MDO Hunting - Mass File Download / Exfil After Phishing Click
MDO 23 Mass Download After Phishing
Query
let Clickers =
UrlClickEvents
| where Timestamp > ago(3d)
| where ThreatTypes has_any ("Phish", "Malware")
| summarize ClickTime = min(Timestamp) by AccountUpn
| where isnotempty(AccountUpn);
CloudAppEvents
| where Timestamp > ago(3d)
| where ActionType in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed")
| where Application has_any ("SharePoint", "OneDrive")
| extend Upn = tolower(AccountDisplayName)
| join kind=inner (Clickers | extend Upn = tolower(AccountUpn)) on Upn
| where Timestamp between (ClickTime .. ClickTime + 6h)
| summarize Downloads = count(),
Files = dcount(ObjectName),
Apps = make_set(Application, 5),
IPs = make_set(IPAddress, 10),
FirstDownload = min(Timestamp),
LastDownload = max(Timestamp)
by AccountUpn, ClickTime
| where Downloads >= 50
| sort by Downloads descExplanation
This query is designed to detect potential data theft following a phishing attack. It works by identifying users who clicked on malicious links and then experienced a surge in file downloads from SharePoint or OneDrive. Here's a simple breakdown:
-
Identify Clickers: The query first looks at events from the past three days where users clicked on links identified as phishing or malware. It records the earliest click time for each user.
-
Monitor File Downloads: It then checks for file download activities (like "FileDownloaded" or "FileSyncDownloadedFull") from SharePoint or OneDrive within the same three-day period.
-
Correlate Events: The query matches users who clicked on malicious links with those who downloaded files, focusing on downloads that happened within six hours after the click.
-
Analyze Download Activity: For each user, it counts the number of downloads, the distinct files accessed, the applications used, and the IP addresses involved. It also notes the first and last download times.
-
Flag Suspicious Activity: Users with 50 or more downloads in this context are flagged, and the results are sorted by the number of downloads in descending order.
In essence, this query helps identify users who might be involved in data exfiltration after falling victim to a phishing attack, allowing for further investigation and containment.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics