M365 Suspicious Sharing Activity

Triggers

• An account was seen sharing files and/or folders at a volume that is higher than is normal for both the environment and for the account.

Possible Root Causes

• Attackers may use SharePoint/OneDrive sharing functions to exfiltrate data and enable ongoing access to data over extended periods of time.
• Use of sharing enables attackers to maintain access to data after an a compromised account is remediated
• Users who rarely share files may periodically share more files than most other users in the environment as part of their job function.

Business Impact

• While some level of sharing may be normal for an environment or user, those users who emerge as sharing unusual amounts of data should be reviewed to validate the sharing is legitimate and does not pose a risk.
• Sharing of a large volume or breadth of files or folders exposes the organization to an increased risk of data theft or loss.

Steps to Verify

• Review the data being shared to determine if the information should be exposed to external parties.
• Review the sharing permissions to ensure the least possible data is exposed. • Validate with the user that the sharing was intended and follows organizational policies on data sharing with external parties.