M365 Suspicious Download Activity
Detection overview
Triggers
- An account was seen downloading an unusual number of objects compared to the user’s past behavior or the behavior of other O365 users.
Possible Root Causes
- An attacker may be using SharePoint / OneDrive download functions to exfiltrate data.
- Users downloading an unusually large number of files as they start new projects, back up data or access multiple files to support their job function.
Business Impact
- Ability to exfiltrate a significant number of sensitive files from the enterprise is often the last stage of the security compromise.
- Exfiltration of sensitive business data may lead to loss of control of company secrets and intellectual property.
Steps to Verify
- Review the details and contents of the files to assess risk, and validate these are authorized downloads.
- Review additional detections and events by the source user which may indicate their account has been compromised.
M365 Suspicious Download Activity
Possible root causes
Malicious Detection
Benign Detection
M365 Suspicious Download Activity
Example scenarios
M365 Suspicious Download Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspicious Download Activity
Steps to investigate
M365 Suspicious Download Activity
Related detections
No items found.