
Malware Detected on SharePoint [RULE-1521]

This rule detects when Microsoft Defender identifies malware in a file that has been uploaded to SharePoint Online. SharePoint has built-in anti-virus controls that automatically scan uploaded files. When malware is detected, the file is quarantined and cannot be downloaded or opened by other users. While the quarantined file itself no longer poses a direct risk, this detection signals that a user's device may be infected with malware that needs to be investigated and remediated.

Rationale

SharePoint Online is a central collaboration platform where employees store and share documents across the organization. When an infected file is uploaded to SharePoint, it indicates that malware is present on the uploading user's device (or in a folder that device synchronizes). The built-in Microsoft 365 anti-malware scanning, extended by Microsoft Defender for Office 365 where it is licensed, catches the malware at upload time and quarantines the file, preventing it from spreading further through SharePoint. However, the underlying problem -- a compromised endpoint -- remains.

This detection maps to MITRE ATT&CK T1080 (Taint Shared Content), where adversaries deliver malicious content through shared storage resources. Attackers may intentionally upload malware to shared locations to distribute it to other users, or the upload may be the result of an already-infected endpoint where malware is spreading to all accessible storage locations.

If the malware on the user's device is not addressed, it can continue to exfiltrate data, spread to network shares, or serve as a foothold for further attacks. Additionally, other copies of the same file may exist on the user's local machine, other cloud storage services, or USB drives. A thorough investigation of the source device is essential to ensure the infection is fully contained and remediated.

Follow-up

Follow these steps to adequately address this detection:

  1. Identify the source: Review which user uploaded the infected file, from which device and client IP address, and to which SharePoint site and folder. Determine whether this was an intentional upload or the result of automated synchronization (e.g., the OneDrive sync client); a sync upload points to an infected local folder rather than a deliberate action by the user.
  2. Determine whether the upload was deliberate: Check with the user and their team whether the file was uploaded on purpose as part of a security test or a known process.

    • If no: The file appears to be malicious and the upload was not a deliberate test:

      1. Scan the source device: Run a full anti-virus scan on the device of the user who uploaded the file. Use Microsoft Defender for Endpoint or your organization's endpoint protection solution.
      2. Quarantine the device if necessary: If the scan reveals active malware or if the device shows signs of compromise, isolate it from the network to prevent lateral movement.
      3. Check for additional copies: Search for the same file name or hash across other SharePoint sites, OneDrive locations, and network shares the user can access. The SharePoint audit record carries the file name and path but not a content hash, so a hash-based search needs the endpoint protection or Defender console.
      4. Review the user's recent activity: Check whether the user has uploaded other suspicious files or whether the account shows signs of compromise (sign-ins from unusual locations, newly created mail forwarding rules, etc.).
      5. Consider engaging Attic's IR team for a comprehensive endpoint investigation if the malware appears to be advanced or if multiple devices are affected. An IR Credit Pack is required for this service.
    • If yes: The file was uploaded deliberately as part of a security test or known process:

      1. Verify with the responsible team that the test was authorized and documented.
      2. If acceptable: close the incident and ensure the test file is removed from SharePoint.
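The triage steps above (identify the source, look for other copies, review the account's recent activity) can be run over an export of the Microsoft 365 unified audit log. The script below is an added example written for this article, not part of the rule or of any Attic tooling. It reads one AuditData JSON object per line; the field names (Operation, UserId, ClientIP, SiteUrl, SourceFileName, SourceRelativeUrl, UserAgent, Parameters) follow the unified audit log schema, but the sample records, the "known egress" IP prefixes and the sync-client user-agent markers are constructed assumptions for the example.

```python
"""Triage helper for a "Malware Detected on SharePoint" alert (example only)."""
import json

# Constructed sample audit records (AuditData JSON, one per line). Values are made up.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2024-05-02T08:01:10","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.7"}',
    '{"CreationTime":"2024-05-02T08:03:55","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"}]}',
    '{"CreationTime":"2024-05-02T08:15:02","Operation":"FileSyncUploadedFull","UserId":"alice@contoso.example","ClientIP":"198.51.100.23",'
    '"SiteUrl":"https://contoso.example/personal/alice","SourceFileName":"invoice_q2.xlsm","SourceRelativeUrl":"Documents","UserAgent":"Microsoft SkyDriveSync 24.000.0000"}',
    '{"CreationTime":"2024-05-02T08:15:04","Operation":"FileMalwareDetected","UserId":"alice@contoso.example","ClientIP":"198.51.100.23",'
    '"SiteUrl":"https://contoso.example/sites/Finance","SourceFileName":"invoice_q2.xlsm","SourceRelativeUrl":"Shared Documents/2024","UserAgent":"Microsoft SkyDriveSync 24.000.0000"}',
    '{"CreationTime":"2024-05-02T09:20:30","Operation":"FileUploaded","UserId":"bob@contoso.example","ClientIP":"198.51.100.40",'
    '"SiteUrl":"https://contoso.example/sites/Sales","SourceFileName":"invoice_q2.xlsm","SourceRelativeUrl":"Shared Documents","UserAgent":"Mozilla/5.0"}',
    '{"CreationTime":"2024-05-02T09:30:00","Operation":"FileUploaded","UserId":"carol@contoso.example","ClientIP":"198.51.100.41",'
    '"SiteUrl":"https://contoso.example/sites/HR","SourceFileName":"handbook.pdf","SourceRelativeUrl":"Shared Documents","UserAgent":"Mozilla/5.0"}',
]

KNOWN_EGRESS_PREFIXES = ("198.51.100.",)            # assumed corporate egress ranges
SYNC_CLIENT_MARKERS = ("SkyDriveSync", "OneDriveSync")  # assumed OneDrive sync client UA markers
UPLOAD_OPERATIONS = ("FileUploaded", "FileSyncUploadedFull", "FileModified")
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_records(lines):
    """Parse one AuditData JSON object per line, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def malware_detections(records):
    """Step 1: who uploaded the quarantined file, from which IP, to which site, and how."""
    hits = []
    for r in records:
        if r.get("Operation") != "FileMalwareDetected":
            continue
        ua = r.get("UserAgent", "")
        hits.append({
            "user": r.get("UserId"),
            "client_ip": r.get("ClientIP"),
            "site": r.get("SiteUrl"),
            "folder": r.get("SourceRelativeUrl"),
            "file_name": r.get("SourceFileName"),
            # A sync-client upload means the infected file lives in a synced local folder.
            "via_sync_client": any(m in ua for m in SYNC_CLIENT_MARKERS),
        })
    return hits


def other_copies(records, file_name, detected_location):
    """Step 3: other sites/folders where a file with the same name was uploaded.
    The audit record has no content hash, so this is a name match only; confirm
    each hit by hash in the endpoint/Defender console before acting on it."""
    copies = set()
    for r in records:
        if r.get("Operation") in UPLOAD_OPERATIONS and r.get("SourceFileName") == file_name:
            location = (r.get("SiteUrl"), r.get("SourceRelativeUrl"))
            if location != detected_location:
                copies.add(location + (r.get("UserId"),))
    return sorted(copies)


def account_indicators(records, user, known_prefixes=KNOWN_EGRESS_PREFIXES):
    """Step 4: signs that the account itself (not only the device) is compromised."""
    findings = []
    for r in records:
        if r.get("UserId") != user:
            continue
        op = r.get("Operation")
        ip = r.get("ClientIP", "")
        if op == "UserLoggedIn" and not ip.startswith(known_prefixes):
            findings.append(f"sign-in from unrecognised IP {ip}")
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = {p.get("Name"): p.get("Value") for p in r.get("Parameters", [])}
            for key in FORWARDING_PARAMS:
                if params.get(key):
                    findings.append(f"inbox rule {key} -> {params[key]}")
    return findings


def triage(lines):
    """Run steps 1, 3 and 4 over an audit export and summarise each detection."""
    records = parse_records(lines)
    report = []
    for hit in malware_detections(records):
        copies = other_copies(records, hit["file_name"], (hit["site"], hit["folder"]))
        indicators = account_indicators(records, hit["user"])
        report.append({
            **hit,
            "other_copies": copies,
            "account_indicators": indicators,
            # Escalate (isolate device / engage IR) when the account looks compromised
            # or the same file has landed in more than one other location.
            "escalate": bool(indicators) or len(copies) > 1,
        })
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LINES), indent=2))
```

For a real export, replace `SAMPLE_AUDIT_LINES` with the AuditData column of a Search-UnifiedAuditLog or compliance-portal export, and tune the egress prefixes to your own ranges; the name-only match in `other_copies` is deliberately broad, so each hit still needs a hash comparison before the copy is treated as malicious.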

More information