
M365 SharePoint/OneDrive File Access via PowerShell

Elastic Detection Rules

Summary
This detection rule identifies file downloads and file access in OneDrive or SharePoint performed with a PowerShell user agent. Adversaries holding an OAuth token obtained through device code phishing can use Invoke-WebRequest or Invoke-RestMethod against the Microsoft Graph API to exfiltrate sensitive data without ever opening a browser. The rule covers both direct PowerShell access and access through the PnP PowerShell module, and matches events where files are downloaded or accessed. FileAccessed events are included because an adversary who reads file content through the API and writes it to disk locally never takes the normal download path, so a rule that looked only for FileDownloaded would miss that activity. Since ordinary SharePoint and OneDrive usage goes through a web browser or the sync client, PowerShell-driven file operations are treated as suspicious. False positives may arise from legitimate PowerShell scripting by IT admins or automation processes, so each hit should be investigated to distinguish malicious collection from routine administrative tasks.
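The detection logic described above, run over a handful of constructed Microsoft 365 unified audit log records. This is an added example for illustration, not the Elastic rule's own query: the field names (Workload, Operation, UserAgent, UserId, ObjectId) follow the M365 audit schema, but the records, the identities and the PnP user-agent string are made up, and the set of matched operations and user-agent fragments is an assumption of this example rather than the rule's exact definition.

```python
"""Toy version of the M365 SharePoint/OneDrive-via-PowerShell detection.

Added example, not the Elastic rule itself. Audit records below are constructed;
the matched operations and user-agent fragments are assumptions for this example.
"""
import json
import re
from collections import defaultdict

# Operations that represent a file being read or pulled out of the tenant.
# FileAccessed is included on purpose: reading content through Graph and writing
# it locally never produces a FileDownloaded event.
FILE_OPERATIONS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}
WORKLOADS = {"SharePoint", "OneDrive"}

# User-agent fragments that indicate PowerShell rather than a browser or the sync
# client. "PnP" is meant to catch the PnP PowerShell module; the exact strings a
# tenant sees should be confirmed against its own logs (assumption for this example).
POWERSHELL_UA = re.compile(r"PowerShell|PnP", re.IGNORECASE)


def is_powershell_file_access(event: dict) -> bool:
    """True when a SharePoint/OneDrive file operation carries a PowerShell user agent."""
    return (
        event.get("Workload") in WORKLOADS
        and event.get("Operation") in FILE_OPERATIONS
        and bool(POWERSHELL_UA.search(event.get("UserAgent", "")))
    )


def load_events(jsonl: str) -> list:
    """Parse one audit record per line (blank lines ignored)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list) -> dict:
    """Return matching file paths grouped by user, so the scope per identity is visible."""
    hits = defaultdict(list)
    for ev in events:
        if is_powershell_file_access(ev):
            hits[ev["UserId"]].append(ev["ObjectId"])
    return dict(hits)


# Constructed audit log: browser and sync-client traffic, two PowerShell file
# operations by one user, a PowerShell hit on Exchange (wrong workload) and a
# PowerShell file write (operation not in scope). Only two records should match.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-02-24T09:12:01","Workload":"SharePoint","Operation":"FileDownloaded","UserId":"carol@example.com","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36","ObjectId":"https://example.sharepoint.com/sites/HR/Shared Documents/handbook.pdf"}
{"CreationTime":"2026-02-24T09:15:44","Workload":"OneDrive","Operation":"FileSyncDownloadedFull","UserId":"carol@example.com","UserAgent":"Microsoft SkyDriveSync 24.020.0128.0001","ObjectId":"https://example-my.sharepoint.com/personal/carol/Documents/notes.docx"}
{"CreationTime":"2026-02-24T09:31:07","Workload":"SharePoint","Operation":"FileDownloaded","UserId":"alice@example.com","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4522","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/Q3-forecast.xlsx"}
{"CreationTime":"2026-02-24T09:31:09","Workload":"SharePoint","Operation":"FileAccessed","UserId":"alice@example.com","UserAgent":"NONISV|SharePointPnP|PnPPS/2.4.0","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/payroll.csv"}
{"CreationTime":"2026-02-24T09:40:12","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"alice@example.com","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4522","ObjectId":"mailbox"}
{"CreationTime":"2026-02-24T09:52:30","Workload":"SharePoint","Operation":"FileModified","UserId":"svc-automation@example.com","UserAgent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4522","ObjectId":"https://example.sharepoint.com/sites/IT/Shared Documents/inventory.csv"}
"""


def run_detection() -> dict:
    """Run the detection over the constructed log and return hits grouped by user."""
    return detect(load_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for user, paths in run_detection().items():
        print(f"{user}: {len(paths)} PowerShell file operation(s)")
        for path in paths:
            print(f"  {path}")
```

Grouping hits by identity rather than emitting one alert per record is what makes triage practical: a service account that touches hundreds of files under a known automation user agent is a candidate for an exception, while a single human identity pulling finance documents through both plain PowerShell and PnP in the same minute is the pattern the rule is meant to surface.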
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
  • Cloud Service
  • Malware Repository
ATT&CK Techniques
  • T1213
  • T1213.002
  • T1530
Created: 2026-02-24