
[New Rule] M365 SharePoint/OneDrive Sensitive Search and File Access #5776

@terrancedejesus

Description


Summary

This PR introduces two new detection rules targeting adversary activity in Microsoft 365 SharePoint and OneDrive environments. These rules are based on observed TTPs from threat actors like ShinyHunters and APT29/Nobelium who leverage compromised OAuth tokens (often via device code phishing) to search for and exfiltrate sensitive data from SaaS environments.

Background

Recent threat intelligence highlights a growing trend of SaaS-focused attacks:

  • ShinyHunters has been observed targeting enterprise SharePoint/OneDrive environments after compromising credentials, searching for sensitive terms like "password", "credentials", "financial", etc., before bulk downloading files.
  • APT29/Nobelium and other Russian threat actors have been using device code phishing to obtain OAuth tokens, then leveraging PowerShell and Microsoft Graph API to access cloud resources.

These attacks bypass traditional endpoint detection since file access occurs entirely in the cloud via API calls.

New Rules

  1. M365 SharePoint Search for Sensitive Content
    File: rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml

Detects search queries in SharePoint containing sensitive terms across multiple categories:

  • Credentials/Secrets: password, credential, api key, token, certificate, aws, azure, gcp
  • Financial: salary, payroll, budget, revenue, invoice, wire transfer, credit card
  • Legal/Compliance: confidential, privileged, attorney, nda, merger, acquisition, litigation
  • HR/PII: ssn, social security, employee, performance review, medical, hipaa, passport
  • Infrastructure: admin, vpn, firewall, network diagram, database, backup, vulnerability

Detection Logic: EQL rule using o365.audit.SearchQueryText field with case-insensitive wildcard matching (like~).

  2. M365 SharePoint/OneDrive File Access via PowerShell
    File: rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml

Detects file downloads or access from SharePoint/OneDrive using PowerShell-based user agents:

  • WindowsPowerShell / PowerShell (native cmdlets)
  • PnPPS / PnPCoreSDK / SharePointPnP (PnP PowerShell module)

Detection Logic: KQL rule matching FileDownloaded or FileAccessed events with PowerShell user agent patterns. Normal users access SharePoint via browsers or sync clients, making PowerShell-based access inherently suspicious.

Data Source

  • Integration: Microsoft 365 (o365.audit)
  • Index: logs-o365.audit-*
  • Key Fields: o365.audit.SearchQueryText, user_agent.original, event.action

Validation

Rules were validated through adversary emulation using:

  1. Device code phishing flow with public Microsoft client IDs
  2. Native PowerShell (Invoke-RestMethod) with Microsoft Graph API
  3. PnP PowerShell module for SharePoint access

References
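The two detection ideas above, reimplemented as an added Python analogue (not the PR's TOML rules or Elastic's code) and run over constructed o365.audit events; the flat-dict event shape and the `SearchQueryPerformed` action name are assumptions, while the field names and term lists come from the description. The `whole_word` switch goes beyond the PR's `like~` substring match to show why short terms such as `nda` or `aws` are noisy.

```python
import re

# Sensitive-term categories as listed in the PR description.
SENSITIVE_TERMS = {
    "credentials": ["password", "credential", "api key", "token", "certificate", "aws", "azure", "gcp"],
    "financial": ["salary", "payroll", "budget", "revenue", "invoice", "wire transfer", "credit card"],
    "legal": ["confidential", "privileged", "attorney", "nda", "merger", "acquisition", "litigation"],
    "hr_pii": ["ssn", "social security", "employee", "performance review", "medical", "hipaa", "passport"],
    "infrastructure": ["admin", "vpn", "firewall", "network diagram", "database", "backup", "vulnerability"],
}
POWERSHELL_UA_MARKERS = ("WindowsPowerShell", "PowerShell", "PnPPS", "PnPCoreSDK", "SharePointPnP")
FILE_ACTIONS = {"FileDownloaded", "FileAccessed"}


def sensitive_search_categories(event, whole_word=False):
    """Rule 1 analogue. whole_word=False mirrors EQL `like~ "*term*"` (case-insensitive
    substring); whole_word=True is a stricter variant that avoids hits such as
    'nda' inside 'calendar' or 'aws' inside 'laws'."""
    query = (event.get("o365.audit.SearchQueryText") or "").lower()
    if not query:
        return []
    def hit(term):
        return re.search(r"\b" + re.escape(term) + r"\b", query) if whole_word else term in query
    return sorted(cat for cat, terms in SENSITIVE_TERMS.items() if any(hit(t) for t in terms))


def is_powershell_file_access(event):
    """Rule 2 analogue: FileDownloaded/FileAccessed with a PowerShell-family user agent."""
    ua = (event.get("user_agent.original") or "").lower()
    return event.get("event.action") in FILE_ACTIONS and any(m.lower() in ua for m in POWERSHELL_UA_MARKERS)


def triage(events, whole_word=False):
    """Return (user, rule, detail) tuples for every event that fires either rule."""
    alerts = []
    for ev in events:
        cats = sensitive_search_categories(ev, whole_word)
        if cats:
            alerts.append((ev["user.name"], "sensitive_search", ",".join(cats)))
        if is_powershell_file_access(ev):
            alerts.append((ev["user.name"], "powershell_file_access", ev["user_agent.original"]))
    return alerts


# Constructed sample events (not real audit data); "SearchQueryPerformed" is an assumed action name.
SAMPLE_EVENTS = [
    {"user.name": "alice", "event.action": "SearchQueryPerformed",
     "o365.audit.SearchQueryText": "Password reset AWS", "user_agent.original": "Mozilla/5.0"},
    {"user.name": "bob", "event.action": "FileDownloaded", "user_agent.original": "PnPPS/3.1 (Windows; PnPCoreSDK)"},
    {"user.name": "carol", "event.action": "SearchQueryPerformed",
     "o365.audit.SearchQueryText": "team calendar", "user_agent.original": "Mozilla/5.0"},
    {"user.name": "dave", "event.action": "FileAccessed", "user_agent.original": "OneDriveSync/23.0"},
]
```

Running `triage(SAMPLE_EVENTS)` with the default substring mode flags carol's benign "team calendar" search under the legal category; the whole-word mode drops that false positive while keeping alice's and bob's hits.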
