
Summary
This detection rule identifies potential data exfiltration in Office 365 by monitoring for unusual behavior indicating that a user has downloaded an excessive number of files within a short timeframe. Such activity can suggest that an attacker is preparing to exfiltrate data or that an insider is attempting to remove sensitive organizational information. The rule flags instances where more than 50 files are downloaded, and treats the activity as higher risk when Azure Guest accounts (identified by #EXT# in their UserId) are involved. The detection relies on querying the Office 365 Unified Audit Log for 'filedownloaded' operations, aggregating the results per user to determine unique user activity and the associated metadata around the downloads (such as Client IP and User Agent). External references provide context on the related attack techniques and detection evasion strategies.
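The detection logic described above, as an added Python example that is not part of the rule itself: it filters constructed audit records for FileDownloaded operations, counts them per user inside a sliding window, applies the >50 threshold, flags #EXT# guest accounts and collects Client IP and User Agent metadata. The 30-minute window and the record field names are assumptions; the original rule only says "a short timeframe".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real audit data); field names follow the
# Office 365 Unified Audit Log schema as assumed here: Operation, UserId,
# ClientIP, UserAgent, CreationTime (ISO 8601).
def _make_records():
    recs = []
    base = datetime(2024, 10, 14, 9, 0, 0)
    # Guest account pulling 60 files in ten minutes: should trigger.
    for i in range(60):
        recs.append({"Operation": "FileDownloaded",
                     "UserId": "alice_contoso.com#EXT#@tenant.onmicrosoft.com",
                     "ClientIP": "203.0.113.7", "UserAgent": "OneDriveMpc-Web",
                     "CreationTime": (base + timedelta(seconds=10 * i)).isoformat()})
    # Normal user, 20 downloads spread over a workday: should not trigger.
    for i in range(20):
        recs.append({"Operation": "FileDownloaded", "UserId": "bob@tenant.onmicrosoft.com",
                     "ClientIP": "198.51.100.5", "UserAgent": "Mozilla/5.0",
                     "CreationTime": (base + timedelta(minutes=20 * i)).isoformat()})
    # Unrelated operation that the filter must ignore.
    recs.append({"Operation": "FileAccessed", "UserId": "bob@tenant.onmicrosoft.com",
                 "ClientIP": "198.51.100.5", "UserAgent": "Mozilla/5.0",
                 "CreationTime": base.isoformat()})
    return recs

SAMPLE_RECORDS = _make_records()

def detect_bulk_downloads(records, threshold=50, window=timedelta(minutes=30)):
    """Return one finding per user whose FileDownloaded events exceed
    `threshold` inside any sliding `window` (window length is an assumption)."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation", "").lower() == "filedownloaded":
            per_user[r["UserId"]].append(r)
    findings = []
    for user, evts in per_user.items():
        evts.sort(key=lambda r: r["CreationTime"])
        times = [datetime.fromisoformat(r["CreationTime"]) for r in evts]
        start, peak = 0, 0
        for end in range(len(times)):  # densest window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings.append({
                "UserId": user, "DownloadCount": peak,
                "IsGuest": "#EXT#" in user,  # Azure guest accounts carry #EXT#
                "ClientIPs": sorted({r["ClientIP"] for r in evts}),  # all of the user's downloads
                "UserAgents": sorted({r["UserAgent"] for r in evts}),
            })
    return findings
```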
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- File
- Application Log
ATT&CK Techniques
- T1567
- T1530
Created: 2024-10-14