
Microsoft 365 Mass download by a single user

Elastic Detection Rules

Summary
This detection rule identifies instances where a single user in Microsoft 365 downloads more than 50 files within one minute, which can indicate a mass data exfiltration attempt. The activity is logged through Microsoft Cloud App Security, and the rule flags it as suspicious behavior that adversaries could use to extract sensitive information from the cloud environment. The rule's query filters logs for successful mass download events so that security analysts can investigate further and respond appropriately. It also provides detailed investigation steps and mitigation measures, emphasizing thorough analysis of user activity logs, recent login patterns, and indicators of account compromise. It further offers guidance on minimizing false positives from legitimate business operations, automated tools, or training sessions that may meet the detection criteria. Recommended response actions include isolating the affected user account, investigating whether the activity is legitimate, and implementing stricter access controls. Such proactive monitoring is critical for protecting sensitive data within an organization's cloud ecosystem.
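As an added illustration (not the rule's own query or Elastic's code), the following Python applies the threshold the rule describes, more than 50 downloads by one user within a sliding one-minute window, to constructed sample audit events; the user names, timestamps and the "FileDownloaded" action label are assumptions, not Microsoft 365 field values taken from this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed sample events: (user, ISO-8601 UTC timestamp, action)."""
    events = []
    # alice: 55 downloads, one per second -> crosses 50 inside a single minute
    events += [("alice@example.com", f"2021-07-15T09:00:{s:02d}Z", "FileDownloaded")
               for s in range(55)]
    # bob: 20 downloads plus non-download noise that must be ignored
    events += [("bob@example.com", f"2021-07-15T09:05:{s:02d}Z", "FileDownloaded")
               for s in range(20)]
    events += [("bob@example.com", f"2021-07-15T09:05:{s:02d}Z", "FileAccessed")
               for s in range(20, 59)]
    # carol: 60 downloads spread over two minutes -> never more than 31 in any minute
    events += [("carol@example.com",
                f"2021-07-15T09:{10 + (2 * s) // 60:02d}:{(2 * s) % 60:02d}Z",
                "FileDownloaded")
               for s in range(60)]
    return events


def detect_mass_downloads(events, threshold=50, window=timedelta(minutes=1)):
    """Return {user: (timestamp, count)} for the first moment each user exceeds
    `threshold` downloads inside a sliding `window`. Events need not be sorted."""
    downloads = [(u, datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), a)
                 for u, t, a in events if a == "FileDownloaded"]
    downloads.sort(key=lambda e: e[1])
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = {}
    for user, ts, _ in downloads:
        if user in alerts:
            continue  # report only the first crossing per user
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict downloads older than the window
            q.popleft()
        if len(q) > threshold:
            alerts[user] = (ts.strftime("%Y-%m-%dT%H:%M:%SZ"), len(q))
    return alerts


if __name__ == "__main__":
    for user, (when, count) in detect_mass_downloads(make_events()).items():
        print(f"ALERT {user}: {count} downloads within one minute at {when}")
```

Carol's 60 downloads over two minutes never trigger, which is the sliding window doing its job; lowering the threshold (as a tuning exercise) shows when she would.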
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • User Account
  • File
  • Web Credential
  • Application Log
Created: 2021-07-15