Elastic Security Detection Rules

M365 OneDrive Excessive File Downloads with OAuth Token

Last updated 23 days ago on 2025-07-10
Created 5 months ago on 2025-02-19

About

Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.
Tags
Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: SharePointData Source: OneDriveUse Case: Threat DetectionTactic: CollectionTactic: ExfiltrationLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Collection (TA0009)(opens in a new tab or window)

Data from Cloud Storage (T1530)(opens in a new tab or window)

Exfiltration (TA0010)(opens in a new tab or window)

False Positive Examples
Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are authorized and the user is known before taking action.
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

o365(opens in a new tab or window)

Query
FROM logs-o365.audit-*
| WHERE @timestamp > now() - 14 day
| WHERE
    event.dataset == "o365.audit" and

    // filter on files downloaded from OneDrive
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and

    // filter on OAuth authentication which encompasses device code workflow
    o365.audit.AuthenticationType == "OAuth"
    and event.outcome == "success"
// bucket authentication attempts by 1 minute
| EVAL target_time_window = DATE_TRUNC(1 minutes, @timestamp)
| KEEP target_time_window, o365.audit.UserId, file.name, source.ip

// aggregate on unique file names and download attempts
| STATS unique_file_count = count_distinct(file.name), download_attempt_count = count(*) BY target_time_window, o365.audit.UserId, source.ip

// adjustable range for "excessive" unique files that were downloaded
| WHERE unique_file_count >= 25

Install detection rules in Elastic Security

Detect M365 OneDrive Excessive File Downloads with OAuth Token in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).