Query Details

MDO Hunting - Malicious Files in SharePoint / OneDrive

MDO 22 Malicious Files Share Point One Drive

Query

// Validate columns first:  FileMaliciousContentInfo | getschema
FileMaliciousContentInfo
| where Timestamp > ago(14d)
| sort by Timestamp desc

Explanation

This query is designed to identify and analyze malicious files detected in SharePoint, OneDrive, and Teams using Microsoft Defender for Office 365. Here's a simple breakdown:

  • Purpose: The query helps in hunting for malicious files flagged by Defender for Office 365's Safe Attachments feature. It focuses on files stored in collaborative platforms like SharePoint, OneDrive, and Teams.

  • Data Source: It uses data from the FileMaliciousContentInfo table, which contains information about detected malicious files.

  • Columns: Before running the query, it's important to check the schema of FileMaliciousContentInfo to ensure it includes columns like Timestamp, FileName, SHA256, ThreatType/ThreatName, DetectionMethods, and a location field for SharePoint or OneDrive.

  • Filtering: The query filters the data to show only entries from the last 14 days, sorting them by the most recent first.

  • Triage: For further investigation, it suggests checking the SHA256 hash of each file in the CloudAppEvents table to identify who accessed the file before it was blocked. Additionally, it recommends looking at endpoint tables to see if the file was executed on any devices.

  • Security Context: The query is associated with tactics like Lateral Movement and Collection, and techniques such as T1080 (Taint Shared Content) and T1213 (Data from Information Repositories).

Overall, this query is a tool for security analysts to track and investigate malicious files within Microsoft's cloud collaboration services.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

FileMaliciousContentInfo

Keywords

MaliciousFilesSharePointOneDriveDefenderOfficeSafeAttachmentsTeamsFileMaliciousContentInfoTimestampFileNameSHA256ThreatTypeThreatNameDetectionMethodsSiteLibraryLocationCloudAppEventsFileDownloadedEndpointTablesExecutionMicrosoftThreatProtectionLateralMovementCollection

Operators

|wheresort bydescago

Tactics

LateralMovementCollection

MITRE Techniques

Actions

GitHub