Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Back to all detections

M365 eDiscovery Exfil

M365 eDiscovery Exfil
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • A user is previewing or downloading the results of an eDiscovery activity.

Possible Root Causes

  • An adversary has gained access to eDiscovery capabilities and is using that access to collect or exfiltrate data.
  • One of a small set of users authorized to perform eDiscovery has been observed doing so.

Business Impact

  • eDiscovery capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
  • eDiscovery capabilities may include data traditionally inaccessible through other means but preserved as part of a litigation hold.

Steps to Verify

  • eDiscovery activities from unauthorized users should be immediately investigated.
  • Users authorized for eDiscovery should be explicitly triaged in this system to avoid future detections.
M365 eDiscovery Exfil

Possible root causes

Malicious Detection

Benign Detection

M365 eDiscovery Exfil

Example scenarios

M365 eDiscovery Exfil

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

M365 eDiscovery Exfil

Steps to investigate

M365 eDiscovery Exfil

MITRE ATT&CK techniques covered

Exfiltration Over Alternative Protocol

T1048
M365 eDiscovery Exfil

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs