Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks.
Upgrade to ProDetect Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links in Google Chronicle
Rather than uploading data to an external cloud storage account (T1537) or a third-party tool like rclone or Mega, an adversary — or a malicious/negligent insider — can exfiltrate data using Microsoft 365's own file-sharing feature: generating an 'Anyone' (anonymous) or externally-shared link for a SharePoint or OneDrive file or folder, then downloading it from an unmanaged device or forwarding the link outside the organization. Because the traffic never leaves Microsoft's infrastructure and no suspicious process or unusual outbound network connection is generated, this technique evades every process- and network-telemetry-based exfiltration detection (EDR process monitoring, DeviceNetworkEvents, proxy logs). Detection instead depends entirely on the Microsoft 365 Unified Audit Log (Office 365 Management Activity API), which records SharePoint/OneDrive sharing operations such as AnonymousLinkCreated, SharingInvitationCreated, AddedToSecureLink, and the corresponding *LinkUsed events when the link is subsequently accessed.
MITRE ATT&CK
- Tactic
- Exfiltration
YARA-L Detection Query
rule m365_anonymous_share_link_exfil {
meta:
author = "df00tech Detection Engineering"
description = "Detects Microsoft 365 SharePoint/OneDrive anonymous sharing link creation and usage indicative of potential data exfiltration"
severity = "HIGH"
mitre_attack_tactic = "Exfiltration"
mitre_attack_technique = "T1567.002"
created = "2026-07-14"
events:
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
$e.metadata.product_name = "Office 365"
$e.metadata.product_event_type = /AnonymousLinkCreated|SharingInvitationCreated|AddedToSecureLink|AnonymousLinkUsed/
$user = $e.principal.user.userid
condition:
$e
} Chronicle YARA-L 2.0 rule matching USER_RESOURCE_ACCESS UDM events sourced from the Microsoft 365 Unified Audit Log (via Chronicle's Office 365 default parser), flagging anonymous/external sharing link creation and usage operations for SharePoint and OneDrive. Aggregate matched events by $user over a 24-hour window in a downstream rule/dashboard to identify bulk-sharing outliers.
Data Sources
Required Tables
False Positives & Tuning
- Sales/partnership teams sharing external-facing proposals as routine business process
- Approved automated workflows generating sharing links
Other platforms for THREAT-Exfiltration-M365AnonymousShareLinks
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Anonymous Sharing Link via PnP PowerShell
Expected signal: Office 365 Unified Audit Log: Operation=AnonymousLinkCreated, Workload=SharePoint, RecordType=SharePointSharingOperation, with the UserId and ObjectId of the test file.
- Test 2Bulk Anonymous Link Creation Simulation
Expected signal: 12 AnonymousLinkCreated audit events for the same UserId within a short time window.
References (4)
- https://attack.mitre.org/techniques/T1567/002/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log
- https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.