M365 Suspicious Sharing Activity
Detection overview
The "M365 Suspicious Sharing Activity" detection identifies instances where an account is seen sharing a significant number of files or folders within Microsoft 365 in a way that deviates from typical user behavior. This detection helps signal potential data exfiltration attempts or the establishment of persistent access for long-term data extraction through OneDrive or SharePoint.
Triggers
- An account was seen sharing files and/or folders at a volume that is higher than is normal for both the environment and for the account.
Possible Root Causes
- Attackers may use SharePoint/OneDrive sharing functions to exfiltrate data and enable ongoing access to data over extended periods of time.
- Use of sharing enables attackers to maintain access to data after an a compromised account is remediated
- Users who rarely share files may periodically share more files than most other users in the environment as part of their job function.
Business Impact
- While some level of sharing may be normal for an environment or user, those users who emerge as sharing unusual amounts of data should be reviewed to validate the sharing is legitimate and does not pose a risk.
- Sharing of a large volume or breadth of files or folders exposes the organization to an increased risk of data theft or loss.
Steps to Verify
- Review the data being shared to determine if the information should be exposed to external parties.
- Review the sharing permissions to ensure the least possible data is exposed. • Validate with the user that the sharing was intended and follows organizational policies on data sharing with external parties.
M365 Suspicious Sharing Activity
Possible root causes
Malicious Detection
Attackers who have gained access to a compromised account may use SharePoint or OneDrive sharing functions to exfiltrate data. This method allows attackers to maintain remote access to shared data even after initial account compromises are detected and remediated.
Benign Detection
Users who do not often share data may sometimes share a significant amount for legitimate reasons, such as initiating a new project or collaborating on an extensive file set. This can trigger the detection if it stands out against typical sharing patterns within the organization.
M365 Suspicious Sharing Activity
Example scenarios
1. Unusual Employee Behavior
An employee who typically shares minimal files suddenly shares a large set of documents, prompting a review to ensure compliance and legitimacy.
2. Compromised Account Using Sharing for Data Leak
An attacker gains access to an employee's account and uses SharePoint's sharing function to share sensitive folders externally, establishing persistence for future data access.
M365 Suspicious Sharing Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Theft Risk
Unauthorized sharing can lead to the exposure of sensitive business data, intellectual property, or regulated information, putting the organization at risk of data loss.
Potential Regulatory Violations
Exposing sensitive data may result in non-compliance with data protection regulations, which can lead to legal and financial repercussions.
Persistent Unauthorized Access
Attackers leveraging sharing functions can maintain access to critical data even after the primary threat has been remediated.
M365 Suspicious Sharing Activity
Steps to investigate
Review Shared Data Details
Evaluate the content and context of the files being shared to determine if the exposure is warranted.
Check Sharing Permissions
Confirm that the shared permissions align with the principle of least privilege and organizational policies.
Validate with the User
Contact the user involved to ensure the sharing activity is intentional and compliant with company standards.
Analyze Further Activity
Monitor additional user behavior to detect patterns suggesting broader compromises or data exfiltration efforts.
M365 Suspicious Sharing Activity
MITRE ATT&CK techniques covered
M365 Suspicious Sharing Activity
Related detections
FAQs
What type of sharing triggers this detection?
High-volume or unusual file-sharing activities that deviate from standard patterns for the user or environment.
What should I do if this detection is triggered?
Review the data being shared, contact the user for validation, and ensure that permissions adhere to security policies.
What steps should be taken to mitigate risks?
Implement stricter sharing policies, educate users on secure sharing practices, and apply monitoring tools for anomalies.
Are there automated ways to control excessive sharing?
Yes, Microsoft 365 admin tools can help monitor and control sharing through access policies and alert mechanisms.
Can attackers revoke legitimate sharing after exfiltration?
Yes, attackers may modify or revoke sharing permissions to avoid detection after extracting data.
Could legitimate activities trigger this detection?
Yes, legitimate actions like bulk data sharing for new projects or data migration can appear suspicious if atypical for the user.
Is the account always compromised if this detection occurs?
Not necessarily. It may indicate legitimate usage that requires verification.
Can external parties view shared files?
Depending on the sharing settings, files shared with "anyone with the link" can be accessed externally. This should be checked.
What logs can assist in investigation?
M365 audit logs detailing user activity and sharing events are vital for context.
Are compliance teams involved in such investigations?
Often, compliance or IT security teams will review these incidents to assess impact and ensure regulatory adherence.