Any documentation on how files are "touched" in O365? (CAS Impossible travel alerts)

Christo De Lange 

That's exactly why the impossible travel alert is getting triggered. You can adjust the threshold on this policy based on how sensitive you want it to be. 

"This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials."

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy