Hello @brichardi,
It is quite possible that these alerts are false positives, and the activity observed is likely due to automated or background processes triggered by legitimate Microsoft services—particularly related to OneDrive’s "Download as Zip" functionality.
The user agent listed in the alert, “OneDriveMpc-Transform_Zip/1.0,” is a strong indicator that the user initiated a download action involving folders or multiple files, prompting OneDrive or SharePoint to individually access and enumerate each file server-side in preparation for zipping them into a single downloadable archive. This behavior can result in thousands of file access events being recorded, even though the user may have only clicked "Download" once. From the user's perspective, they may have only downloaded one or two items, but if those items were folders or contained multiple files, the system logs each accessed file separately, which can trigger a mass download alert.
Other potential causes include OneDrive sync activity, third-party application access, or misconfigured scripts acting on behalf of the user.
To confirm the legitimacy of the activity, it is recommended to review the Microsoft Purview Audit Logs or use Microsoft Defender for Cloud Apps (MCAS) to examine the detailed actions, timestamps, and source IP addresses. Check whether the access was from a Microsoft IP or the user's actual client IP.
If verified as benign, detection rules can be tuned to suppress similar alerts in the future when they originate from known, trusted sources using the identified user agent.
If you have any further questions or queries, please do let us know.
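The triage the answer describes (group the audit records by user and user agent, count the fan-out, compare client IPs, and single out the zip-transform agent before tuning the rule) can be scripted against exported unified audit log records. This is an added example, not code from the thread or from Microsoft; the records use the unified audit log field names (CreationTime, UserId, Operation, ClientIP, UserAgent, ObjectId), and the sample records, tenant name and IP addresses are constructed.

```python
"""Triage a SharePoint/OneDrive mass-download alert from unified audit log records.

Added example. Sample records below are constructed (contoso.example, RFC 5737 IPs).
"""
from collections import defaultdict
from datetime import datetime

# User agent the answer identifies as OneDrive's server-side "Download as Zip" transform.
ZIP_TRANSFORM_AGENT = "OneDriveMpc-Transform_Zip/1.0"

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def triage(events, min_files=100):
    """Group file-access events by (user, user agent) and summarise each burst.

    Verdicts: 'zip_download' when the burst is the zip transform from a single IP
    (one folder download fanned out into many FileAccessed events, a false-positive
    candidate once the IP is confirmed), 'review' for sync clients, third-party
    apps or scripts, 'below_threshold' when the group is smaller than min_files.
    """
    groups = defaultdict(list)
    for e in events:
        if e["Operation"] in ("FileAccessed", "FileDownloaded"):
            groups[(e["UserId"], e.get("UserAgent", ""))].append(e)
    summaries = []
    for (user, agent), evs in groups.items():
        times = sorted(parse_time(e["CreationTime"]) for e in evs)
        s = {
            "user": user,
            "user_agent": agent,
            "events": len(evs),
            "distinct_files": len({e["ObjectId"] for e in evs}),
            "client_ips": sorted({e["ClientIP"] for e in evs}),  # compare with the user's usual IPs
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
        if len(evs) < min_files:
            s["verdict"] = "below_threshold"
        elif agent == ZIP_TRANSFORM_AGENT and len(s["client_ips"]) == 1:
            s["verdict"] = "zip_download"
        else:
            s["verdict"] = "review"
        summaries.append(s)
    return summaries

# Constructed sample: one folder download fanned out into three FileAccessed records within
# seconds, plus one scripted FileDownloaded from a different IP that should not be suppressed.
SAMPLE = [
    {"CreationTime": f"2024-05-01T09:00:0{i}", "UserId": "alice@contoso.example", "Operation": "FileAccessed",
     "ClientIP": "203.0.113.10", "UserAgent": ZIP_TRANSFORM_AGENT,
     "ObjectId": f"https://contoso.example/personal/alice/Documents/report{i}.docx"} for i in range(3)
] + [
    {"CreationTime": "2024-05-01T09:05:00", "UserId": "alice@contoso.example", "Operation": "FileDownloaded",
     "ClientIP": "198.51.100.7", "UserAgent": "python-requests/2.31",
     "ObjectId": "https://contoso.example/personal/alice/Documents/budget.xlsx"}
]

if __name__ == "__main__":
    for s in triage(SAMPLE, min_files=3):  # threshold lowered for the small sample
        print(s["verdict"], s["user_agent"], s["events"], s["client_ips"], s["span_seconds"])
```

Only the zip-transform group from a single client IP is flagged as a suppression candidate; any other agent reaching the threshold, or the same agent seen from several IPs, stays on the review list.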