The "M365 Suspicious Sharing Activity" detection fires when an account shares an unusually large number of files or folders in Microsoft 365 (SharePoint Online or OneDrive) relative to that user's normal sharing behavior. It is an indicator of possible data exfiltration, or of an attacker establishing persistent access to data for extraction over a longer period.
Attackers who control a compromised account can use SharePoint or OneDrive sharing to exfiltrate data without ever downloading it through the compromised session. Sharing links and guest permissions are attached to the shared items, not to the account's credentials, so they keep working after the password is reset and sessions are revoked; unless the shares themselves are removed, the attacker retains remote access to the data after the initial compromise has been detected and remediated.
Users who rarely share data can legitimately share a large amount at once, for example when starting a new project or collaborating on a large set of files. Such a burst can trigger the detection if it stands out against the user's own history or against typical sharing patterns in the organization.
An employee who normally shares very few files suddenly shares a large set of documents; the activity is reviewed to confirm that it is legitimate and compliant.
An attacker with access to an employee's account uses SharePoint's sharing function to share sensitive folders externally, for example with a guest account or through an anonymous "Anyone" link, establishing persistent access to the data for later retrieval.
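The baseline logic described above (scoring a user's daily sharing volume against their own history, with a fallback to organization-wide patterns for users without history), as an added example that is not code from the original page or from the vendor's detection. Field names follow the layout of Office 365 Unified Audit Log records (CreationTime, UserId, Operation, ObjectId, Workload, TargetUserOrGroupType); the users, URLs, events and thresholds are constructed assumptions for illustration.

```python
"""Toy detector for anomalous SharePoint/OneDrive sharing volume.

Added example, not the vendor's or Microsoft's code. Field names follow the
Office 365 Unified Audit Log record shape; the events, users, URLs and
thresholds below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Audit-log operations that grant someone access to a SharePoint/OneDrive item.
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated",
               "SecureLinkCreated", "AddedToSecureLink", "SharingLinkCreated"}
# Recipient types treated as outside the tenant (assumed mapping for this example).
EXTERNAL_TARGET_TYPES = {"Guest", "Partner"}


def is_external(ev):
    """Anonymous 'Anyone' links and guest/partner recipients count as external exposure."""
    if ev["Operation"] == "AnonymousLinkCreated":
        return True
    return ev.get("TargetUserOrGroupType") in EXTERNAL_TARGET_TYPES


def daily_sharing_profile(events):
    """Aggregate sharing events into {user: {date: {total, external, items}}}."""
    profile = defaultdict(lambda: defaultdict(
        lambda: {"total": 0, "external": 0, "items": set()}))
    for ev in events:
        # Only SharePoint/OneDrive sharing operations matter; Exchange etc. are skipped.
        if ev.get("Workload") not in ("SharePoint", "OneDrive") or ev["Operation"] not in SHARING_OPS:
            continue
        day = datetime.fromisoformat(ev["CreationTime"]).date()
        bucket = profile[ev["UserId"]][day]
        bucket["total"] += 1
        bucket["items"].add(ev["ObjectId"])
        if is_external(ev):
            bucket["external"] += 1
    return profile


def detect_suspicious_sharing(events, min_shares=10, ratio=5.0, min_history_days=2):
    """Flag (user, day) pairs whose share count clears an absolute floor AND is at
    least `ratio` times the user's own mean over earlier days. Users with fewer than
    `min_history_days` of history are scored against the org-wide median of
    per-user daily share counts instead, so a habitual heavy sharer is not flagged
    on their first observed day. Thresholds are illustrative, not production tuning."""
    profile = daily_sharing_profile(events)
    all_user_days = [s["total"] for days in profile.values() for s in days.values()]
    org_baseline = median(all_user_days) if all_user_days else 0.0
    alerts = []
    for user, days in profile.items():
        for day, stats in sorted(days.items()):
            history = [s["total"] for d, s in days.items() if d < day]
            if len(history) >= min_history_days:
                baseline, source = sum(history) / len(history), "user"
            else:
                baseline, source = org_baseline, "org"
            if stats["total"] >= min_shares and stats["total"] >= ratio * baseline:
                alerts.append({
                    "user": user, "date": day.isoformat(),
                    "shares": stats["total"], "external": stats["external"],
                    "distinct_items": len(stats["items"]),
                    "baseline": round(baseline, 2), "baseline_source": source,
                })
    return alerts


def _ev(time, user, op, obj, target_type=None, workload="SharePoint"):
    """Build one constructed audit record in the UAL field layout."""
    ev = {"CreationTime": time, "UserId": user, "Operation": op,
          "ObjectId": obj, "Workload": workload}
    if target_type:
        ev["TargetUserOrGroupType"] = target_type
    return ev


# Constructed sample log: alice normally shares one internal file a day, then shares
# twelve distinct finance folders with guests late one evening; bob habitually shares
# about fifteen items a day with colleagues; one Exchange record is noise.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-0{d}T09:00:00", "alice@contoso.com", "SharingSet",
         f"https://contoso.sharepoint.com/sites/hr/notes{d}.docx", "Member")
     for d in (1, 2, 3)]
    + [_ev(f"2024-05-04T22:{i:02d}:00", "alice@contoso.com", "AddedToSecureLink",
           f"https://contoso-my.sharepoint.com/personal/alice/Documents/finance/q{i}", "Guest")
       for i in range(12)]
    + [_ev(f"2024-05-0{d}T10:{i:02d}:00", "bob@contoso.com", "SharingLinkCreated",
           f"https://contoso.sharepoint.com/sites/eng/spec{i}.md", "Member")
       for d in (1, 2, 3, 4) for i in range(15)]
    + [_ev("2024-05-04T11:00:00", "alice@contoso.com", "Send", "msg-1", workload="Exchange")]
)

if __name__ == "__main__":
    for alert in detect_suspicious_sharing(SAMPLE_EVENTS):
        print(alert)
```

On this sample only alice's day of twelve guest shares is flagged; bob's steady fifteen shares a day never exceed his own baseline, and on his first days he is measured against the org-wide median rather than an empty history. Note that the volume anomaly alone cannot separate the legitimate new-project burst from the attacker sharing folders externally; the `external` and `distinct_items` fields are what a triage step uses to tell them apart.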
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized sharing can lead to the exposure of sensitive business data, intellectual property, or regulated information, putting the organization at risk of data loss.
Exposing sensitive data may result in non-compliance with data protection regulations, which can lead to legal and financial repercussions.
Attackers leveraging sharing functions can maintain access to critical data even after the account compromise itself has been remediated, because the sharing links and permissions persist until they are explicitly revoked.
Evaluate the content and context of the files being shared, and who received access (internal users, guest accounts, or anonymous links), to determine whether the exposure is warranted.
Confirm that the permissions granted (view versus edit, link type and expiration) align with the principle of least privilege and organizational policies.
Contact the user involved to ensure the sharing activity is intentional and compliant with company standards.
Monitor additional user behavior to detect patterns suggesting broader compromises or data exfiltration efforts. If the sharing turns out to be unauthorized, revoke the sharing links and external permissions on the affected items in addition to securing the account; remediating the account alone leaves the shares in place.