M365 Exfiltration Before Termination

Detection overview

Triggers

  • An account downloaded or exfiltrated files shortly before that account was deleted or disabled, a pattern characteristic of insider threat.

Possible Root Causes

  • A user with foreknowledge of separation or reassignment has intentionally acquired or stolen organizational data prior to departure, intending to retain access to information or data to which they will no longer be authorized.
  • In some cases, suspicious data acquisition by a user prior to a separation or reassignment event may be part of an authorized activity.

Business Impact

  • Insider threat places an organization at risk of loss of sensitive information such as intellectual property, financial data, or other data associated with legal and compliance protections.
  • The successful exfiltration of data by an insider may lead to regulatory fines or penalties, loss of competitive advantages, or other outcomes detrimental to business and organizational success.

Steps to Verify

  • Investigate the reason this account was disabled or deleted, and whether continued access to these files is still authorized.
  • Investigate if the files associated with this detection include sensitive information.
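
The verification steps above come down to one correlation: file downloads by an account in the days before that same account was disabled or deleted. The Python below is an added example, not the product's own detection logic, that performs that correlation over constructed audit records. The record layout is loosely modelled on the Microsoft 365 unified audit log (CreationTime, UserId, Operation, Workload, ObjectId); the operation names (`FileDownloaded`, `FileSyncDownloadedFull`, `Disable account.`, `Delete user.`), the 7-day look-back window, the example domains and the sample file paths are all assumptions chosen for the illustration.

```python
"""Flag accounts that downloaded files shortly before being disabled or deleted.

Added example, not the product's detection logic: correlates download events
with a later disable/delete event for the same account inside a look-back
window, which is the core check behind this detection.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed operation names for this example; verify against your tenant's
# audit log before relying on them in a real query.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
TERMINATION_OPS = {"Disable account.", "Delete user."}

# Constructed sample audit records (JSON lines). For the termination events,
# UserId is the administrator who acted and ObjectId is the account that was
# disabled or deleted. Domains and paths are fictitious.
SAMPLE_LOG = """\
{"CreationTime": "2024-03-01T09:12:00", "UserId": "alice@example.com", "Operation": "FileDownloaded", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2024-03-02T17:40:00", "UserId": "alice@example.com", "Operation": "FileDownloaded", "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.com/personal/alice/customer-list.csv"}
{"CreationTime": "2024-03-03T08:05:00", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/legal/contracts.zip"}
{"CreationTime": "2024-01-10T10:00:00", "UserId": "bob@example.com", "Operation": "FileDownloaded", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/hr/handbook.pdf"}
{"CreationTime": "2024-03-04T11:30:00", "UserId": "carol@example.com", "Operation": "FileDownloaded", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/eng/design.docx"}
{"CreationTime": "2024-03-05T16:00:00", "UserId": "admin@example.com", "Operation": "Disable account.", "Workload": "AzureActiveDirectory", "ObjectId": "alice@example.com"}
{"CreationTime": "2024-03-05T16:05:00", "UserId": "admin@example.com", "Operation": "Delete user.", "Workload": "AzureActiveDirectory", "ObjectId": "bob@example.com"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, converting CreationTime to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def find_pre_termination_downloads(records, window_days=7):
    """Return {account: finding} for every account that downloaded files within
    window_days before it was disabled or deleted. Each finding records the
    earliest termination event, who performed it, and the downloaded objects."""
    records = sorted(records, key=lambda r: r["CreationTime"])
    window = timedelta(days=window_days)

    # Index downloads by the acting account (case-insensitive UPN).
    downloads = defaultdict(list)
    for rec in records:
        if rec["Operation"] in DOWNLOAD_OPS:
            downloads[rec["UserId"].lower()].append(rec)

    findings = {}
    for rec in records:
        if rec["Operation"] not in TERMINATION_OPS:
            continue
        target = rec["ObjectId"].lower()          # the account being disabled/deleted
        if target in findings:                     # keep the earliest termination event
            continue
        end = rec["CreationTime"]
        start = end - window
        hits = [d for d in downloads.get(target, []) if start <= d["CreationTime"] < end]
        if hits:
            findings[target] = {
                "terminated_at": end,
                "operation": rec["Operation"],
                "by": rec["UserId"],
                "files": sorted(h["ObjectId"] for h in hits),
            }
    return findings


if __name__ == "__main__":
    for user, f in find_pre_termination_downloads(parse_records(SAMPLE_LOG)).items():
        print(f"{user}: {len(f['files'])} download(s) in the {7} days before "
              f"'{f['operation']}' by {f['by']} at {f['terminated_at']}")
        for obj in f["files"]:
            print("   ", obj)
```

With the constructed records, only alice is flagged: three downloads in the week before her account was disabled. bob's single download predates his deletion by well over a month, so he falls outside the default window, and carol was never disabled or deleted. The file list in each finding is what an analyst would review against the second verification step, whether the objects involved contain sensitive information.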