M365 Suspicious Download Activity

View all detections
M365 Suspicious Download Activity


  • An account was seen downloading an unusual number of objects compared to the user’s past behavior or the behavior of other O365 users.

Possible Root Causes

  • An attacker may be using SharePoint / OneDrive download functions to exfiltrate data.
  • Users downloading an unusually large number of files as they start new projects, back up data or access multiple files to support their job function.

Business Impact

  • Ability to exfiltrate a significant number of sensitive files from the enterprise is often the last stage of the security compromise.
  • Exfiltration of sensitive business data may lead to loss of control of company secrets and intellectual property.

Steps to Verify

  • Review the details and contents of the files to assess risk, and validate these are authorized downloads.
  • Review additional detections and events by the source user which may indicate their account has been compromised.