- ID: DT128
- Created: 21st May 2025
- Updated: 21st May 2025
- Platform: Windows
- Contributor: The ITM Team
Microsoft Purview eDiscovery
Investigators can leverage Microsoft Purview eDiscovery to proactively search for indicators of insider threat activity across Microsoft 365 workloads, including Exchange, SharePoint, OneDrive, and Teams. eDiscovery enables targeted, cross-tenant search of user communications and file activity, making it a powerful internal investigation and monitoring tool when used within approved workflows.
eDiscovery should be used to:
- Identify data staging or policy violations involving sensitive or regulated information.
- Investigate keywords, file types, or behavioral patterns linked to insider misuse.
- Surface high-risk communication themes (e.g., resignation, exfil intent, coercion signals).
- Correlate abnormal file sharing, email forwarding, or messaging activity across multiple users or services.
Detection Methods (via eDiscovery):
- Keyword or Pattern-Based Search: Use search queries within eDiscovery to identify sensitive terms or behaviors, such as “resign”, “job offer”, “backup”, “personal email”, “send to home”, “leaving soon”, “remotely wipe”, “compressed”; file extensions commonly used for staging or exfiltration (“.7z”, “.rar”, “.pst”, “.tar.gz”, “.gpg”); or repeated references to external tools (e.g., “WeTransfer”, “Dropbox”, “Telegram”).
- Targeted User Investigation: Investigate specific users flagged by UEBA, DLP, or HR triggers. Use Purview to search for mailbox forwarding rules or unusual email recipients, identify OneDrive or SharePoint activity involving external users or personal accounts, and retrieve deleted messages or files still available in preservation hold.
- Communication Timeline Reconstruction: Use eDiscovery to build a timeline of internal communications and file interactions around suspicious dates—e.g., just before resignation, travel, or privileged access escalations.
- Multi-Source Correlation: Cross-reference results from Exchange, Teams, OneDrive, and SharePoint in a single case. Link content types and time windows to identify coordinated behavior or quiet staging across services.
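The keyword sweep, date-bounded timeline and multi-service correlation described in the methods above, as an added PowerShell example that is not part of the ITM page or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module and an account holding an eDiscovery-capable role; the tenant URL, user names, search name and date window are constructed placeholders. The forwarding-rule check at the end uses Exchange Online cmdlets (Get-Mailbox, Get-InboxRule) rather than an eDiscovery search, since inbox rules are mailbox configuration, not searchable content.

```powershell
# Added example (not from the ITM page or Microsoft): builds a KQL query from the
# indicator terms listed in this detection and runs it as a Purview compliance search
# across Exchange (incl. Teams chat compliance copies) and OneDrive for a bounded window.
# Requires the ExchangeOnlineManagement module and an eDiscovery Manager role.
# Tenant URL, user names and dates below are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # Security & Compliance PowerShell (compliance search cmdlets)
Connect-ExchangeOnline       # Exchange Online cmdlets (mailbox / inbox rule checks)

# Terms and extensions taken from the detection's keyword list.
$Keywords   = @('resign', 'job offer', 'backup', 'personal email', 'send to home',
                'leaving soon', 'remotely wipe', 'compressed',
                'WeTransfer', 'Dropbox', 'Telegram')
$Extensions = @('7z', 'rar', 'pst', 'gz', 'gpg')   # .tar.gz is matched on its final extension

# Users flagged by UEBA/DLP/HR and the window around the trigger date (placeholders).
$FlaggedUsers = @('a.user@contoso.example', 'b.user@contoso.example')
$WindowStart  = '05/01/2025'
$WindowEnd    = '05/21/2025'
$OneDriveRoot = 'https://contoso-my.sharepoint.com/personal'   # placeholder tenant

function New-InsiderThreatKql {
    param([string[]]$Terms, [string[]]$Exts, [string]$Start, [string]$End)
    # Multi-word phrases must be quoted so KQL treats them as a phrase, not as OR'd words.
    $termClause = ($Terms | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' OR '
    # filetype: covers SharePoint/OneDrive documents; attachmentnames: covers email attachments.
    $extClause  = ($Exts | ForEach-Object { "filetype:$_ OR attachmentnames:*.$_" }) -join ' OR '
    # Date bounds keep results focused on the period around the trigger (resignation,
    # travel, access escalation). 'sent' applies to mail/Teams items, 'lastmodifiedtime' to files.
    $dateClause = "((sent>=$Start AND sent<=$End) OR (lastmodifiedtime>=$Start AND lastmodifiedtime<=$End))"
    return "(($termClause) OR ($extClause)) AND $dateClause"
}

$Query      = New-InsiderThreatKql -Terms $Keywords -Exts $Extensions -Start $WindowStart -End $WindowEnd
$SearchName = "ITM-DT128-$(Get-Date -Format yyyyMMddHHmm)"

# OneDrive personal site URLs derive from the UPN: a.user@contoso.example -> a_user_contoso_example
$OneDriveSites = $FlaggedUsers | ForEach-Object { "$OneDriveRoot/$($_ -replace '[@.]', '_')" }

# One search spanning mailboxes and OneDrive sites, so hits from several services
# land in a single result set and can be correlated by user and time window.
New-ComplianceSearch -Name $SearchName -Description 'ITM DT128 insider-threat keyword sweep' `
    -ExchangeLocation $FlaggedUsers -SharePointLocation $OneDriveSites -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the estimate completes, then report only locations that returned hits.
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity $SearchName
} until ($s.Status -eq 'Completed')
"Search '{0}': {1} items, {2} bytes" -f $SearchName, $s.Items, $s.Size
$s.SuccessResults -split '[\r\n]+' | Where-Object { $_ -match 'Item count: ([1-9]\d*)' }

# Targeted user investigation: mailbox-level forwarding and inbox rules that forward,
# redirect or delete mail are review-worthy because they move data out or hide traces.
foreach ($u in $FlaggedUsers) {
    $mbx = Get-Mailbox -Identity $u
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        "[$u] mailbox forwarding -> $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress) (keeps copy: $($mbx.DeliverToMailboxAndForward))"
    }
    Get-InboxRule -Mailbox $u |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='User'; e={ $u }}, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
```

The search is a statistics estimate only; reviewing actual content requires a preview or export action (New-ComplianceSearchAction) inside an approved case, which keeps the investigation within the auditable eDiscovery workflow the page describes.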
Indicators (via eDiscovery Results):
- Discovery of sensitive files emailed to non-corporate domains.
- Large compressed archives sent or shared shortly before account deactivation.
- Coordinated message themes among multiple insiders (e.g., disgruntlement, collusion).
- Use of keywords suggesting obfuscation, retaliation, or planned exit.
- Evidence of Teams conversations involving encouragement or normalization of data misuse.