
M365 OneDrive Excessive File Downloads with OAuth Token

Elastic Detection Rules

Summary
This rule aims to identify excessive file downloads from Microsoft OneDrive using OAuth authentication, a method adversaries can abuse to impersonate users and exfiltrate data. By monitoring the number of files downloaded within a specific timeframe, usually 14 days, the rule helps detect unusual activity that could indicate a phishing campaign or other unauthorized access. Key parameters are the use of OAuth for authentication and successful download actions recorded under the OneDrive provider. Investigative steps include examining the user's download patterns, correlating the logs with sign-in records, and assessing the legitimacy of the authentication methods used. Depending on the findings, response actions may include revoking tokens, modifying application permissions, and educating users on the risks associated with OAuth phishing.
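As an added illustration of the counting logic described above (not Elastic's rule query or code), the following Python sketch filters constructed audit records for successful OneDrive downloads authenticated with OAuth and flags users whose downloads reach a threshold inside a sliding 14-day window. The field names, the threshold of 40, and the sample users and timestamps are assumptions made for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _event(user, ts, auth, outcome="success"):
    """Build one constructed audit record (ECS-like field names are assumptions)."""
    return json.dumps({
        "@timestamp": ts,
        "event": {"provider": "OneDrive", "action": "FileDownloaded", "outcome": outcome},
        "user": {"name": user},
        "o365": {"audit": {"AuthenticationType": auth}},
    })

# Constructed sample: alice downloads 45 files via OAuth over three days (plus one
# failed download); bob downloads 45 files with a browser-cookie session instead.
SAMPLE_NDJSON = "\n".join(
    [_event("alice@example.com", f"2025-02-{1 + i // 20:02d}T10:{i % 60:02d}:00Z", "OAuth")
     for i in range(45)]
    + [_event("bob@example.com", f"2025-02-01T11:{i:02d}:00Z", "FormsCookieAuth")
       for i in range(45)]
    + [_event("alice@example.com", "2025-02-03T12:00:00Z", "OAuth", outcome="failure")]
)

def is_oauth_onedrive_download(rec):
    """The rule's stated criteria: a successful OneDrive download authenticated with OAuth."""
    return (rec["event"]["provider"] == "OneDrive"
            and rec["event"]["action"] == "FileDownloaded"
            and rec["event"]["outcome"] == "success"
            and rec["o365"]["audit"]["AuthenticationType"] == "OAuth")

def excessive_downloads(ndjson, threshold=40, window_days=14):
    """Return {user: peak count} for users reaching `threshold` matching downloads in any `window_days` window."""
    per_user = defaultdict(list)
    for line in filter(str.strip, ndjson.splitlines()):
        rec = json.loads(line)
        if is_oauth_onedrive_download(rec):
            ts = datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))
            per_user[rec["user"]["name"]].append(ts)
    window, flagged = timedelta(days=window_days), {}
    for user, times in per_user.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:   # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Bob's downloads are ignored because they were not OAuth-authenticated, and alice's failed download does not count; only alice is flagged, with a peak of 45.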
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1530
Created: 2025-02-19