As OP uses MetaMask which is a browser based wallet: which browser extensions do you have installed? If you don't pay attention to what extensive rights some extensions demand and if you install shady ones, you're quick in trouble.
I consider a browser based wallet like MetaMask already as a very bad idea. Browsers are very complex software beasts that constantly interact with the www, that is mostly external data thrown at your try-to-be-everything-software-renderer which has gazillions of bugs, constantly.
Any exploit in your browser puts your browser wallet at risk. What could possibly go wrong here? Nevermind...
<snip>
That is indeed quite uncommon behavior of a malicious actor who has enough control to send coins from OP's wallet.