Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks.

Upgrade to Pro
THREAT-Exfiltration-M365AnonymousShareLinks CrowdStrike LogScale · LogScale

Detect Data Exfiltration via Anonymous SharePoint/OneDrive Sharing Links in CrowdStrike LogScale

Rather than uploading data to an external cloud storage account (T1537) or a third-party tool like rclone or Mega, an adversary — or a malicious/negligent insider — can exfiltrate data using Microsoft 365's own file-sharing feature: generating an 'Anyone' (anonymous) or externally-shared link for a SharePoint or OneDrive file or folder, then downloading it from an unmanaged device or forwarding the link outside the organization. Because the traffic never leaves Microsoft's infrastructure and no suspicious process or unusual outbound network connection is generated, this technique evades every process- and network-telemetry-based exfiltration detection (EDR process monitoring, DeviceNetworkEvents, proxy logs). Detection instead depends entirely on the Microsoft 365 Unified Audit Log (Office 365 Management Activity API), which records SharePoint/OneDrive sharing operations such as AnonymousLinkCreated, SharingInvitationCreated, AddedToSecureLink, and the corresponding *LinkUsed events when the link is subsequently accessed.

MITRE ATT&CK

Tactic
Exfiltration

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
// CrowdStrike LogScale query over an M365 Unified Audit Log repository ingested via the
// Falcon Data Replicator / generic HTTP Event Collector (Falcon endpoint telemetry does not
// natively capture SaaS audit logs; this assumes the O365 Management Activity API feed has
// been forwarded into LogScale as its own repository).
Workload="SharePoint"
| Operation=/AnonymousLinkCreated|SharingInvitationCreated|AddedToSecureLink|AnonymousLinkUsed/
| groupBy([UserId, ClientIP, Operation], function=[count(as=EventCount), collect(ObjectId, limit=20)])
| sort(EventCount, order=desc)
high severity medium confidence

CrowdStrike LogScale query over an ingested Microsoft 365 Management Activity API log repository (not Falcon endpoint telemetry, since SharePoint/OneDrive sharing activity is a SaaS-side event with no corresponding host process or network signal). Aggregates anonymous/external sharing link creation and usage events by user and client IP to surface bulk-sharing behavior.

Data Sources

CrowdStrike LogScale (generic log ingestion repository)Microsoft 365 Management Activity API (forwarded via Data Replicator/HEC)

Required Tables

M365 audit log repository (non-endpoint)

False Positives & Tuning

  • Marketing/partnership teams routinely sharing external-facing collateral via anonymous links
  • Approved automated business workflows generating sharing links

Other platforms for THREAT-Exfiltration-M365AnonymousShareLinks


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Anonymous Sharing Link via PnP PowerShell

    Expected signal: Office 365 Unified Audit Log: Operation=AnonymousLinkCreated, Workload=SharePoint, RecordType=SharePointSharingOperation, with the UserId and ObjectId of the test file.

  2. Test 2Bulk Anonymous Link Creation Simulation

    Expected signal: 12 AnonymousLinkCreated audit events for the same UserId within a short time window.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfiltration-M365AnonymousShareLinks — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.