M365 Exfiltration Before Termination

View all detections
M365 Exfiltration Before Termination


  • The risk of insider threat has been observed by an account downloading or exfiltrating files prior to that account being deleted or disabled.

Possible Root Causes

  • A user with foreknowledge of separation or reassignment has intentionally acquired or stolen organizational data prior to departure with the intent to retain access to information or data for which they will no longer be authorized access.
  • In some cases, suspicious data acquisition by a user prior to a separation or reassignment event may be part of an authorized activity.

Business Impact

  • Insider threat places an organization at risk of loss of sensitive information such as intellectual property, financial data, or other data associated with legal and compliance protections.
  • The successful exfiltration of data by an insider may lead to regulatory fines or penalties, loss of competitive advantages, or other outcomes detrimental to business and organizational success.

Steps to Verify

  • Investigate the reason this account was disabled or deleted, and if maintaining access to these files continues to be authorized.
  • Investigate if the files associated with this detection include sensitive information.