General
This alarm is triggered when SharePoint (including OneDrive) detects malware in a file.
Rationale
Employees can upload files to SharePoint and OneDrive from systems that may not have antivirus software, where the antivirus software was not up-to-date, or where the antivirus software did not yet recognize a particular virus. As a result, a file may be uploaded to SharePoint or later downloaded that turns out to contain a virus. It is always advisable to investigate where this virus came from, as it may indicate that a system or user account of an employee has been compromised.
Follow-up
Perform these steps to adequately follow up on this detection:
- Ask the employee who uploaded the file if this was done intentionally.
- If not: consider the employee's account as compromised.
  - Reset the employee's password.
  - Revoke all logged-in sessions of the administrator.
- Download the file from SharePoint to secure it for analysis and then delete it from SharePoint.
- Perform a full system scan with up-to-date antivirus software on the employee's computer from which the file was uploaded. If the system in question does not contain antivirus software, HitmanPro or Malwarebytes can be used.
- Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised if the affected employee has administrative rights.
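The two containment steps above (password reset and session revocation) can be carried out in one go with the Microsoft Graph PowerShell SDK. The function below is an added example, not part of this article or of any Attic tooling; it assumes the Microsoft.Graph module is installed, that the operator holds a role permitted to reset passwords and revoke sessions, and that the UPN passed in is the account of the employee who uploaded the file (the address in the usage line is a placeholder). The generated temporary password is deliberately not returned, so the account stays locked out until the helpdesk issues a new password through its normal process.

```powershell
# Added example (not part of the original article): contain a suspected
# compromised Microsoft 365 account with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the operator holds a
# role allowed to reset passwords and revoke sessions for the target user.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # User principal name of the employee who uploaded the file
        [Parameter(Mandatory = $true)]
        [string] $UserPrincipalName
    )

    # Scopes needed for a password reset and for revoking sign-in sessions
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, DisplayName
    if (-not $user) { throw "User '$UserPrincipalName' not found." }

    # Step 1: reset the password. A random 24-character temporary password is
    # set and the user is forced to choose a new one at next sign-in. The
    # temporary value is discarded on purpose: the helpdesk hands out a new
    # password out of band once the investigation allows it.
    $temporary = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    $passwordProfile = @{
        Password                      = $temporary
        ForceChangePasswordNextSignIn = $true
    }
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset password')) {
        Update-MgUser -UserId $user.Id -PasswordProfile $passwordProfile
    }

    # Step 2: revoke all logged-in sessions. This invalidates the user's refresh
    # tokens; access tokens that were already issued stay valid until they
    # expire (typically up to an hour), so the check on the endpoint still matters.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }

    Disconnect-MgGraph | Out-Null

    # Summary object for the incident record
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        DisplayName     = $user.DisplayName
        PasswordReset   = $true
        SessionsRevoked = $true
        ContainedAt     = (Get-Date).ToUniversalTime()
    }
}

# Usage (placeholder address, replace with the uploading employee's UPN):
# Invoke-AccountContainment -UserPrincipalName 'employee@example.com'
# Add -WhatIf to see what would be changed without touching the account.
```

Because the function supports `ShouldProcess`, it prompts before each change and honours `-WhatIf`, which makes it safe to rehearse against the right account before the real reset. Keep the returned summary object with the secured copy of the file; it gives the Tier2 investigation a timestamp for when the account was contained.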