EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

O365 Exfiltration via File Access

The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.

MITRE ATT&CK

T1567T1530

Detection Query

`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
| where NOT match(SiteUrl,user_flat)
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
| eventstats avg(count) as avg stdev(count) as stdev by Workload
| rename SiteUrl as file_path,Workload as app
| where count > 50 AND count > (avg + (3*(stdev)))
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_exfiltration_via_file_access_filter`

Author

Steven Dick

Created

2026-03-10

Data Sources

Office 365 Universal Audit Log

References

Tags

Data ExfiltrationOffice 365 Account Takeover
Raw Content
name: O365 Exfiltration via File Access
id: 80b44ae2-60ff-43f1-8e56-34beb49a340a
version: 4
date: '2026-03-10'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
data_source:
    - Office 365 Universal Audit Log
search: |-
    `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
    | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
    | where NOT match(SiteUrl,user_flat)
    | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
    | eventstats avg(count) as avg stdev(count) as stdev by Workload
    | rename SiteUrl as file_path,Workload as app
    | where count > 50 AND count > (avg + (3*(stdev)))
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `o365_exfiltration_via_file_access_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
references:
    - https://attack.mitre.org/techniques/T1567/exfil
    - https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
    - https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: Investigate file access by $user$
      search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Data Exfiltration
        - Office 365 Account Takeover
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1567
        - T1530
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
          source: o365
          sourcetype: o365:management:activity