M365 eDiscovery Exfil

Detection overview

Triggers

  • A user is previewing or downloading the results of an eDiscovery activity.

Possible Root Causes

  • An adversary has gained access to eDiscovery capabilities and is using that access to collect or exfiltrate data.
  • One of a small set of users authorized to perform eDiscovery has been observed doing so.

Business Impact

  • eDiscovery capabilities are an enticing target for adversaries to abuse; misuse may result in the loss of sensitive information such as passwords, encryption keys, financial data, and intellectual property.
  • eDiscovery can expose data that is otherwise inaccessible through normal means but has been preserved as part of a litigation hold.

Steps to Verify

  • eDiscovery activities from unauthorized users should be immediately investigated.
  • Users authorized for eDiscovery should be explicitly triaged in this system to avoid future detections.
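
The two verification steps above, as an added example that is not the detection vendor's or Microsoft's code: a triage pass over constructed audit records that alerts on eDiscovery preview/download operations by users outside an explicit authorized list, while keeping the authorized users' activity in a separate list so it can still be reviewed. The record keys (CreationTime, UserId, Operation) and the operation names ViewedSearchPreviewed and SearchExportDownloaded are assumptions about the M365 unified audit log format; confirm them against your tenant.

```python
"""Triage eDiscovery result access against an authorized-user list.

Added example. Record shape and operation names are assumed to match the
M365 unified audit log (ViewedSearchPreviewed, SearchExportDownloaded).
"""
from dataclasses import dataclass

# Operations matching the trigger: previewing or downloading search results.
EDISCOVERY_RESULT_ACCESS = {
    "ViewedSearchPreviewed": "preview",
    "SearchExportDownloaded": "download",
}


@dataclass(frozen=True)
class Finding:
    user: str
    operation: str
    kind: str          # "preview" or "download"
    time: str
    suppressed: bool   # True when the user is on the triaged/authorized list


def triage_ediscovery(records, authorized_users):
    """Return (alerts, suppressed): alerts for users not on the authorized
    list, suppressed for authorized users so their activity stays reviewable."""
    authorized = {u.lower() for u in authorized_users}
    alerts, suppressed = [], []
    for rec in records:
        kind = EDISCOVERY_RESULT_ACCESS.get(rec.get("Operation", ""))
        if kind is None:
            continue  # creating or starting a search is not the trigger here
        user = rec.get("UserId", "").lower()
        finding = Finding(user, rec["Operation"], kind,
                          rec.get("CreationTime", ""), user in authorized)
        (suppressed if finding.suppressed else alerts).append(finding)
    return alerts, suppressed


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:12:00", "UserId": "legal.counsel@example.com", "Operation": "SearchStarted"},
    {"CreationTime": "2024-05-01T09:15:00", "UserId": "legal.counsel@example.com", "Operation": "SearchExportDownloaded"},
    {"CreationTime": "2024-05-01T22:41:00", "UserId": "j.doe@example.com", "Operation": "ViewedSearchPreviewed"},
    {"CreationTime": "2024-05-01T22:47:00", "UserId": "j.doe@example.com", "Operation": "SearchExportDownloaded"},
]
AUTHORIZED = ["Legal.Counsel@example.com"]  # the small, explicitly triaged set

if __name__ == "__main__":
    alerts, quiet = triage_ediscovery(SAMPLE_RECORDS, AUTHORIZED)
    for f in alerts:
        print(f"ALERT   {f.time} {f.user} {f.kind} ({f.operation})")
    for f in quiet:
        print(f"triaged {f.time} {f.user} {f.kind} ({f.operation})")
```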