = tostring(EventDataJson.MalwareFamily),
    FileHash      = tostring(EventDataJson.FileHash)
// Aggregate within the window to detect the same malware seen by multiple users.
// Note: grouping also splits by Workload, and events whose EventData lacks the
// malware fields all land in one group keyed by empty strings.
| summarize
    EventCount    = count(),
    AffectedUsers = make_set(UserId, 20),
    UserCount     = dcount(UserId),
    AffectedSites = make_set(SiteUrl, 10),
    SiteCount     = dcount(SiteUrl),
    GuestCount    = countif(IsGuest),
    FileNames     = make_set(SourceFileName, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by MalwareName, MalwareFamily, FileHash, Workload
| extend AlertSeverity = case(
    UserCount >= 5 or GuestCount >= 1,  "High",
    UserCount >= 2 or SiteCount >= 2,   "High",
    "High")    // every malware detection is at least High
| project
    MalwareName,
    MalwareFamily,
    FileHash,
    Workload,
    FirstSeen,
    LastSeen,
    EventCount,
    UserCount,
    GuestCount,
    SiteCount,
    AlertSeverity,
    FileNames,
    AffectedUsers,
    AffectedSites
| sort by UserCount desc, SiteCount desc

Explanation

This query is designed to monitor and alert on malware detections in Microsoft 365 services like SharePoint, OneDrive, and Teams. Here's a simple breakdown:

  1. Purpose: The query identifies when Microsoft 365 Advanced Threat Protection (ATP) detects a malware file in SharePoint, OneDrive, or Teams. It treats each detection as a serious event without needing multiple occurrences to trigger an alert.

  2. Time Frame: It looks back over the past hour to find relevant events.

  3. Detection Criteria: It checks for operations labeled "FileMalwareDetected", "MalwareDetected", or "VirusDetected".

  4. Data Extraction:
    • Determines which service (SharePoint, OneDrive, or Teams) the malware was detected in.
    • Identifies whether the uploader is a guest user.
    • Extracts the malware name, family, and file hash from the event data.

  5. Aggregation:
    • Counts the number of events and the number of unique users and sites affected.
    • Collects lists of affected users, sites, and file names.
    • Records the first and last time the malware was seen.

  6. Severity Assessment:
    • Sets the alert severity to "High" if the malware is seen by multiple users or sites, or if a guest user is involved.
    • Every detection is considered at least "High" severity.

  7. Output:
    • Displays the malware name, family, file hash, affected service, time range of detection, number of events, users, and sites affected, and the alert severity.
    • Sorts the results by the number of users and sites affected, prioritizing those with more widespread impact.

In essence, this query helps security teams quickly identify and respond to malware threats in Microsoft 365 environments, especially when multiple users or sites are affected or when guest users are involved.
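To make the filter, enrichment, grouping, and sort steps above inspectable offline, here is an added Python re-implementation of the rule's pipeline; it is not part of the original page or the author's query. The record layout follows the KQL column names (TimeGenerated, Operation, RecordType, UserId, SiteUrl, SourceFileName, EventData as a JSON string); the sample events, users, sites, hashes, and malware names are constructed for the example. It also covers two edge cases the rule implies: detections whose EventData carries none of the malware fields, and the same hash appearing in more than one workload.

```python
# Added example (not the rule page's own code): Python version of the M365 malware
# detection rule, run over constructed OfficeActivity-style records.
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)  # constructed "now"
LOOKBACK = timedelta(hours=1)                           # the rule's ago(1h)

WATCHED_OPERATIONS = {"FileMalwareDetected", "MalwareDetected", "VirusDetected"}
WORKLOAD_BY_RECORD_TYPE = {
    "SharePoint": "SharePoint", "SharePointFileOperation": "SharePoint",
    "OneDrive": "OneDrive", "OneDriveFileOperation": "OneDrive",
    "MicrosoftTeams": "Teams",
}


def _event(minutes_ago, operation, record_type, user, site, file_name, **event_data):
    # One constructed OfficeActivity-shaped record; EventData is a JSON string.
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "Operation": operation,
            "RecordType": record_type, "UserId": user, "SiteUrl": site,
            "SourceFileName": file_name,
            "EventData": json.dumps(event_data) if event_data else ""}


SAMPLE_EVENTS = [  # all values constructed
    # Same hash from three users across SharePoint and OneDrive; carol is a guest.
    _event(50, "FileMalwareDetected", "SharePointFileOperation", "alice@contoso.example",
           "https://contoso.example/sites/finance", "invoice.docm",
           MalwareName="Trojan:O97M/Sample.A", MalwareFamily="Sample", FileHash="aaaa"),
    _event(40, "FileMalwareDetected", "OneDriveFileOperation", "bob@contoso.example",
           "https://contoso-my.example/personal/bob", "invoice.docm",
           MalwareName="Trojan:O97M/Sample.A", MalwareFamily="Sample", FileHash="aaaa"),
    _event(30, "FileMalwareDetected", "SharePointFileOperation",
           "carol_partner.example#EXT#@contoso.example", "https://contoso.example/sites/hr",
           "invoice (1).docm", MalwareName="Trojan:O97M/Sample.A", MalwareFamily="Sample",
           FileHash="aaaa"),
    # A different file in Teams, one user.
    _event(20, "MalwareDetected", "MicrosoftTeams", "dave@contoso.example",
           "https://contoso.example/sites/teamchat", "setup.exe",
           MalwareName="Backdoor:Win32/Sample.B", MalwareFamily="Sample", FileHash="bbbb"),
    # Outside the lookback window and a non-malware operation: both must be dropped.
    _event(90, "FileMalwareDetected", "SharePointFileOperation", "old@contoso.example",
           "https://contoso.example/sites/finance", "old.docm", FileHash="cccc"),
    _event(10, "FileUploaded", "SharePointFileOperation", "alice@contoso.example",
           "https://contoso.example/sites/finance", "notes.txt"),
    # Detections whose EventData carries no malware fields (the "some tenants" case).
    _event(8, "VirusDetected", "SharePointFileOperation", "erin@contoso.example",
           "https://contoso.example/sites/hr", "macro.xlsm"),
    _event(5, "VirusDetected", "SharePointFileOperation", "frank@contoso.example",
           "https://contoso.example/sites/hr", "report.pdf"),
]


def is_guest(user_id):
    # Mirrors `UserId has "#EXT#"`: B2B guest UPNs carry this marker.
    return "#EXT#" in user_id


def parse_event_data(raw):
    # Mirrors tostring(parse_json(EventData).X): a missing field becomes "".
    try:
        data = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    return tuple(str(data.get(k, "")) for k in ("MalwareName", "MalwareFamily", "FileHash"))


def aggregate_malware_detections(events, now=NOW, lookback=LOOKBACK):
    # where -> extend -> summarize by (MalwareName, MalwareFamily, FileHash, Workload) -> sort
    cutoff = now - lookback
    groups = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= cutoff or e["Operation"] not in WATCHED_OPERATIONS:
            continue
        name, family, file_hash = parse_event_data(e["EventData"])
        workload = WORKLOAD_BY_RECORD_TYPE.get(e["RecordType"], "Other")
        groups[(name, family, file_hash, workload)].append(e)
    rows = []
    for (name, family, file_hash, workload), evs in groups.items():
        users = sorted({e["UserId"] for e in evs})
        sites = sorted({e["SiteUrl"] for e in evs})
        rows.append({
            "MalwareName": name, "MalwareFamily": family, "FileHash": file_hash,
            "Workload": workload,
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
            "EventCount": len(evs), "UserCount": len(users), "SiteCount": len(sites),
            "GuestCount": sum(is_guest(e["UserId"]) for e in evs),
            "AlertSeverity": "High",  # the rule's case() returns High on every branch
            "FileNames": sorted({e["SourceFileName"] for e in evs}),
            "AffectedUsers": users, "AffectedSites": sites,
        })
    rows.sort(key=lambda r: (-r["UserCount"], -r["SiteCount"]))  # stable, like the KQL order
    return rows
```

Running `aggregate_malware_detections(SAMPLE_EVENTS)` yields four rows. The first is the SharePoint group for hash "aaaa" (two users, one of them a guest, two sites); bob's OneDrive copy of the same hash is a separate row because Workload is part of the group key, so cross-workload spread of one file is not counted together. The second row is the group with empty MalwareName, MalwareFamily, and FileHash, where erin's and frank's unrelated detections are merged purely because their EventData lacked the fields; in a tenant where EventData does not populate them, that row will swallow every detection, which is worth checking before relying on UserCount for triage.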

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, Devices, User, Malware, File, SharePoint, OneDrive, Teams, EventData, RecordType, UserId, SiteUrl, SourceFileName, TimeGenerated, AlertSeverity

Operators

let, ago, in, case, has, tostring, parse_json, summarize, count, make_set, dcount, countif, min, max, by, extend, project, sort by
