
How to Track Malware-Infected Files in SharePoint Online

As a key collaboration platform, SharePoint Online requires vigilant security. Thus, Microsoft 365 Defender scans files for threats and prevents accessing or sharing the infected files. However, monitoring malware-infected files is crucial to trace the origin of the threat, stop it from spreading, and take action to restore any affected content. This guide helps you to find malware-infected files in SharePoint Online and enhance security.

Monitor Malware Detected Files in SPO Using Microsoft 365 Defender

Microsoft 365 Permission Required
  Least Privilege: Security Reader
  Most Privilege: Global Administrator
  • Sign in to the Microsoft 365 Defender portal.
  • Navigate to the Explorer under the Email & collaboration drop-down.
  • In Explorer, switch to the Content Malware tab. Apply the SharePoint workload filter and click Refresh to monitor malware detected files within SharePoint Online.

This report shows key data such as date, file name, threat, detection technology, last modified user, file owner, and file size.

Find SharePoint Malware Detection Logs Using Microsoft Purview

Microsoft 365 Permission Required
  Least Privilege: View-Only Audit Log role
  Most Privilege: Global Administrator
  • Log in to the Microsoft Purview portal and navigate to Solutions»Audit.
  • Enter FileMalwareDetected in the "Activities - operation names" field and select SharePointFileOperation in the Record Types field.
  • Customize Start & End date range and hit Search.

This generates a report of detected malware in SharePoint Online files with details such as IP address, user, record type, activity, and item (file path).

Note: You need to have an Audit Premium license to access audit logs older than the default period of 180 days.

Track SharePoint Malware Detected Files Using PowerShell

Microsoft 365 Permission Required
  Least Privilege: View-Only Audit Log role
  Most Privilege: Global Administrator
  • Connect to the Exchange Online PowerShell module using the cmdlet below.
     Connect-ExchangeOnline
  • Run the PowerShell cmdlet below to audit malware-infected files in SharePoint Online. Replace the "MM-DD-YYYY" placeholders in the StartDate and EndDate parameters before executing the audit search.
     Search-UnifiedAuditLog -StartDate "<MM-DD-YYYY>" -EndDate "<MM-DD-YYYY>" `
         -RecordType SharePointFileOperation -Operations FileMalwareDetected |
     ForEach-Object {
         # The per-record details are a JSON string in the AuditData property
         $data = $_.AuditData | ConvertFrom-Json
         [PSCustomObject]@{
             CreationDate = $_.CreationDate
             FileName     = $data.SourceFileName
             Operation    = $_.Operations
             RecordType   = $_.RecordType
             FileOwner    = $data.UserId
             SitePath     = $data.SiteUrl
             VirusInfo    = $data.VirusInfo
         }
     } | Format-Table -AutoSize

The audit report of malware detected files provides details such as creation date, file name, operation, record type, file owner, site path, and virus info.


Note: By default, EndDate is set to 00:00:00, which excludes the current day from audit search results. To include logs up to a specific time, set EndDate with a timestamp (i.e., MM-DD-YYYYZHH:MM:SS GMT) or push EndDate to the next day.
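The search above stops at the default 100-record result size and, as the note says, drops the current day unless EndDate is adjusted. The following helper is an added example, not the article's own script: it pushes EndDate to the next midnight, pages through the full result set with Search-UnifiedAuditLog's session paging, de-duplicates the rows and writes a CSV for the case file. It assumes Connect-ExchangeOnline has already been run; the function name, $DaysBack and $CsvPath are assumptions of this example.

```powershell
# Added helper (not from the article): collect every FileMalwareDetected
# record in a date window, today included, paging past the default 100-row
# limit, and export the parsed rows to CSV.
function Export-SpoMalwareDetections {
    param(
        [int]$DaysBack = 30,                                  # assumed default
        [string]$CsvPath = ".\SPO-MalwareDetections.csv"      # assumed path
    )
    # EndDate alone defaults to 00:00:00 and drops the current day, so push it
    # to the next midnight and count StartDate back from there.
    $EndDate   = (Get-Date).Date.AddDays(1)
    $StartDate = $EndDate.AddDays(-$DaysBack)

    # One SessionId ties the paged calls together; ReturnLargeSet hands back
    # up to 5000 rows per call and an empty batch once the set is exhausted.
    $SessionId = "SpoMalware-" + [guid]::NewGuid().ToString()
    $Raw = @()
    do {
        $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -RecordType SharePointFileOperation -Operations FileMalwareDetected `
            -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($Batch) { $Raw += $Batch }
    } while ($Batch)

    # Paged large sets can repeat rows; Identity is unique per audit record.
    $Report = $Raw | Sort-Object Identity -Unique | ForEach-Object {
        $Data = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            CreationDate = $_.CreationDate
            FileName     = $Data.SourceFileName
            SitePath     = $Data.SiteUrl
            ObjectId     = $Data.ObjectId     # full path of the flagged file
            FileOwner    = $Data.UserId
            ClientIP     = $Data.ClientIP
            VirusInfo    = $Data.VirusInfo
        }
    } | Sort-Object CreationDate -Descending

    $Report | Export-Csv -Path $CsvPath -NoTypeInformation
    return $Report
}

# Usage: last 7 days, then a count per site to see where detections cluster
$Detections = Export-SpoMalwareDetections -DaysBack 7
$Detections | Group-Object SitePath | Sort-Object Count -Descending |
    Select-Object Count, Name
```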

Monitor Malware Files Effectively to Implement Robust Protection in SharePoint Online

AdminDroid’s SharePoint Online auditing tool provides full insights into potential malware threats across your M365 organization. It delivers in-depth reports on malware-infected files, file/folder management, site traffic, external sharing, permission assignments, etc. With these reports, admins can proactively monitor incidents, respond faster, and maintain a secure SharePoint Online environment.

Get Alerts on Malware File Detections in SharePoint Online

Use the default "malware detection in SharePoint and OneDrive files" alert policy template to get notified of flagged files, which helps you quickly investigate, limit access, etc., to prevent further spread.

Audit SharePoint File Activity to Identify Malware File Downloads

Track SPO file downloads report to find any infected file downloads by users before the restriction and initiate a cleanup or incident response.

Find Malware File Deletions in SharePoint Online

Check the deleted malware files report to verify the removed infected files and ensure risks are neutralized in SharePoint Online.

Monitor Files Shared with External Users For Undetected Malware Spreads

Audit the files and folders shared with external users to check if any undetected malware files are shared with external users, and take action to contain any potential exposure.

Track Created Files to Detect Malware Sources in SPO

Monitor the files created by internal users to identify the user responsible for malware infection and take appropriate actions to contain the threat.

Monitor Auto-Saved Email Attachments to SharePoint Online for Malware Detection

Track malware-infected emails in Microsoft 365 to prevent malicious attachments from being auto-saved to SPO and spread across your organization.

In summary, AdminDroid SharePoint Online management tool provides advanced features that enable admins to track malware-infected files in SharePoint Online efficiently. Admins can also monitor file activity, performance metrics, top content activity, storage monitoring, and more to maintain proactive control over malware-infected files.


Important Tips

Use the advanced hunting tool in Microsoft Defender to expand malware investigations, analyze infection patterns, identify threat indicators across your network, etc.

Identify safe versions for file restoration after ransomware and other malware threats through intelligent versioning in SharePoint Online.

Limit external sharing at the tenant and site level to reduce the risk of external compromise by accidental spread of undetected malware.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while tracking malware-infected files in SharePoint Online.

Error: "Get-SPOMalwareFile : Server relative urls must start with SPWeb.ServerRelativeUrl"

This error occurs when a sharing URL is provided as input for the Get-SPOMalwareFile cmdlet instead of a server-relative file URL.

Fix: When you copy the file URL from the desired SharePoint site, the shared URL comes with a sharing path segment and query parameters.

Convert the shared URL into a server-relative file URL by removing the sharing path (:u:/r/) and the query parameters (?csf=6&web=3&e=HSsDE8), so that the file URL matches the form below.

// Direct file URL (server-relative path, no sharing segment or query string):
https://<tenant-name>.sharepoint.com/sites/<site-name>/Shared%20Documents/<malware-file-name>

Error: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or executable program.

This error occurs when the Exchange Online PowerShell module is not installed/imported properly before establishing a connection.

Fix: Install and import the ExchangeOnlineManagement module before connecting in PowerShell.
    Install-Module ExchangeOnlineManagement
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline

Error: Cannot process argument transformation on parameter 'StartDate'. "String '02-05-2025' was not recognized as a valid DateTime."

This error occurs when executing the Search-UnifiedAuditLog cmdlet with unsupported or unrecognized date formats in Exchange Online PowerShell.

Fix: Confirm that the given date format is in "YYYY-MM-DD" or "MM-DD-YYYY" while performing the audit search in PowerShell.

Error: "To use this feature, turn on auditing so we can start recording user and admin activity in your organization. When you turn on auditing, activity is recorded in the audit log and is available to view in a report."

This error occurs when auditing is disabled and no admin activity is recorded in your organization.

Fix: Enable admin audit logging for your organization using the Microsoft Purview portal.

Frequently Asked Questions

Track Malware-infected Files and Respond Swiftly to Insider Threats in SharePoint Online

1. What happens when a malware-infected file is detected in SharePoint Online?

When Microsoft 365 Defender finds a new file in SharePoint Online, it scans the file for malicious content, unknown data, file corruption, etc. If anything suspicious is found, Defender tags the file as malware and does the following.

Malware detected files in SharePoint Online workspace

  • Microsoft Defender flags the malware-infected files with a red shield icon next to the More options menu for user identification.
  • Once Defender flags the file as malware-infected, these files are quarantined to prevent Microsoft 365 tenant users from viewing, copying, moving, or sharing.
  • Admins can monitor these quarantined malware-infected files in Microsoft 365 Defender and take appropriate action such as deleting the file, marking it as a false positive, submitting it for analysis, and more.

Note: Admins can also manually investigate the incident and submit the evidence to Microsoft instead of relying on the Automated Investigation and Response (AIR) models.

2. How to monitor quarantined malware files in Microsoft Defender?

Malware-infected files are quarantined immediately when flagged by Microsoft 365 Defender. Monitoring quarantined malware SPO files ensures that real threats are handled quickly and false positives are identified. It helps admins to verify threats, restore safe files, and maintain a strong security posture.

To monitor all the quarantined malware files in Microsoft 365 Defender, follow the steps below.

  • Sign in to the Microsoft 365 Defender portal and navigate to the Review section under Email & collaboration.
  • Select the Quarantine option and switch to the Files tab. This page provides the details such as the user, location, attachment file name, file URL, etc.
  • Click on the desired file row to view detailed information about the quarantined file in a flyout pane.
  • The details pane allows admins to take three actions on quarantined malware SPO files. They are:
    • Release file - With this option, you can mark the quarantined malware file as safe and report it to Microsoft for security verification.
    • Download file - This allows you to retrieve a copy of the malware file; it asks you to set a password and specify the reason for downloading the file.
    • Delete from quarantine - With this option, you can remove the malware-infected file from quarantine permanently, irrespective of its release status.

These actions do not affect the original infected file in SPO, which remains blocked until Microsoft's analysis deems it non-malicious.


Note: These quarantined files have an expiration policy of 30 days. Once the file is expired or deleted from quarantine, it is no longer available and cannot be restored for any malware analysis.

3. How to restrict download access to malware files in SPO?

By default, users can still download the infected file from the respective SharePoint site even though the file is blocked from being copied, moved, or shared. The infected files appear in the document library across various device applications, which increases the chance of users meddling with the infected files. So, restricting the download access to infected files is critical and stands on the admin’s priority list.

The download restriction can be enforced only using PowerShell, as there is no setting available in the SharePoint admin center.

Execute the following cmdlets to block the malware file downloads for Microsoft 365 users.

  • Open Windows PowerShell and connect to the SharePoint Online service using the cmdlet below.
    Connect-SPOService -Url <SharePointAdminCenterURL>

    Replace the URL parameter with your SharePoint admin center URL before executing the cmdlet in the PowerShell session.

  • Execute the ‘Set-SPOTenant’ command with the DisallowInfectedFileDownload param set to true for restricting the malware file downloads.
    Set-SPOTenant -DisallowInfectedFileDownload $true
  • Use the below Get-SPOTenant cmdlet to check if the download access has been restricted for M365 tenant users.
    Get-SPOTenant | Format-List DisallowInfectedFileDownload

Note: This download restriction applies to all Microsoft 365 users in your organization, including admins, and takes effect within 15-20 minutes.

4. How to extract the malware-infected SPO file after restricting the download access?

After restricting download access to infected files for your Microsoft 365 organization, users and admins alike are prevented from downloading the infected files in SharePoint Online. This stops users from spreading the infection across endpoint devices and the secured workspace.

However, admins may need to download the infected files for forensic analysis, and they do not need access to the sites that host the infected content to do so. As long as the file is marked as malware, admins can extract it from SPO using the Get-SPOMalwareFileContent cmdlet in a PowerShell session.

Download quarantined malware SPO file with PowerShell

  • Open Windows PowerShell and connect to the SPO service.
    Connect-SPOService -Url <SharePointAdminCenterURL>
  • Retrieve the malware file URL from the Alerts page in the Defender portal and replace <FileURL> with it.
  • Once you have replaced the URL, set the output path and run the following cmdlets to save the malware content locally.
    $MalwareFileUri = "<FileURL>"
    $FileName = $MalwareFileUri.Split("/")[-1]
    $OutputPath = "<OutputPath>\$FileName"
    $TargetFile = [System.IO.File]::Create($OutputPath)
    # Fetch the file's malware metadata, then stream its content into the local file
    $MalwareFile = Get-SPOMalwareFile -FileUri $MalwareFileUri
    $Stream = Get-SPOMalwareFileContent -MalwareInfectedFile $MalwareFile
    $Stream.CopyTo($TargetFile)
    # Close both handles so the file is flushed and released
    $TargetFile.Close()
    $Stream.Close()

The Get-SPOMalwareFile cmdlet gets the metadata of the malware-infected file from SPO. The Get-SPOMalwareFileContent cmdlet extracts the content of the malware-infected file using that metadata and saves it to the specified output path.

The Get-SPOMalwareFileContent cmdlet is limited to Global Admins and SharePoint Admins only. Alternatively, use the Download file action from Quarantine in Microsoft 365 Defender, which allows all privileged roles to extract infected file contents.
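The extraction above fails with the "Server relative urls must start with SPWeb.ServerRelativeUrl" error from the troubleshooting section when the URL copied from a sharing link is passed as-is. The following is an added example, not the article's own script, that normalises such a link into the direct file URL, streams the flagged content to disk with both handles released on every path, and records a SHA-256 of the extracted bytes for the case file. It assumes an existing Connect-SPOService session held by a Global or SharePoint admin; the function names, the generalised sharing-segment pattern (/:u:/r/, /:w:/r/, /:x:/r/ and similar) and the constructed sample URL are assumptions of this example.

```powershell
# Added helpers (not from the article): sharing link -> direct URL, then a
# forensic pull of the flagged file with a recorded hash.
function ConvertTo-DirectSpoFileUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Drop the sharing segment (e.g. /:u:/r/, /:w:/r/, /:x:/r/); assumed to
    # generalise the /:u:/r/ case shown in the troubleshooting section.
    $Direct = $Url -replace '/:[a-z]:/r/', '/'
    # Drop everything from the query string onwards (?csf=...&web=...&e=...)
    return ($Direct -split '\?', 2)[0]
}

function Export-SpoMalwareFile {
    param(
        [Parameter(Mandatory)][string]$FileUrl,
        [Parameter(Mandatory)][string]$OutputDir
    )
    $DirectUrl = ConvertTo-DirectSpoFileUrl -Url $FileUrl
    $FileName  = [uri]::UnescapeDataString($DirectUrl.Split('/')[-1])
    $Target    = Join-Path $OutputDir $FileName
    $Stream = $null; $Out = $null
    try {
        # Metadata first, then the content stream, exactly as the article does
        $MalwareFile = Get-SPOMalwareFile -FileUri $DirectUrl
        $Stream = Get-SPOMalwareFileContent -MalwareInfectedFile $MalwareFile
        $Out = [System.IO.File]::Create($Target)
        $Stream.CopyTo($Out)
    }
    finally {
        # Release handles even if the cmdlets throw, so partial files do not
        # stay locked on disk.
        if ($Out)    { $Out.Dispose() }
        if ($Stream) { $Stream.Dispose() }
    }
    # Hash the bytes actually written; this is what goes in the case notes.
    [PSCustomObject]@{
        SourceUrl = $DirectUrl
        LocalPath = $Target
        Bytes     = (Get-Item -LiteralPath $Target).Length
        Sha256    = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    }
}

# Usage with a constructed sharing link (placeholder tenant/site/file):
$Link = 'https://contoso.sharepoint.com/:u:/r/sites/IR/Shared%20Documents/sample.bin?csf=1&web=1&e=abc'
ConvertTo-DirectSpoFileUrl -Url $Link
# -> https://contoso.sharepoint.com/sites/IR/Shared%20Documents/sample.bin
Export-SpoMalwareFile -FileUrl $Link -OutputDir 'C:\Cases\IR-001\evidence'
```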

5. How to handle false malware detections in SharePoint Online?

Sometimes, the files uploaded by users may be falsely flagged as malware in SPO due to sync issues, upload errors, or corruption. Admins should create an alert policy in Microsoft Defender to review such files.

If a file is deemed safe, you can release it from quarantine and report the file to Microsoft as a false positive for further analysis.

Manage SPO malware alerts and false positives in Microsoft 365 Defender

  • Log in to the Microsoft Defender portal and navigate to Investigation & response»Incident & alerts»Alerts.
  • Click Add filter, choose Alert type, and set it to the malware alert policy you created to view the relevant alerts.
  • Click on the alert name to handle false positives in Microsoft 365 Defender.
  • Select Set Classification, choose False-positive from the Classification drop‑down, and then click Save.

This action flags the file as not malicious in similar future detections. However, it remains blocked until Microsoft completes its security analysis. If confirmed safe, the malware flag is revoked from SharePoint Online.

6. How to report a malware activity in SharePoint Online?

During routine collaboration in SharePoint Online, admins may come across suspicious file activity such as unusual file names, file behaviours, unknown uploads, etc. Whether it's a known threat or just a suspicious-looking file, it's important to take immediate action. Reporting the activity to Microsoft ensures it gets escalated for analysis and helps to protect the Microsoft 365 tenant workspace from potential spread.

Report SharePoint Online malware file activity in Microsoft Defender

  • Log in to the Microsoft 365 Defender portal.
  • Navigate to Investigation & response»Actions & submissions»Submissions.
  • Click on Submit to Microsoft for analysis and enter the file URL in the URL field.
  • Under "Why are you submitting this URL to Microsoft?", choose It appears suspicious and click Submit to report the file as suspicious in SharePoint Online.

These submissions send the undetected file URL to Microsoft and allow you to set a temporary block if you confirm it as a threat. Similarly, you can submit a request to Microsoft regarding false positive detections and set a temporary unblock if you confirm it as clean.

However, the false positives will only be unblocked permanently after Microsoft completes its malware analysis.
