O365 Suspicious Sharing Activity

Triggers

  • An account was seen sharing files and/or folders at a volume that is higher than is normal for both the environment and for the account.
  • Threat is driven by the number of objects shared.
  • When most users do not normally share, certainty is driven by how uncommon sharing is across all users. When sharing is normally observed, certainty is driven by a combination of the amount of deviation from the user’s normal shared-object volume and the proportion of objects shared from directories other than the user’s personal directory.
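The trigger logic above, worked through as an added toy scorer in Python (not the detection product's own code). It assumes a constructed per-user 7-day baseline, constructed audit records shaped like O365 unified audit log entries, and the OneDrive convention that personal sites live under /personal/<UPN with @ and . replaced by _>/; threat follows object count only, while certainty switches between the rarity rule and the deviation-plus-location rule depending on how common sharing is in the environment.

```python
from statistics import mean, pstdev

# Constructed 7-day baseline of objects shared per day; bob shares routinely, others rarely.
BASELINE = {
    "alice@example.com": [0, 0, 1, 0, 0, 0, 0],
    "bob@example.com": [12, 9, 15, 11, 14, 10, 13],
    "carol@example.com": [0, 0, 0, 0, 0, 0, 0],
}
# SharePoint/OneDrive audit Operation values that record sharing (illustrative, not exhaustive).
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}

def _events(user, op, prefix, n):
    """Constructed audit records shaped like O365 unified audit log entries."""
    return [{"UserId": user, "Operation": op, "ObjectId": f"{prefix}/f{i}"} for i in range(n)]

EVENTS = (
    _events("alice@example.com", "SharingSet",
            "https://contoso-my.sharepoint.com/personal/alice_example_com/Documents", 5)
    + _events("alice@example.com", "AnonymousLinkCreated",
              "https://contoso.sharepoint.com/sites/Finance/Shared Documents", 15)
    + _events("carol@example.com", "SharingInvitationCreated",
              "https://contoso.sharepoint.com/sites/HR/Shared Documents", 3)
    + _events("alice@example.com", "FileAccessed",  # not a sharing op: must be ignored
              "https://contoso.sharepoint.com/sites/Finance/Shared Documents", 1)
)

def is_personal(user, object_id):
    """Assumed OneDrive convention: personal sites sit under /personal/<UPN with @ and . as _>/."""
    slug = user.lower().replace("@", "_").replace(".", "_")
    return f"/personal/{slug}/" in object_id.lower()

def score_user(user, events, baseline, rarity_threshold=0.25, saturate_at=50):
    """Score one user's sharing in the current window against the baseline."""
    shared = {e["ObjectId"] for e in events
              if e["UserId"] == user and e["Operation"] in SHARING_OPS}
    n = len(shared)
    threat = min(1.0, n / saturate_at)  # threat is driven only by the number of objects shared
    # If almost nobody in the environment shares, rarity alone drives certainty.
    share_rate = sum(1 for h in baseline.values() if any(h)) / len(baseline)
    if share_rate < rarity_threshold:
        certainty = 1.0 - share_rate
    else:  # otherwise: deviation from own baseline + share of objects outside personal OneDrive
        hist = baseline.get(user, [0])
        mu, sd = mean(hist), pstdev(hist) or 1.0
        deviation = min(1.0, max(0.0, (n - mu) / (10 * sd)))
        outside = sum(1 for o in shared if not is_personal(user, o)) / n if n else 0.0
        certainty = 0.5 * deviation + 0.5 * outside
    return {"user": user, "objects": n, "threat": threat, "certainty": certainty}
```

With the constructed data, alice (20 objects, 15 of them from a team site she rarely shares from) scores far above bob, whose daily volume is simply his normal job pattern.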

Possible Root Causes

  • Attackers may use SharePoint/OneDrive sharing functions to exfiltrate data and enable ongoing access to data over extended periods of time.
  • Use of sharing enables attackers to maintain access to data after a compromised account is remediated.
  • Users who rarely share files may periodically share more files than most other users in the environment as part of their job function.

Business Impact

  • While some level of sharing may be normal for an environment or user, those users who emerge as sharing unusual amounts of data should be reviewed to validate the sharing is legitimate and does not pose a risk.
  • Sharing of a large volume or breadth of files or folders exposes the organization to an increased risk of data theft or loss.

Steps to Verify

  • Review the data being shared to determine if the information should be exposed to external parties.
  • Review the sharing permissions to ensure the least possible data is exposed.
  • Validate with the user that the sharing was intended and follows organizational policies on data sharing with external parties.