Query Details

MDO Hunting - Mass File Download / Exfil After Phishing Click

MDO 23 Mass Download After Phishing

Query

let Clickers =
    UrlClickEvents
    | where Timestamp > ago(3d)
    | where ThreatTypes has_any ("Phish", "Malware")
    | summarize ClickTime = min(Timestamp) by AccountUpn
    | where isnotempty(AccountUpn);
CloudAppEvents
| where Timestamp > ago(3d)
| where ActionType in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed")
| where Application has_any ("SharePoint", "OneDrive")
| extend Upn = tolower(AccountDisplayName)
| join kind=inner (Clickers | extend Upn = tolower(AccountUpn)) on Upn
| where Timestamp between (ClickTime .. ClickTime + 6h)
| summarize Downloads = count(),
            Files = dcount(ObjectName),
            Apps = make_set(Application, 5),
            IPs = make_set(IPAddress, 10),
            FirstDownload = min(Timestamp),
            LastDownload = max(Timestamp)
    by AccountUpn, ClickTime
| where Downloads >= 50
| sort by Downloads desc

Explanation

This query is designed to detect potential data theft following a phishing attack. It works by identifying users who clicked on malicious links and then experienced a surge in file downloads from SharePoint or OneDrive. Here's a simple breakdown:

  1. Identify Clickers: The query first looks at events from the past three days where users clicked on links identified as phishing or malware. It records the earliest click time for each user.

  2. Monitor File Downloads: It then checks for file download activities (like "FileDownloaded" or "FileSyncDownloadedFull") from SharePoint or OneDrive within the same three-day period.

  3. Correlate Events: The query matches users who clicked on malicious links with those who downloaded files, focusing on downloads that happened within six hours after the click.

  4. Analyze Download Activity: For each user, it counts the number of downloads, the distinct files accessed, the applications used, and the IP addresses involved. It also notes the first and last download times.

  5. Flag Suspicious Activity: Users with 50 or more downloads in this context are flagged, and the results are sorted by the number of downloads in descending order.

In essence, this query helps identify users who might be involved in data exfiltration after falling victim to a phishing attack, allowing for further investigation and containment.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

UrlClickEventsCloudAppEvents

Keywords

UrlClickEventsCloudAppEventsSharePointOneDriveFileDownloadedFileSyncDownloadedFullFileAccessedAccountUpnAccountDisplayNameIPAddressObjectNameTimestampApplication

Operators

let|where>ago()has_anysummarizemin()byisnotempty()inextendtolower()joinkind=inneronbetween..count()dcount()make_set()510max()>=sortdesc

Tactics

CollectionExfiltration

MITRE Techniques

Actions

GitHub