O365 Suspicious Download Activity

View all detections
O365 Suspicious Download Activity


  • An account was seen downloading an unusual number of objects compared to the user’s past behavior or the behavior of other O365 users.
  • The Threat score is driven by a combination of factors which include the quantity of objects downloaded, the relative rarity associated with downloading those objects, and rarity of downloading from the source sites for those objects.
  • The Certainty score is driven by a combination of factors which include a historic baseline of that user’s download volumes, a comparison of that user relative to other users, and dimensions related to the locations where these objects have been downloaded from.

Possible Root Causes

  • An attacker may be using SharePoint / OneDrive download functions to exfiltrate data.
  • Users downloading an unusually large number of files as they start new projects, back up data or access multiple files to support their job function.

Business Impact

  • Ability to exfiltrate a significant number of sensitive files from the enterprise is often the last stage of the security compromise.
  • Exfiltration of sensitive business data may lead to loss of control of company secrets and intellectual property.

Steps to Verify

  • Review the details and contents of the files to assess risk, and validate these are authorized downloads.
  • Review additional detections and events by the source user which may indicate their account has been compromised.