
Insider Threat Matrix™

  • ID: DT142
  • Created: 19th August 2025
  • Updated: 19th August 2025
  • Contributor: The ITM Team

Microsoft Defender, Shared File Externally

This detection monitors when files from SharePoint or OneDrive are shared with external users. By alerting to these sharing events in Microsoft Defender, investigators gain early visibility into potential data exfiltration and can trace the granting account, the recipient of the access, and the files that have been shared.

In the Microsoft Defender portal at https://security.microsoft.com, navigate to Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

Click “+ New Alert Policy” in the top-left corner. Assign a clear name to the alert policy and select an appropriate Severity and Category. On the next page, under “Activity is”, search for and select “Shared file externally”. Configure the remaining settings as required. If the intention is only to alert on these events when generated by specific accounts, add a condition with either User: User is or User: User tags are. If the intention is only to alert on specific files, add a condition with File: File name is, File: Site collection URL is, or File: File extension is.

When reviewing an alert generated by this rule, select an activity row in the Activity list table to display related information. A panel will open on the right-hand side of the alert page, under “Activity details”, showing the Item (the URL of the file that has been shared externally), User (the user account that set the external sharing), IP address, and Time of the event.

More verbose information is provided under the “More information” section. Additional details of value are provided there, including TargetUserOrGroupName, the external target that is receiving access. This value is recorded in the following format: “<TargetMailbox>_<TargetDomain>.<tld>#ext#@<CompanyTenantName>.onmicrosoft.com”. In this format, the expected “@” character between the target mailbox and domain is replaced with a “_”.
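As an added example (not part of the ITM entry or any Microsoft tooling), the following Python decodes the TargetUserOrGroupName format described above back into the external recipient's address and flags recipients whose domain is outside an approved-partner allowlist. The sample records, the allowlist and the case-insensitive “#EXT#” match are assumptions made for the example.

```python
import re
from typing import NamedTuple, Optional

# Hostnames cannot contain "_", so the last "_" before "#ext#" is the boundary
# between mailbox and domain even when the mailbox itself has underscores.
# Assumption: "#ext#" may appear as "#EXT#", so it is matched case-insensitively.
_GUEST_RE = re.compile(
    r"^(?P<mailbox>.+)_(?P<domain>[^_#@]+)#ext#@(?P<tenant>[^@]+)$", re.IGNORECASE
)

class ExternalTarget(NamedTuple):
    email: str   # external address with the "@" restored
    domain: str  # external domain that received access
    tenant: str  # sharing organisation's *.onmicrosoft.com tenant

def parse_target_user(value: str) -> Optional[ExternalTarget]:
    """Decode a guest-format TargetUserOrGroupName; None if not in that format."""
    m = _GUEST_RE.match(value.strip())
    if not m:
        return None
    return ExternalTarget(
        email=f"{m['mailbox']}@{m['domain']}".lower(),
        domain=m["domain"].lower(),
        tenant=m["tenant"].lower(),
    )

def triage(events: list, allowed_domains: set) -> list:
    """Annotate 'Shared file externally' records and flag non-allowlisted domains."""
    out = []
    for ev in events:
        t = parse_target_user(ev.get("TargetUserOrGroupName", ""))
        out.append({
            "item": ev.get("Item"),
            "granted_by": ev.get("User"),
            "external_email": t.email if t else None,
            "unapproved_domain": t is not None and t.domain not in allowed_domains,
        })
    return out

# Constructed sample records (not real audit data). Keys mirror the panel fields
# named on this page; the second value shows a mailbox containing underscores.
SAMPLE_EVENTS = [
    {"Item": "https://contoso.sharepoint.com/sites/fin/Q3.xlsx", "User": "bob@contoso.com",
     "TargetUserOrGroupName": "alice_partner.example#EXT#@contoso.onmicrosoft.com"},
    {"Item": "https://contoso.sharepoint.com/sites/hr/pay.xlsx", "User": "bob@contoso.com",
     "TargetUserOrGroupName": "j_doe_freemail.example#ext#@contoso.onmicrosoft.com"},
]
```

Internal recipients or sharing-link principals do not match the guest format and are returned with no decoded address, so they are never flagged by the allowlist check.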

Sections

ID Name Description
IF011.003 Providing Unauthorized Access to a Collaboration Platform

The subject grants unauthorized access to organizational collaboration platforms, such as Slack, Microsoft Teams, Confluence, or equivalent tools, thereby exposing them to internal information, workflows, or discussions outside their clearance or role-based access. This behavior may occur by inviting a guest account, elevating access permissions for an existing contact, or bypassing formal onboarding channels to enable out-of-policy access.

Such unauthorized collaboration introduces a high-risk vector for information leakage, intellectual property exposure, and unmonitored data sharing. In many cases, these platforms contain embedded files, chat histories, integration logs, and operational metadata that extend beyond what the subject may intend to share. Even when performed under the guise of productivity or convenience, this behavior constitutes a clear infringement of acceptable use policies and undermines formal access governance structures.

The action is often difficult to detect retrospectively if audit logging for guest access is not enabled or if collaboration platforms lack integration with centralized identity providers. Investigators should consider whether the access was temporary or persistent, and whether the subject demonstrated awareness of the policy violation (e.g., through attempts to obscure or justify the behavior).

IF001.007 Exfiltration via Collaboration Platform

A subject uses a cloud collaboration platform, such as Slack, Google Docs, Atlassian Confluence, or Microsoft 365 Online, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://docs.google[.]com
  • hxxps://*.slack[.]com (* represents a wildcard, where a workspace name would be present)
  • hxxps://word.cloud[.]microsoft
  • hxxps://excel.cloud[.]microsoft
  • hxxps://powerpoint.cloud[.]microsoft
  • hxxps://*.atlassian[.]net/wiki/ (* represents a wildcard, where a workspace name would be present)