- An account was observed downloading an unusual number of SharePoint / OneDrive objects compared with that user's past behavior or with the behavior of other O365 users.
- The Threat score is driven by a combination of factors, including the quantity of objects downloaded, how rarely those objects are normally downloaded, and how rarely downloads are normally made from the source sites those objects came from.
- The Certainty score is driven by a combination of factors, including a historical baseline of that user's download volume, a comparison of that user with other users, and dimensions related to the locations from which these objects were downloaded.
Possible Root Causes
- An attacker may be using SharePoint / OneDrive download functions to exfiltrate data.
- Users may legitimately download an unusually large number of files when they start new projects, back up data, or need many files to support their job function.
Business Impact
- The ability to exfiltrate a significant number of sensitive files from the enterprise is often the final stage of a security compromise.
- Exfiltration of sensitive business data may lead to loss of control over company secrets and intellectual property.
Steps to Verify
- Review the details and contents of the downloaded files to assess the risk, and validate that these were authorized downloads.
- Review other detections and events associated with the source user that may indicate the account has been compromised.
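The scoring factors listed in the first bullets (volume against the user's own baseline and against peers, rarity of the objects, rarity of the source sites) and the per-site, per-file review called for under Steps to Verify, run over constructed sample events, as an added example that is not the product's own scoring model or code. The record layout loosely follows Office 365 unified audit log FileDownloaded entries; the field names, the weights, the "10x baseline saturates" and "5 sigma saturates" cut-offs, the one-download standard-deviation floor, the tenant name and the user names are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, median, pstdev

# Illustrative weights (assumption): the product's real model is not public.
W_THREAT = {"quantity": 0.5, "object_rarity": 0.25, "site_rarity": 0.25}
W_CERTAINTY = {"baseline": 0.4, "peers": 0.3, "location": 0.3}


def _day(i):
    """ISO date for day i of the constructed window; ISO strings compare chronologically."""
    return (date(2024, 5, 1) + timedelta(days=i)).isoformat()


def _event(user, day, site, name):
    """Constructed record, loosely shaped like a unified-audit-log FileDownloaded entry."""
    return {"CreationTime": day, "UserId": user, "Operation": "FileDownloaded",
            "SiteUrl": site, "SourceFileName": name}


SITE = "https://contoso.sharepoint.com/sites/"
ROUTINE = {  # each user's everyday site and files (constructed)
    "alice@contoso.com": (SITE + "eng", ["eng-spec.docx", "eng-roadmap.xlsx", "eng-notes.txt"]),
    "bob@contoso.com": (SITE + "finance", ["q1-ledger.xlsx", "budget.xlsx", "forecast.pptx", "invoices.pdf"]),
    "carol@contoso.com": (SITE + "hr", ["handbook.pdf", "payroll.xlsx"]),
}
TODAY = _day(10)
# Ten days of history plus today's routine traffic ...
EVENTS = [_event(u, _day(i), site, n)
          for i in range(11) for u, (site, files) in ROUTINE.items() for n in files]
# ... then today alice pulls 30 finance files she has never touched and 10 files
# from a legal site nobody in the tenant has downloaded from before.
EVENTS += [_event("alice@contoso.com", TODAY, SITE + "finance", f"ledger-archive-{k}.xlsx") for k in range(30)]
EVENTS += [_event("alice@contoso.com", TODAY, SITE + "legal", f"contract-{k}.pdf") for k in range(10)]


def _clamp(x):
    return max(0.0, min(1.0, x))


def analyze_user(events, user, current_day):
    """Score one user's downloads on current_day against history; None if the user downloaded nothing."""
    downloads = [e for e in events if e["Operation"] == "FileDownloaded"]
    history = [e for e in downloads if e["CreationTime"] < current_day]
    today = [e for e in downloads if e["CreationTime"] == current_day and e["UserId"] == user]
    count = len(today)
    if count == 0:
        return None

    # Daily download counts over the history window, zero-download days included.
    days = sorted({e["CreationTime"] for e in history})
    per_user = defaultdict(Counter)
    for e in history:
        per_user[e["UserId"]][e["CreationTime"]] += 1
    own = [per_user[user][d] for d in days]
    peers = [per_user[u][d] for u in list(per_user) if u != user for d in days]
    base_mean = mean(own) if own else 0.0
    base_std = max(pstdev(own), 1.0) if own else 1.0  # floor of one download (assumption)
    peer_median = median(peers) if peers else 0.0

    # Rarity: objects and sites never seen in the tenant's history vs. sites new to this user.
    seen_objects = {(e["SiteUrl"], e["SourceFileName"]) for e in history}
    seen_sites = {e["SiteUrl"] for e in history}
    own_sites = {e["SiteUrl"] for e in history if e["UserId"] == user}
    new_objects = [e for e in today if (e["SiteUrl"], e["SourceFileName"]) not in seen_objects]
    new_sites = [e for e in today if e["SiteUrl"] not in seen_sites]    # new to the tenant
    moved_sites = [e for e in today if e["SiteUrl"] not in own_sites]   # new to this user

    factors = {
        "quantity": _clamp(count / max(base_mean, 1.0) / 10),  # 10x baseline saturates (assumption)
        "object_rarity": len(new_objects) / count,
        "site_rarity": len(new_sites) / count,
        "baseline": _clamp((count - base_mean) / base_std / 5),  # z-score, 5 sigma saturates
        "peers": _clamp(count / max(peer_median, 1.0) / 10),
        "location": len(moved_sites) / count,
    }
    threat = round(100 * sum(W_THREAT[k] * factors[k] for k in W_THREAT))
    certainty = round(100 * sum(W_CERTAINTY[k] * factors[k] for k in W_CERTAINTY))
    return {
        "user": user, "count": count, "baseline_mean": base_mean, "peer_median": peer_median,
        "threat": threat, "certainty": certainty, "factors": factors,
        # Material for Steps to Verify: where the files came from and which were never seen before.
        "sites": Counter(e["SiteUrl"] for e in today),
        "unseen_files": sorted(e["SourceFileName"] for e in new_objects),
    }


def score_all(events, current_day):
    users = sorted({e["UserId"] for e in events if e["CreationTime"] == current_day})
    return [r for r in (analyze_user(events, u, current_day) for u in users) if r]


if __name__ == "__main__":
    for r in score_all(EVENTS, TODAY):
        print(f"{r['user']}: {r['count']} downloads (baseline {r['baseline_mean']:.1f}/day), "
              f"threat={r['threat']} certainty={r['certainty']}")
        for site, n in r["sites"].most_common():
            print(f"    {n:3d} from {site}")
```

Against this data alice scores high on both axes (43 downloads against a baseline of 3 per day, 40 of them files nobody had fetched before, 40 of them from sites she had never used), while bob and carol stay in single digits. The split between tenant-wide rarity (feeding Threat) and deviation from the user's own history and peers (feeding Certainty) mirrors the two bullet lists above; the `sites` and `unseen_files` fields are the starting point for the file and site review under Steps to Verify.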