Large Number of External File Shares [RULE-1027]
This rule detects when a user shares a large number of files with external users in a short time period. This behavior can indicate that a compromised account is being used to distribute malicious content, exfiltrate data, or spread phishing links to external recipients via SharePoint Online or OneDrive for Business.
Rationale
Sharing a large number of files with external users in a short period is unusual behavior for most users and is a common indicator of account compromise. This technique is mapped to MITRE ATT&CK as T1567 (Exfiltration Over Web Service) and T1566.002 (Phishing: Spearphishing Link).
After compromising a user account, attackers often use SharePoint Online or OneDrive for Business to distribute malicious files or phishing links to a large number of external recipients. Because these sharing invitations originate from a legitimate organizational account, recipients are more likely to trust and open the shared content. This makes it an effective method for spreading malware or conducting further phishing campaigns.
Additionally, bulk external sharing can be used for data exfiltration. An attacker may share sensitive documents, confidential files, or proprietary data with external accounts they control, effectively stealing organizational data through a legitimate file sharing mechanism that may bypass traditional data loss prevention controls. The volume and speed of the sharing activity distinguish malicious behavior from normal business collaboration, where external sharing typically occurs in smaller, more deliberate batches.
Follow-up
Follow these steps to adequately address this detection:
- Verify with the user whether the large number of external shares was intentional. Check which files were shared, with whom they were shared, and whether this is consistent with the user's normal work activities.
- If no: The sharing activity was not intentional and the account may be compromised:
  - Immediately revoke the external sharing permissions on the affected files and folders.
  - Reset the password of the affected account and revoke all active sessions via Microsoft Entra ID.
  - Review the shared files to determine whether any sensitive or confidential data was exposed. Check sign-in logs for suspicious login activity on the account.
  - Notify external recipients that the shared content may be malicious and should not be opened. Consider engaging Attic for a full incident response investigation.
- If yes: The external sharing was intentional and related to legitimate business activities:
  - Verify that the volume of external sharing is permitted under your organization's data sharing and security policies.
  - If acceptable: document the business justification and close the incident.
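The following is an added example, not code from the original rule page or from Attic, showing both the detection logic described in the Rationale (a per-user sliding-window count of shares granted to external principals) and the "which files, with whom" summary the first Follow-up step asks for. It runs over constructed records shaped like SharePoint Online and OneDrive for Business entries in the Microsoft 365 Unified Audit Log (fields such as `CreationTime`, `Operation`, `UserId`, `ObjectId`, `TargetUserOrGroupName`, `TargetUserOrGroupType`). The threshold of 20 shares per 60 minutes, the set of operations treated as sharing events, and the `contoso.com` internal domain are assumptions for illustration and are not stated on the page.

```python
"""Added example: sliding-window detection of bulk external sharing plus a
triage summary, over constructed Microsoft 365 audit records (not real data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                       # assumption: external shares per window
WINDOW = timedelta(hours=1)          # assumption: detection window
INTERNAL_DOMAINS = {"contoso.com"}   # assumption: the organization's own domains

# SharePoint/OneDrive audit operations that grant another principal access.
SHARING_OPS = {"SharingInvitationCreated", "SharingSet", "AddedToSecureLink",
               "SecureLinkCreated", "AnonymousLinkCreated"}


def is_external(record):
    """True when the grant goes to a guest, an anonymous link, or a non-internal address."""
    if record["Operation"] == "AnonymousLinkCreated":
        return True
    if record.get("TargetUserOrGroupType") in ("Guest", "Partner"):
        return True
    target = record.get("TargetUserOrGroupName", "")
    if "@" in target:
        return target.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS
    return False


def detect(records):
    """Return {UserId: (time_of_crossing, count)} for users whose external-share
    count inside any WINDOW reaches THRESHOLD. One alert per user, at first crossing."""
    events = [r for r in records if r["Operation"] in SHARING_OPS and is_external(r)]
    events.sort(key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    recent = defaultdict(deque)   # per user: timestamps inside the current window
    alerts = {}
    for r in events:
        ts = datetime.fromisoformat(r["CreationTime"])
        q = recent[r["UserId"]]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and r["UserId"] not in alerts:
            alerts[r["UserId"]] = (ts, len(q))
    return alerts


def triage_summary(records, user):
    """Map each externally shared object to the set of external recipients,
    which is what the analyst needs for the 'which files, with whom' check."""
    shared = defaultdict(set)
    for r in records:
        if r["UserId"] == user and r["Operation"] in SHARING_OPS and is_external(r):
            shared[r["ObjectId"]].add(r.get("TargetUserOrGroupName") or "<anonymous link>")
    return dict(shared)


def _rec(ts, user, op, obj, target, ttype, workload="OneDrive"):
    return {"CreationTime": ts.isoformat(), "Operation": op, "UserId": user,
            "ObjectId": obj, "TargetUserOrGroupName": target,
            "TargetUserOrGroupType": ttype, "Workload": workload}


def sample_records():
    """Constructed audit records (not real data). Users, hosts and paths are invented."""
    day = datetime(2024, 5, 1, 9, 0, 0)
    recs = []
    # Compromised account: 25 distinct files invited out to external guests in 12 minutes.
    for i in range(25):
        recs.append(_rec(day + timedelta(seconds=30 * i), "alice@contoso.com",
                         "SharingInvitationCreated",
                         f"https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/Q2/report{i}.xlsx",
                         f"recipient{i % 5}@external-mail.example", "Guest"))
    # Normal collaboration: three shares to one partner spread across the working day.
    for i, hour in enumerate((9, 13, 16)):
        recs.append(_rec(day.replace(hour=hour, minute=5), "bob@contoso.com", "SharingSet",
                         f"https://contoso.sharepoint.com/sites/Sales/Shared Documents/proposal{i}.docx",
                         "partner@vendor.example", "Guest"))
    # Heavy internal sharing: volume alone must not trigger the rule.
    for i in range(40):
        recs.append(_rec(day + timedelta(seconds=10 * i), "carol@contoso.com", "SharingSet",
                         f"https://contoso.sharepoint.com/sites/Eng/Shared Documents/spec{i}.md",
                         "dave@contoso.com", "Member", workload="SharePoint"))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for user, (when, count) in detect(recs).items():
        print(f"ALERT RULE-1027: {user} reached {count} external shares by {when}")
        for obj, recipients in triage_summary(recs, user).items():
            print(f"  {obj} -> {sorted(recipients)}")
```

Only grants to external principals count toward the window, so an internal-only bulk share (`carol@contoso.com` above) never alerts, and the window is evaluated per event rather than per fixed hour so a burst straddling a clock boundary is still caught. In production, run `detect` over records pulled from the audit log (for example via `Search-UnifiedAuditLog` or the Office 365 Management Activity API), and exclude migration or service accounts that legitimately bulk-share after reviewing them.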