In both cases, these actions will create “FileDownloaded” entries in the SharePoint audit log so any security solution that monitors those can potentially detect suspicious behavior, like an unusually large number of files being downloaded over a short time, or from a new device or from a new location.

“As part of our research, we aimed to determine which user actions generated what type of events, either security alerts or file events (e.g., open, closed, downloaded, etc.),” the Varonis researchers said. “As we developed specific attack scripts, we identified techniques that could be used to download files without triggering standard events and circumvent audit logs.”

One of those techniques is using an option in SharePoint for files that’s called “Open in Desktop App” which downloads the file to the local machine and opens it in a desktop application. This is done through a shell command that opens the file by accessing a direct link to it and launches the application associated with the file extension. If the user would copy that link and open it directly in their browser they would get the option to download it.

However, it turns out that for links generated and accessed in this manner, the event recorded in the SharePoint audit log is “FileAccessed” and not file “FileDownloaded”.

The researchers managed to automate this by writing a PowerShell script that uses the SharePoint client object model (CSOM) to fetch files without leaving download footprints on the server.

“​​However, unless a user downloads large volumes of files quickly, these methods will likely create only conspicuous amounts of access logs, allowing such activities to go relatively unnoticed by detection rules focused on download logs,” the researchers said.