Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks.

Upgrade to Pro
THREAT-Exfiltration-M365AnonymousShareLinks

Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links

Exfiltration Last updated:

Rather than uploading data to an external cloud storage account (T1537) or a third-party tool like rclone or Mega, an adversary — or a malicious/negligent insider — can exfiltrate data using Microsoft 365's own file-sharing feature: generating an 'Anyone' (anonymous) or externally-shared link for a SharePoint or OneDrive file or folder, then downloading it from an unmanaged device or forwarding the link outside the organization. Because the traffic never leaves Microsoft's infrastructure and no suspicious process or unusual outbound network connection is generated, this technique evades every process- and network-telemetry-based exfiltration detection (EDR process monitoring, DeviceNetworkEvents, proxy logs). Detection instead depends entirely on the Microsoft 365 Unified Audit Log (Office 365 Management Activity API), which records SharePoint/OneDrive sharing operations such as AnonymousLinkCreated, SharingInvitationCreated, AddedToSecureLink, and the corresponding *LinkUsed events when the link is subsequently accessed.

What is THREAT-Exfiltration-M365AnonymousShareLinks Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links?

Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links (THREAT-Exfiltration-M365AnonymousShareLinks) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links, covering the data sources and telemetry it touches: Office 365 Management Activity API (Unified Audit Log), Microsoft Sentinel OfficeActivity table, SharePoint Online / OneDrive for Business audit events. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// THREAT: Anonymous Sharing Link Exfiltration (Microsoft 365 Unified Audit Log)
// Requires the Office 365 data connector (OfficeActivity table) in Microsoft Sentinel
let SensitiveExt = dynamic([".xlsx", ".docx", ".pdf", ".csv", ".pst", ".zip", ".sql", ".pptx"]);
// Signal 1: burst of anonymous/external link creation by a single user
let LinkCreationBurst = OfficeActivity
| where TimeGenerated > ago(24h)
| where Workload =~ "SharePoint"
| where Operation in ("AnonymousLinkCreated", "SharingInvitationCreated", "AddedToSecureLink")
| summarize LinkCount=count(), Files=make_set(OfficeObjectId, 20), FirstLink=min(TimeGenerated), LastLink=max(TimeGenerated)
    by UserId, ClientIP
| where LinkCount >= 10
| extend Signal = "BulkAnonymousLinkCreation";
// Signal 2: anonymous link created for a sensitive file type
let SensitiveFileShare = OfficeActivity
| where TimeGenerated > ago(24h)
| where Workload =~ "SharePoint"
| where Operation =~ "AnonymousLinkCreated"
| where OfficeObjectId has_any (SensitiveExt)
| project TimeGenerated, UserId, ClientIP, OfficeObjectId
| extend Signal = "AnonymousLinkOnSensitiveFile";
// Signal 3: anonymous link accessed/used from an external or unrecognized IP shortly after creation
let LinkUsedExternally = OfficeActivity
| where TimeGenerated > ago(24h)
| where Workload =~ "SharePoint"
| where Operation =~ "AnonymousLinkUsed"
| project TimeGenerated, UserId, ClientIP, OfficeObjectId
| extend Signal = "AnonymousLinkAccessed";
LinkCreationBurst
| project TimeGenerated=LastLink, UserId, ClientIP, LinkCount, Files, Signal
| union (SensitiveFileShare | project TimeGenerated, UserId, ClientIP, LinkCount=1, Files=pack_array(OfficeObjectId), Signal)
| union (LinkUsedExternally | project TimeGenerated, UserId, ClientIP, LinkCount=1, Files=pack_array(OfficeObjectId), Signal)
| sort by TimeGenerated desc

Detects potential data exfiltration via Microsoft 365 anonymous sharing links using the OfficeActivity table populated by the Office 365 Management Activity API. Signal 1 identifies a single user creating 10 or more anonymous/external sharing links within 24 hours (bulk sharing is atypical for normal collaboration). Signal 2 flags any anonymous link created directly on a sensitive file type (spreadsheets, PST exports, SQL dumps, archives). Signal 3 flags subsequent use of an anonymous link, which confirms the shared content was actually retrieved. All three signals are audit-log based — there is no corresponding process or network telemetry because the traffic stays within Microsoft's SaaS boundary.

high severity medium confidence

Data Sources

Office 365 Management Activity API (Unified Audit Log) Microsoft Sentinel OfficeActivity table SharePoint Online / OneDrive for Business audit events

Required Tables

OfficeActivity

False Positives

  • External collaboration teams (sales, partnerships, legal) that routinely share proposals or contracts via anonymous links as part of normal business process
  • Marketing or communications staff distributing public-facing assets (brochures, press kits) via SharePoint anonymous links
  • Automated workflows (Power Automate flows) that generate sharing links as part of an approved business process

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links (THREAT-Exfiltration-M365AnonymousShareLinks) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Anonymous Sharing Link via PnP PowerShell

    Expected signal: Office 365 Unified Audit Log: Operation=AnonymousLinkCreated, Workload=SharePoint, RecordType=SharePointSharingOperation, with the UserId and ObjectId of the test file.

  2. Test 2Bulk Anonymous Link Creation Simulation

    Expected signal: 12 AnonymousLinkCreated audit events for the same UserId within a short time window.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.