
SharePoint and OneDrive Logs in M365: The Goldmine You’re Overlooking (with a Hidden Twist)

  • Jul 21, 2025
  • 3 min read

If you’ve been around the M365 security space long enough, you’ve heard the term Business Email Compromise (BEC) more times than you can count. It’s a term that makes most defenders instinctively focus on mailbox rules, phishing emails, and login anomalies.

But here’s the uncomfortable truth: email often isn’t the real target anymore.

More and more, attackers are skipping Outlook altogether and heading straight to the real goldmine — SharePoint and OneDrive.


-------------------------------------------------------------------------------------------------------------

🎯 Why Attackers Are Laser-Focused on SharePoint & OneDrive

Modern attackers understand one thing very well: organizations store their crown jewels in cloud storage, not just in emails. Here’s why SharePoint and OneDrive are so appealing:


  • 🗂️ Structured folders and descriptive filenames make data discovery easy (no need to dig through email threads)

  • 📁 Sensitive content like credentials, contracts, financials, and legal agreements are commonly stored

  • 🔍 Search is fast and intuitive, especially for attackers with read access

  • 🧪 Files are often linked across departments, giving attackers access to multiple teams


-------------------------------------------------------------------------------------------------------------

💡 Defenders: Expand Your Focus

So, here’s the takeaway:

If your BEC investigation ends at the mailbox, you might be missing the real breach.

Ask yourself:

  • Did the attacker touch SharePoint or OneDrive?

  • What documents were accessed? Downloaded?

  • Was anything uploaded back into the environment?

  • How fast did the attacker move?


-------------------------------------------------------------------------------------------------------------


Now to a question you have probably run into yourself.


-------------------------------------------------------------------------------------------------------------

🚨 The SharePoint or OneDrive Log Puzzle: What’s With the IPs?

When parsing SharePoint or OneDrive activity in the audit log, one field naturally grabs attention: ClientIP. You’d expect this to reflect the end-user’s IP address, and sometimes it does.


But here’s the twist:

many of these IPs actually belong to Microsoft datacenters. That’s right: instead of pointing to the user's laptop in the US or in Mumbai, you're sometimes staring at an Azure IP block from San Antonio or somewhere across the country. That can derail your investigation if you're not ready for it.


-------------------------------------------------------------------------------------------------------------

🧠 Why This Happens (According to Microsoft)

After digging through Microsoft’s documentation (and quite a bit of head-scratching), the explanation becomes clear — and honestly, kind of brilliant.


According to Microsoft:

“For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity.”

In simple terms:

if a user opens or edits a document in Excel for the web or Word for the web (the Office on the web apps), the resulting SharePoint or OneDrive event can carry the IP of the Microsoft service that handled the request, not the IP of the user's physical machine.


What you're seeing is activity being routed:

  • Partly from the end-user's device

  • And partly from the Microsoft web service acting on their behalf


It’s like forensic shadow puppetry — the user pulls the strings, but the actions come from a different hand.

-------------------------------------------------------------------------------------------------------------

🎯 The Forensic Takeaway: Attribution Gets Tricky

So what does this mean for defenders?

It means you need to be extra cautious when attributing SharePoint activity. Specifically:


  • ✅ Some activity truly originates from the user’s machine and IP

  • 🔄 Other activity comes through Microsoft datacenters close to the user (regional)

  • ❗ And occasionally, it comes from datacenters located hundreds or thousands of miles away


If you're not aware of this nuance, you might mistake legitimate user activity for lateral movement or threat actor behaviour, or, worse, wave through genuinely suspicious access because "it's just a Microsoft IP". A datacenter IP on its own is neither good nor bad; what matters is whether it can be tied back to a device-originated event by the same user moments earlier.

-------------------------------------------------------------------------------------------------------------


🧩 Clues Still Exist

The good news? SharePoint and OneDrive audit records carry plenty of additional metadata beyond ClientIP: UserAgent, Operation (FileAccessed, FileDownloaded, FileUploaded, FileSyncDownloadedFull and friends), CreationTime, Workload and ObjectId (the full path of the file touched). Correlating those, and lining the timestamps up against the user's Entra ID sign-in events, lets you decide whether an action was initiated by a real user from a known device or whether something fishy is going on.
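The attribution logic described above, carried through the investigation questions from earlier in the post (which IPs, what was read, downloaded or uploaded, how fast), as an added example in Python. This is not code from the original post, from Microsoft or from Petra. It triages constructed AuditData-style records whose field names follow the real Unified Audit Log SharePoint/OneDrive schema (CreationTime, Operation, Workload, UserId, ClientIP, UserAgent, ObjectId) but whose values are invented. The "trusted application" prefix list is a placeholder built from RFC 5737 TEST-NET ranges; in practice it must be loaded from Microsoft's published endpoint data. The ten-minute attribution window and the hypothetical user-agent strings are likewise assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# ASSUMPTION: placeholder prefixes standing in for Microsoft service ranges (RFC 5737
# TEST-NET). Replace with the current list from Microsoft's published endpoint data.
TRUSTED_APP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# ASSUMPTION: how far back we look for the user's own device event when a record
# arrives from a trusted-app (Microsoft) address.
ATTRIBUTION_WINDOW = timedelta(minutes=10)

# Real UAL SharePoint/OneDrive Operation names that move data out of / into the tenant.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
UPLOAD_OPS = {"FileUploaded"}

# Constructed sample records (values invented; user-agent strings hypothetical).
SAMPLE_RECORDS = [
    # alice opens a workbook in the browser from her laptop, then edits it in Excel for
    # the web: the edit arrives from the trusted-app range, not from her laptop.
    {"CreationTime": "2025-07-21T09:00:12", "Operation": "FileAccessed", "Workload": "OneDrive",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.7",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/126.0",
     "ObjectId": "https://contoso-my.sharepoint.example/personal/alice/Documents/Q3-forecast.xlsx"},
    {"CreationTime": "2025-07-21T09:00:40", "Operation": "FileModified", "Workload": "OneDrive",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.25",
     "UserAgent": "Excel-web-app (constructed)",
     "ObjectId": "https://contoso-my.sharepoint.example/personal/alice/Documents/Q3-forecast.xlsx"},
    # Ninety seconds of downloads from an address never seen for alice, then a macro
    # document is uploaded back into the Finance site.
    {"CreationTime": "2025-07-21T11:14:02", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "alice@contoso.example", "ClientIP": "192.0.2.200",
     "UserAgent": "python-requests/2.32 (constructed)",
     "ObjectId": "https://contoso.sharepoint.example/sites/Finance/Shared Documents/Vendor-contract.pdf"},
    {"CreationTime": "2025-07-21T11:14:31", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "alice@contoso.example", "ClientIP": "192.0.2.200",
     "UserAgent": "python-requests/2.32 (constructed)",
     "ObjectId": "https://contoso.sharepoint.example/sites/Finance/Shared Documents/Bank-details.xlsx"},
    {"CreationTime": "2025-07-21T11:15:30", "Operation": "FileUploaded", "Workload": "SharePoint",
     "UserId": "alice@contoso.example", "ClientIP": "192.0.2.200",
     "UserAgent": "python-requests/2.32 (constructed)",
     "ObjectId": "https://contoso.sharepoint.example/sites/Finance/Shared Documents/Payment-instructions.docm"},
    # bob: a trusted-app event with no device event nearby, so it cannot be attributed.
    {"CreationTime": "2025-07-21T14:00:05", "Operation": "FileAccessed", "Workload": "SharePoint",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.40",
     "UserAgent": "Word-web-app (constructed)",
     "ObjectId": "https://contoso.sharepoint.example/sites/Legal/Shared Documents/NDA-template.docx"},
]


def is_trusted_app_ip(ip):
    """True when ClientIP falls inside a Microsoft trusted-application range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_APP_PREFIXES)


def attribute_origins(records):
    """Yield (record, origin_ip, source) in time order.

    source is 'device' when ClientIP is the user's own address and 'trusted-app' when it
    is a Microsoft service address. A trusted-app event inherits the last device IP seen
    for the same user inside ATTRIBUTION_WINDOW; otherwise origin_ip is None.
    """
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    last_device = {}  # UserId -> (timestamp, device IP)
    for r in ordered:
        t = datetime.fromisoformat(r["CreationTime"])
        if is_trusted_app_ip(r["ClientIP"]):
            prev = last_device.get(r["UserId"])
            origin = prev[1] if prev and t - prev[0] <= ATTRIBUTION_WINDOW else None
            yield r, origin, "trusted-app"
        else:
            last_device[r["UserId"]] = (t, r["ClientIP"])
            yield r, r["ClientIP"], "device"


def triage(records):
    """Per-user summary: device IPs seen, unattributable events, files by action, time span."""
    summary = {}
    for r, origin, source in attribute_origins(records):
        u = summary.setdefault(r["UserId"], {
            "device_ips": set(), "unattributed": 0, "accessed": [], "downloaded": [],
            "uploaded": [], "first": None, "last": None})
        t = datetime.fromisoformat(r["CreationTime"])
        u["first"] = t if u["first"] is None else min(u["first"], t)
        u["last"] = t if u["last"] is None else max(u["last"], t)
        if origin is None:
            u["unattributed"] += 1
        else:
            u["device_ips"].add(origin)
        name = r["ObjectId"].rsplit("/", 1)[-1]  # file name from the ObjectId path
        if r["Operation"] in DOWNLOAD_OPS:
            bucket = "downloaded"
        elif r["Operation"] in UPLOAD_OPS:
            bucket = "uploaded"
        else:
            bucket = "accessed"
        u[bucket].append((name, origin, source))
    for u in summary.values():
        u["span_seconds"] = (u["last"] - u["first"]).total_seconds()
    return summary


if __name__ == "__main__":
    for user, u in triage(SAMPLE_RECORDS).items():
        print(user, "device IPs:", sorted(u["device_ips"]), "unattributed:", u["unattributed"])
        print("  downloaded:", [n for n, _, _ in u["downloaded"]],
              "uploaded:", [n for n, _, _ in u["uploaded"]],
              "span:", u["span_seconds"], "s")
```

Run against the sample, alice's Excel-for-the-web edit is attributed back to 198.51.100.7 rather than counted as activity from a new location, while the download burst and the upload stand out as coming from a second device address; bob's record is reported as unattributed because nothing ties the Microsoft address to a device of his, which is exactly the case where you go to the sign-in logs next.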


-------------------------------------------------------------------------------------------------------------


👁️‍🗨️ Petra Helps You See This

And this is where Petra shines. Petra’s ML models understand user behavior across SharePoint and OneDrive and won’t trip on false positives like Microsoft’s native tools. Instead of just watching for login anomalies, it monitors file access behavior and anomalies, so you get real, actionable insights — not alert fatigue.


-------------------------------------------------------------------------------------------------------------

Dean

