MDO Hunting - Malicious Files in SharePoint / OneDrive
MDO 22 Malicious Files Share Point One Drive
Query
// Validate columns first: FileMaliciousContentInfo | getschema
FileMaliciousContentInfo
| where Timestamp > ago(14d)
| sort by Timestamp descExplanation
This query is designed to identify and analyze malicious files detected in SharePoint, OneDrive, and Teams using Microsoft Defender for Office 365. Here's a simple breakdown:
-
Purpose: The query helps in hunting for malicious files flagged by Defender for Office 365's Safe Attachments feature. It focuses on files stored in collaborative platforms like SharePoint, OneDrive, and Teams.
-
Data Source: It uses data from the
FileMaliciousContentInfotable, which contains information about detected malicious files. -
Columns: Before running the query, it's important to check the schema of
FileMaliciousContentInfoto ensure it includes columns like Timestamp, FileName, SHA256, ThreatType/ThreatName, DetectionMethods, and a location field for SharePoint or OneDrive. -
Filtering: The query filters the data to show only entries from the last 14 days, sorting them by the most recent first.
-
Triage: For further investigation, it suggests checking the SHA256 hash of each file in the
CloudAppEventstable to identify who accessed the file before it was blocked. Additionally, it recommends looking at endpoint tables to see if the file was executed on any devices. -
Security Context: The query is associated with tactics like Lateral Movement and Collection, and techniques such as T1080 (Taint Shared Content) and T1213 (Data from Information Repositories).
Overall, this query is a tool for security analysts to track and investigate malicious files within Microsoft's cloud collaboration services.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics