SharePoint • OneDrive • Microsoft Defender XDR • KQL Investigation

The After-Hours Download Nobody Questioned

The login looked normal. The account was valid. MFA had already passed. No high-severity alert appeared.

But late at night, the same user account started downloading files from SharePoint and OneDrive. Not one file. Not two files. Dozens of files.

This Agent Foskett briefing shows how to use Microsoft Defender XDR and KQL to find after-hours file access patterns that may indicate data exposure, insider risk, compromised sessions or unusual user behaviour.

The goal is simple: stop treating “successful access” as automatically safe.

After-hours SharePoint download investigation using Microsoft Defender KQL by GEMXIT
After-hours download summary

A practical Microsoft Defender investigation focused on SharePoint and OneDrive activity that looked legitimate until timing, volume and business context changed the story.

- Detect after-hours file downloads
- Review unusual SharePoint activity
- Identify valid accounts behaving abnormally

🚨 Why after-hours downloads matter
Many data access risks do not start with malware. They start with a valid user, a valid session and file access that technically looks allowed.

The investigation question is not only: “Was the user allowed?”
It is: “Does this activity make sense for that user at that time?”


What we are looking for

This investigation is not looking for a virus. It is looking for behaviour that does not match the business context.

1. Activity outside normal hours: downloads late at night, early in the morning or outside expected business patterns.
2. Large file access volume: a user downloading far more files than they normally would during a short period.
3. Valid account, unusual behaviour: the account may be real, but the activity may not match the person, role or timing.

Baseline query: after-hours SharePoint and OneDrive downloads

Use this query to find after-hours SharePoint and OneDrive file access activity in Microsoft Defender XDR.
after-hours-sharepoint-downloads.kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileDownloaded", "FileAccessed")
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
// Timestamp is UTC, so this 07:00-18:00 window is a UTC window; shift it for users in other time zones
| extend HourOfDay = datetime_part("hour", Timestamp)
| where HourOfDay < 7 or HourOfDay > 18
| summarize
    FileCount = count(),
    UniqueFiles = dcount(ObjectName),
    SitesAccessed = dcount(SiteUrl),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountDisplayName, AccountUpn, IPAddress, ActionType
| where FileCount > 25   // tune this threshold to the organisation's normal volume
| order by FileCount desc
Used for: finding users downloading or accessing files outside normal working hours.
Why it matters: a single download may be harmless. A burst of downloads late at night deserves review.
Best next step: review the user, IP address, sites accessed and whether the activity matches their role.
How to read this query
Look for users downloading many files outside normal working hours. Pay close attention to FileCount, UniqueFiles, SitesAccessed, IPAddress and the time window between FirstSeen and LastSeen.
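A deeper version of the baseline hunt, added here as an example rather than taken from the page: it converts the UTC Timestamp to local time with datetime_utc_to_local(), treats weekends as after hours, and compares each user's 7-day after-hours volume with their own preceding 30 days instead of relying on the fixed FileCount threshold alone. The "Europe/London" zone, the 30-day lookback and the 3x multiplier are assumptions to adjust.

```kql
// Added example (not from the original page): the same after-hours hunt, but
// Timestamp in Advanced Hunting is UTC, so convert to the users' local zone
// before deciding what "after hours" means, treat weekends as after hours,
// and compare each user's recent after-hours volume against their own
// 30-day history instead of a fixed FileCount threshold.
// Assumption: one organisation-wide time zone; replace "Europe/London" as needed.
let LocalTz = "Europe/London";
let StartHour = 7;   // first in-hours hour (local)
let EndHour = 18;    // last in-hours hour (local)
let AfterHoursEvents =
    CloudAppEvents
    | where Timestamp > ago(37d)
    | where ActionType in ("FileDownloaded", "FileAccessed")
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | extend LocalTime = datetime_utc_to_local(Timestamp, LocalTz)
    | extend HourOfDay = datetime_part("hour", LocalTime), DayOfWeek = dayofweek(LocalTime)
    // dayofweek() returns a timespan: 0d is Sunday, 6d is Saturday
    | where HourOfDay < StartHour or HourOfDay > EndHour or DayOfWeek == 0d or DayOfWeek == 6d;
// Per-user baseline: after-hours events per day over the 30 days before the 7-day hunting window
let Baseline =
    AfterHoursEvents
    | where Timestamp < ago(7d)
    | summarize BaselinePerDay = count() / 30.0 by AccountUpn;
AfterHoursEvents
| where Timestamp > ago(7d)
| summarize
    FileCount = count(),
    UniqueFiles = dcount(ObjectName),
    SitesAccessed = dcount(SiteUrl),
    FirstSeen = min(LocalTime),
    LastSeen = max(LocalTime)
    by AccountUpn, IPAddress
| join kind=leftouter Baseline on AccountUpn
| extend ExpectedIn7d = coalesce(BaselinePerDay, 0.0) * 7
// Flag users well above their own norm, and users with no after-hours history at all
| where FileCount > 25 and (ExpectedIn7d == 0 or FileCount > 3 * ExpectedIn7d)
| project AccountUpn, IPAddress, FileCount, ExpectedIn7d, UniqueFiles, SitesAccessed, FirstSeen, LastSeen
| order by FileCount desc
```

A user whose ExpectedIn7d is 0 has never shown after-hours activity in the lookback, which is usually a stronger signal than a high raw count from someone who routinely works late.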

What this activity can indicate

After-hours data access is not automatically malicious. But in the wrong context, it can indicate risk that deserves investigation.
Compromised session: an attacker may be using a valid session token after MFA has already been completed.
Insider data access: a legitimate user may be accessing or extracting data outside normal business behaviour.
Automated or scripted activity: bulk downloads may indicate scripted access, tooling or automation interacting with SharePoint data.

Query: investigate specific user behaviour

Once you identify a user, zoom in on their activity to understand exactly what files were accessed and when.
user-sharepoint-investigation.kql
CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where AccountUpn == "user@yourdomain.com"   // replace with the UPN under investigation
| project
    Timestamp,
    AccountUpn,
    ActionType,
    ObjectName,
    SiteUrl,
    IPAddress
| order by Timestamp desc
Used for: reviewing the exact files accessed, timestamps and SharePoint locations for a specific user.
What to check: look for unfamiliar file names, unusual SharePoint sites and access outside the user’s normal work scope.
Agent Foskett tip: context matters. A finance user accessing finance files may be normal. The same user accessing engineering or HR files may not be.
How to read this query
Start by reviewing Timestamp and ObjectName. Then ask: should this user access these files, should they access them at this time, and does the volume make sense?
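Added example, not part of the original page: rather than reading the raw event list, compare the sites this user touched in the last 7 days with the sites they touched in the 60 days before, so a finance user who suddenly appears on an HR or engineering site stands out even when the file count is small. The UPN is a placeholder and the 60-day lookback is an assumption.

```kql
// Added example (not from the original page): for one user, list SharePoint
// sites and OneDrive locations touched in the last 7 days that the same user
// never touched in the preceding 60 days. A small number of events on a site
// outside the user's normal scope is easy to miss in a raw event list.
// Assumption: the UPN below is a placeholder to replace.
let TargetUser = "user@yourdomain.com";
let KnownSites =
    CloudAppEvents
    | where Timestamp between (ago(67d) .. ago(7d))
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | where AccountUpn =~ TargetUser
    | where isnotempty(SiteUrl)
    | distinct SiteUrl;
CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where AccountUpn =~ TargetUser
| where isnotempty(SiteUrl)
| join kind=leftanti KnownSites on SiteUrl   // keep only sites absent from the user's own history
| summarize
    Events = count(),
    Files = dcount(ObjectName),
    Actions = make_set(ActionType),
    SourceIPs = make_set(IPAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SiteUrl
| order by Events desc
```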

Query: correlate file activity with sign-ins

After identifying unusual file access, correlate it with Entra ID sign-in logs to understand where and how the session started.
sharepoint-to-signinlogs-correlation.kql
let SuspiciousUsers =
    CloudAppEvents
    | where Timestamp > ago(7d)
    | where ActionType == "FileDownloaded"
    | summarize FileCount = count() by AccountUpn
    | where FileCount > 25
    | project AccountUpn;   // in() below needs a single-column table, so drop FileCount
SigninLogs
| where TimeGenerated > ago(7d)   // the Sentinel SigninLogs table keys time on TimeGenerated, not Timestamp
| where UserPrincipalName in~ (SuspiciousUsers)   // in~ ignores UPN casing differences between the two tables
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName
| order by TimeGenerated desc
Used for: connecting file activity to sign-in behaviour, IP addresses and locations.
What to review: look for unfamiliar IP addresses, unusual locations or sign-in patterns that don’t match the user.
Why it matters: this helps determine whether the activity came from the real user or a potentially compromised session.
How to read this query
You are linking behaviour to identity. If file access and sign-in activity do not align, that is where investigation becomes critical.
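Added example, not part of the original page, for the alignment check described above: it keeps only downloads whose source IP never appears in that user's successful sign-ins in the same window, which is the shape a session reused after MFA tends to take. It assumes a Microsoft Sentinel workspace where CloudAppEvents and SigninLogs sit side by side, and the 10-download threshold is an arbitrary starting point.

```kql
// Added example (not from the original page): downloads where the source IP
// address never appears in the user's successful sign-ins for the same period.
// A valid session driven from an address the user never authenticated from is
// the pattern to review when a token is reused after MFA has completed.
// Assumption: Microsoft Sentinel workspace with both CloudAppEvents and the
// Entra ID SigninLogs table; SigninLogs uses TimeGenerated, not Timestamp.
let Window = 7d;
let SignInIPs =
    SigninLogs
    | where TimeGenerated > ago(Window)
    | where tostring(ResultType) == "0"   // successful sign-ins only
    | extend AccountUpn = tolower(UserPrincipalName)
    | distinct AccountUpn, IPAddress;
CloudAppEvents
| where Timestamp > ago(Window)
| where ActionType == "FileDownloaded"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where isnotempty(IPAddress)
| extend AccountUpn = tolower(AccountUpn)   // normalise casing so the join matches
| join kind=leftanti SignInIPs on AccountUpn, IPAddress
| summarize
    Downloads = count(),
    Files = dcount(ObjectName),
    Sites = dcount(SiteUrl),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountUpn, IPAddress
| where Downloads > 10
| order by Downloads desc
```

A session that started before the window will also surface here, so widen the SigninLogs lookback before treating a hit as a compromised session.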

Query: summary of unusual file access by site

This query helps identify which SharePoint locations had the most after-hours activity.
after-hours-site-summary.kql
CloudAppEvents
| where Timestamp > ago(14d)
| where ActionType in ("FileDownloaded", "FileAccessed")
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend HourOfDay = datetime_part("hour", Timestamp)
| where HourOfDay < 7 or HourOfDay > 18
| summarize
    Events = count(),
    Users = dcount(AccountUpn),
    Files = dcount(ObjectName)
    by SiteUrl
| order by Events desc
Used for: finding SharePoint sites with repeated after-hours access.
What to check: focus on sensitive sites such as finance, HR, legal, projects or customer records.
Next step: move from the site summary into individual users and specific file activity.

Continue your investigation

This investigation is part of a wider Agent Foskett threat hunting approach across identity, email, cloud activity and user behaviour.
