
Malware Downloaded from SharePoint [RULE-1522]

This rule detects when a user downloads a file from SharePoint Online that Microsoft Defender has identified as malware. Unlike RULE-1521, which detects malware being uploaded, this rule specifically alerts on the download of an infected file. If the user executes the downloaded malware, it could compromise their workstation and potentially spread to other systems on the network.

Rationale

SharePoint Online serves as a central document repository where employees access and download files for their daily work. When malware is present on SharePoint and a user downloads it, the threat has moved from the cloud to the user's local device. This is a critical moment in the attack chain because a file on a local device is much more likely to be executed than one stored in the cloud.

This detection corresponds to MITRE ATT&CK T1080 (Taint Shared Content), where adversaries place malicious content in shared storage resources so that other users download and execute it. This can be part of a targeted attack where an attacker specifically places malware on a SharePoint site they know the target accesses, or it can be opportunistic spreading from an already-compromised account.

The risk is compounded because users often trust files from their organization's SharePoint environment. They are more likely to open a file from SharePoint without suspicion than one received via email from an unknown sender. If the malware is executed, the consequences can include data theft, ransomware deployment, credential harvesting, or the establishment of a persistent backdoor on the user's device. Furthermore, if the device is connected to the corporate network, the malware could spread laterally to other systems.

Follow-up

Follow these steps to adequately address this detection:

  1. Identify the affected user and file: Determine which user downloaded the file, which file was downloaded, and from which SharePoint location. Check whether the user has already opened or executed the file, and whether the download was expected (for example, part of an authorized security test or a known false positive).

    • If no: The download was not intentional or the file is confirmed malicious:

      1. Contact the user immediately: Instruct them not to open the downloaded file. If they have already opened it, proceed to step 2.
      2. Scan the user's device: Run a full anti-virus scan on the device using Microsoft Defender for Endpoint or your organization's endpoint protection solution. Check for indicators of compromise such as unexpected processes, network connections, or file modifications.
      3. Quarantine the device if compromised: If the scan reveals that the malware was executed, or if the device shows signs of active infection, isolate the device from the network immediately.
      4. Remove the malware from SharePoint: Ensure the infected file is removed or quarantined on SharePoint to prevent other users from downloading it. Investigate who originally uploaded the file and scan their device as well.
      5. Check for further spread: Review whether other users have also downloaded the same file. If so, repeat the scan and containment steps for each affected user.
      6. Consider engaging Attic's IR team for a thorough investigation if the malware was executed or if multiple users are affected. An IR Credit Pack is required for this service.

    • If yes: The download was part of a known security test or the file is a known false positive:

      1. Verify with the responsible team that the activity was authorized and documented.
      2. If acceptable: close the incident and ensure the test file is cleaned up from both SharePoint and the user's device.
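The following is an added illustration, not Attic's rule implementation, of how the detection described above and the "check for further spread" step can be reproduced from Microsoft 365 Unified Audit Log data: replay SharePoint events in time order, remember every file Defender flagged with a FileMalwareDetected operation, and report each later FileDownloaded event for that file together with the user who downloaded it. The audit events below are constructed samples (only a subset of the real schema's fields is used); the correlation approach is an assumption about how such a rule can be built.

```python
from collections import defaultdict

# Constructed sample events in the shape of Unified Audit Log records
# (CreationTime, Workload, Operation, UserId, ObjectId). Not real data.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T09:00:00", "Workload": "SharePoint", "Operation": "FileUploaded",
     "UserId": "alice@example.com", "ObjectId": "https://example.sharepoint.com/sites/hr/Shared/invoice.xlsm"},
    {"CreationTime": "2024-05-01T09:00:05", "Workload": "SharePoint", "Operation": "FileMalwareDetected",
     "UserId": "app@sharepoint", "ObjectId": "https://example.sharepoint.com/sites/hr/Shared/invoice.xlsm"},
    {"CreationTime": "2024-05-01T09:42:00", "Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "bob@example.com", "ObjectId": "https://example.sharepoint.com/sites/hr/Shared/invoice.xlsm"},
    {"CreationTime": "2024-05-01T10:10:00", "Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "carol@example.com", "ObjectId": "https://example.sharepoint.com/sites/hr/Shared/invoice.xlsm"},
    {"CreationTime": "2024-05-01T10:15:00", "Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "dave@example.com", "ObjectId": "https://example.sharepoint.com/sites/hr/Shared/clean.docx"},
]


def find_malware_downloads(events):
    """Return {file_url: [(time, user), ...]} for every download of a file
    that Defender had already flagged as malware at the time of the download.

    Events are replayed in CreationTime order (ISO-8601 strings sort
    chronologically), so a download that precedes the malware verdict is
    not counted; that case belongs to the upload-side rule, not this one.
    """
    flagged = set()            # file URLs with a FileMalwareDetected event so far
    hits = defaultdict(list)   # file URL -> downloads that happened after the flag
    for e in sorted(events, key=lambda ev: ev["CreationTime"]):
        if e.get("Workload") != "SharePoint":
            continue
        if e["Operation"] == "FileMalwareDetected":
            flagged.add(e["ObjectId"])
        elif e["Operation"] == "FileDownloaded" and e["ObjectId"] in flagged:
            hits[e["ObjectId"]].append((e["CreationTime"], e["UserId"]))
    return dict(hits)


if __name__ == "__main__":
    # One alert per flagged file, listing every user who must be followed up.
    for url, downloads in find_malware_downloads(SAMPLE_EVENTS).items():
        print(f"ALERT: flagged file downloaded {len(downloads)} time(s): {url}")
        for when, user in downloads:
            print(f"  {when}  {user}")
```

On the sample data this reports the flagged invoice.xlsm with two downloaders (bob and carol), which is exactly the list of devices to scan in follow-up step 5, while dave's download of the unflagged file produces no alert.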

More information