M365 Suspicious Download Activity

Detection overview

Triggers

  • An account was seen downloading an unusual number of objects compared to the user’s past behavior or the behavior of other O365 users.
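As an added illustration (not Vectra's own detection code), the following Python models the trigger above: it counts download events per user per day from constructed M365 unified-audit-log-style records and flags a user whose count stands out from both their own history and their peers on the same day. The field names and the FileDownloaded / FileSyncDownloadedFull operations follow the Office 365 audit schema; the z-score threshold and minimum count are assumptions chosen for this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Operations the M365 unified audit log records for SharePoint/OneDrive downloads.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def build_sample_log():
    """Constructed records (not real data): 31 days of routine activity for
    three users, plus 150 extra downloads by alice late on the last day."""
    records = []
    for day in range(1, 32):
        for user, n in (("alice@example.com", 5 + day % 3),
                        ("bob@example.com", 7), ("carol@example.com", 4)):
            records += [{"CreationTime": f"2024-05-{day:02d}T09:{i:02d}:00",
                         "UserId": user, "Operation": "FileDownloaded"}
                        for i in range(n)]
    records += [{"CreationTime": f"2024-05-31T22:{i % 60:02d}:{i // 60:02d}",
                 "UserId": "alice@example.com", "Operation": "FileDownloaded"}
                for i in range(150)]
    return records

def daily_counts(records):
    """Return user -> Counter(date -> number of download events)."""
    counts = defaultdict(Counter)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            counts[r["UserId"]][r["CreationTime"][:10]] += 1
    return counts

def flag_suspicious(records, day, z_threshold=3.0, min_count=20):
    """Flag users whose downloads on `day` exceed their own baseline and/or the
    peer population by more than z_threshold standard deviations. min_count
    avoids alerting on a user with a near-zero baseline who fetched a handful."""
    counts = daily_counts(records)
    today = {u: c.get(day, 0) for u, c in counts.items()}
    findings = []
    for user, n in today.items():
        if n < min_count:
            continue
        history = [c for d, c in counts[user].items() if d != day]
        peers = [c for u, c in today.items() if u != user]
        reasons = []
        if len(history) >= 7:  # need enough past days for a usable baseline
            mu, sd = mean(history), pstdev(history) or 1.0
            if (n - mu) / sd > z_threshold:
                reasons.append(f"{n} downloads vs own baseline {mu:.1f} (sd {sd:.1f})")
        if peers:
            mu, sd = mean(peers), pstdev(peers) or 1.0
            if (n - mu) / sd > z_threshold:
                reasons.append(f"{n} downloads vs peer mean {mu:.1f} (sd {sd:.1f})")
        if reasons:
            findings.append((user, n, reasons))
    return findings
```

A flagged user is only a lead: the file list behind those events still needs to be reviewed for sensitivity and confirmed as authorized, as the verification steps below describe.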

Possible Root Causes

  • An attacker may be using SharePoint / OneDrive download functions to exfiltrate data.
  • Users downloading an unusually large number of files as they start new projects, back up data or access multiple files to support their job function.

Business Impact

  • The ability to exfiltrate a significant number of sensitive files from the enterprise is often the final stage of a security compromise.
  • Exfiltration of sensitive business data may lead to loss of control of company secrets and intellectual property.

Steps to Verify

  • Review the details and contents of the files to assess risk, and validate these are authorized downloads.
  • Review additional detections and events by the source user that may indicate the account has been compromised.