Microsoft Defender XDR False Positive for SharePoint/OneDrive File Downloads

brichardi 361 Reputation points
2025-05-07T13:14:42.91+00:00

Multiple Microsoft Defender alerts have been triggered, indicating users downloading a large number of files within a short timeframe (ranging from a couple of hundred to thousands). When reaching out to the users, confirmations have indicated that they either did not download any files or only downloaded 1 or 2 files.

Is it possible for someone to confirm if this might be a false positive alert from Microsoft Defender XDR, and what could be the reasons behind it?

The alert details are as follows:

"SOC has detected an alert user downloading a huge number of files in a short time from SharePoint or OneDrive, involving the user John Smith. The account ******@contoso.com has accessed 2265 files in SharePoint with the client IP 192.xx.xx.xx. The user agent is “OneDriveMpc-Transform_Zip/1.0.” Please let us know if this is a legitimate activity."

"SOC has detected an alert user downloading a huge number of files in a short time from SharePoint or OneDrive, involving the user John Smith. The account ******@contoso.com has accessed 2265 files in SharePoint with the client IP 172.xx.xx.xx. The user agent is 'OneDriveMpc-Transform_Zip/1.0.' Please let us know if this is a legitimate activity."

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

Jyotishree Moharana 1,845 Reputation points, Microsoft External Staff Moderator
2025-05-08T16:29:01.55+00:00

Hello @brichardi,

It is quite possible that these alerts are false positives, and the activity observed is likely due to automated or background processes triggered by legitimate Microsoft services—particularly related to OneDrive’s "Download as Zip" functionality.

The user agent listed in the alert, “OneDriveMpc-Transform_Zip/1.0,” is a strong indicator that the user initiated a download action involving folders or multiple files, prompting OneDrive or SharePoint to individually access and enumerate each file server-side in preparation for zipping them into a single downloadable archive. This behavior can result in thousands of file access events being recorded, even though the user may have only clicked "Download" once. From the user's perspective, they may have only downloaded one or two items, but if those items were folders or contained multiple files, the system logs each accessed file separately, which can trigger a mass download alert.

Other potential causes include OneDrive sync activity, third-party application access, or misconfigured scripts acting on behalf of the user.

To confirm the legitimacy of the activity, it is recommended to review the Microsoft Purview Audit Logs or use Microsoft Defender for Cloud Apps (MCAS) to examine the detailed actions, timestamps, and source IP addresses. Check whether the access was from a Microsoft IP or the user's actual client IP.

If verified as benign, detection rules can be tuned to suppress similar alerts in the future when they originate from known, trusted sources using the identified user agent.

If you have any further questions or queries, please do let us know.
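One way to carry out the audit-log review the answer recommends, as an added example that is not part of this thread and not Microsoft tooling. It takes exported audit records (constructed here; the field names CreationTime, Operation, UserId, ClientIP, UserAgent and ObjectId follow the Unified Audit Log SharePoint schema as assumed), finds each user's densest run of download-type events inside a time window, and separates the "Download as Zip" fan-out pattern (nearly every event tagged with the OneDriveMpc-Transform_Zip/1.0 user agent and all files under one or a few parent folders) from a burst that still needs a human look. Thresholds, window size and the zip-share cut-off are assumptions to be tuned per tenant.

```python
"""Triage a 'mass download from SharePoint/OneDrive' alert from audit records.

Added example, not Microsoft code. Records are constructed below and use the
field names assumed for Unified Audit Log SharePoint entries.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ZIP_AGENT = "OneDriveMpc-Transform_Zip/1.0"       # user agent quoted in the alert
DOWNLOAD_OPS = {"FileDownloaded", "FileAccessed"}  # operations the alert counts
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def _densest_window(times, window):
    """Return (start, length) of the longest run of sorted timestamps that
    fits inside `window` (simple sliding-window scan)."""
    best_start, best_len, start = 0, 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > best_len:
            best_start, best_len = start, end - start + 1
    return best_start, best_len


def triage(records, window_minutes=10, threshold=100, zip_share_min=0.9):
    """Find users whose download-type events exceed `threshold` within
    `window_minutes` and classify each burst.

    'likely-zip-fanout': almost every event carries the zip-transform user
    agent and the files sit under at most three parent folders, which is the
    server enumerating a folder for a single 'Download' click.
    'investigate': a burst that does not fit that pattern (browser, sync
    client, API or script activity).
    """
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            by_user[r["UserId"]].append(r)

    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["CreationTime"])   # fixed-width ISO timestamps sort as text
        times = [datetime.strptime(r["CreationTime"], TS_FMT) for r in evs]
        start, n = _densest_window(times, timedelta(minutes=window_minutes))
        if n < threshold:
            continue                                # below alert threshold
        burst = evs[start:start + n]
        agents = Counter(r["UserAgent"] for r in burst)
        zip_share = agents[ZIP_AGENT] / n
        parents = {r["ObjectId"].rsplit("/", 1)[0] for r in burst}
        verdict = ("likely-zip-fanout"
                   if zip_share >= zip_share_min and len(parents) <= 3
                   else "investigate")
        results[user] = {
            "events": n,
            "client_ips": sorted({r["ClientIP"] for r in burst}),
            "zip_share": round(zip_share, 2),
            "parent_folders": len(parents),
            "verdict": verdict,
        }
    return results


def sample_records():
    """Constructed sample data, not real tenant logs."""
    base = datetime(2025, 5, 7, 9, 0, 0)
    site = "https://contoso.sharepoint.com/sites"
    recs = []
    # Actor A: one 'Download' of a 120-file folder; the service touches every file.
    for i in range(120):
        recs.append({"CreationTime": (base + timedelta(seconds=i)).strftime(TS_FMT),
                     "Operation": "FileAccessed", "UserId": "user.a@contoso.com",
                     "ClientIP": "192.0.2.10", "UserAgent": ZIP_AGENT,
                     "ObjectId": f"{site}/Finance/Shared Documents/Q1/report_{i}.xlsx"})
    # Actor B: 150 browser downloads spread over 12 different sites.
    for i in range(150):
        recs.append({"CreationTime": (base + timedelta(seconds=i)).strftime(TS_FMT),
                     "Operation": "FileDownloaded", "UserId": "user.b@contoso.com",
                     "ClientIP": "198.51.100.7",
                     "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
                     "ObjectId": f"{site}/Site{i % 12}/Shared Documents/doc_{i}.docx"})
    # Actor C: two ordinary downloads, well under any threshold.
    for i in range(2):
        recs.append({"CreationTime": (base + timedelta(minutes=i)).strftime(TS_FMT),
                     "Operation": "FileDownloaded", "UserId": "user.c@contoso.com",
                     "ClientIP": "203.0.113.5",
                     "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
                     "ObjectId": f"{site}/HR/Shared Documents/policy_{i}.pdf"})
    return recs


if __name__ == "__main__":
    for user, info in triage(sample_records()).items():
        print(user, info)
```

Run against the constructed data, user A is reported as likely zip fan-out and user B as needing investigation, while user C never appears. In practice the records would come from a Purview audit search or a Defender for Cloud Apps export, and the verdict is only a triage hint: the answer's advice to confirm the single "Download" click with the user and check the client IP still applies.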
