M365 Suspicious Sharing Activity

Detection overview

Triggers

  • An account was seen sharing files and/or folders at a volume that is higher than normal for both the environment and the account itself.

Possible Root Causes

  • Attackers may use SharePoint/OneDrive sharing functions to exfiltrate data and to enable ongoing access to data over extended periods of time.
  • Sharing enables attackers to retain access to data after a compromised account has been remediated, because the share persists independently of the account's credentials.
  • Users who rarely share files may periodically share more files than most other users in the environment as part of their job function.

Business Impact

  • While some level of sharing may be normal for an environment or user, those users who emerge as sharing unusual amounts of data should be reviewed to validate the sharing is legitimate and does not pose a risk.
  • Sharing of a large volume or breadth of files or folders exposes the organization to an increased risk of data theft or loss.

Steps to Verify

  • Review the data being shared to determine if the information should be exposed to external parties.
  • Review the sharing permissions to ensure the least possible data is exposed.
  • Validate with the user that the sharing was intended and follows organizational policies on data sharing with external parties.
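The trigger described above (sharing volume that is unusual against both the account's own history and the environment's) and the verification steps, as a worked example added here. This is not Vectra's detection logic or the page's own code. It assumes records shaped like Microsoft 365 Unified Audit Log SharePoint sharing events (Operation, UserId, CreationTime, ObjectId, TargetUserOrGroupType), uses constructed sample records rather than real tenant data, and the z-score threshold, the minimum history length and the rule "anonymous link or Guest target counts as external" are my assumptions.

```python
"""Volume-based sharing anomaly check over M365-style audit records (added example)."""
import statistics
from collections import defaultdict
from datetime import date

# Unified Audit Log operations that represent a share being created or extended.
SHARING_OPERATIONS = {
    "SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated",
    "SecureLinkCreated", "AddedToSecureLink",
}


def _rec(day, user, op, obj, target="Member"):
    """Build one constructed audit record (only the fields this example needs)."""
    return {"CreationTime": f"2024-03-{day:02d}T09:00:00", "UserId": user,
            "Operation": op, "TargetUserOrGroupType": target,
            "ObjectId": f"https://contoso.sharepoint.com/sites/hr/{obj}"}


# Constructed sample data: ten quiet days, then one account-day with a burst
# of shares, most of them anonymous links (assumed to be external exposure).
SAMPLE_EVENTS = []
for _day in range(1, 11):
    SAMPLE_EVENTS.append(_rec(_day, "alice@contoso.com", "SharingSet", f"doc{_day}.docx"))
    for _i in range(3):
        SAMPLE_EVENTS.append(_rec(_day, "bob@contoso.com", "SharingSet", f"plan{_day}-{_i}.xlsx"))
    SAMPLE_EVENTS.append(_rec(_day, "bob@contoso.com", "FileAccessed", "plan.xlsx"))  # not a share
for _i in range(40):
    _anon = _i < 30
    SAMPLE_EVENTS.append(_rec(11, "alice@contoso.com",
                              "AnonymousLinkCreated" if _anon else "SharingSet",
                              f"payroll-{_i}.xlsx", "Guest" if _anon else "Member"))


def daily_share_counts(events):
    """Count sharing operations per (user, day); non-sharing operations are ignored."""
    counts = defaultdict(int)
    for e in events:
        if e["Operation"] in SHARING_OPERATIONS:
            counts[(e["UserId"], date.fromisoformat(e["CreationTime"][:10]))] += 1
    return counts


def find_anomalies(events, z_threshold=3.0, min_history_days=5):
    """Flag account-days whose share count is unusual for BOTH the account and the environment.

    Baselines use only days strictly before the day under test. Quiet accounts are
    zero-filled so the environment baseline reflects everyone, not just sharers.
    """
    counts = daily_share_counts(events)
    days = sorted({d for _, d in counts})
    users = sorted({u for u, _ in counts})
    anomalies = []
    for target_day in days:
        history = [d for d in days if d < target_day]
        if len(history) < min_history_days:
            continue
        env = [counts.get((u, d), 0) for u in users for d in history]
        env_mean, env_std = statistics.mean(env), statistics.pstdev(env)
        for user in users:
            today = counts.get((user, target_day), 0)
            if today == 0:
                continue
            own = [counts.get((user, d), 0) for d in history]
            own_mean, own_std = statistics.mean(own), statistics.pstdev(own)
            # std floored at 1 so a perfectly regular history does not divide by zero
            own_z = (today - own_mean) / max(own_std, 1.0)
            env_z = (today - env_mean) / max(env_std, 1.0)
            if own_z > z_threshold and env_z > z_threshold:
                anomalies.append({"user": user, "day": target_day.isoformat(), "count": today,
                                  "account_z": round(own_z, 1), "environment_z": round(env_z, 1)})
    return anomalies


def triage_summary(events, user, day_iso):
    """Support the verify steps: what was shared, and how much of it reaches outside the tenant."""
    day = date.fromisoformat(day_iso)
    shared, external = [], 0
    for e in events:
        if (e["UserId"] == user and e["Operation"] in SHARING_OPERATIONS
                and date.fromisoformat(e["CreationTime"][:10]) == day):
            shared.append(e["ObjectId"])
            # Assumption: anonymous links and Guest targets are external exposure.
            if e["Operation"] == "AnonymousLinkCreated" or e["TargetUserOrGroupType"] == "Guest":
                external += 1
    return {"total": len(shared), "external": external, "objects": sorted(set(shared))}


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_EVENTS):
        print(a)
        print(triage_summary(SAMPLE_EVENTS, a["user"], a["day"]))
```

Flagging on both z-scores is what keeps the benign case from the root-cause list (a user whose job involves periodic bulk sharing) from firing on every busy day: a burst that is normal for the account but high for the environment, or high for the account but ordinary tenant-wide, passes. The triage summary gives the reviewer the object list and the external share count needed for the three verification steps.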