Command Zero
Narration by Agent Zero
Highrun-c8dff72d-24d4-4815-938d-0b926af67ad9
Malicious Insider Activity
Medium confidence
  • insider-threat
  • data-exfiltration
  • offboarding
  • sharepoint
  • email-forwarding
  • malicious-insider

Departing Employee Data Exfiltration: User_1 Transfers Corporate Design Files to Personal Accounts

Senior Design Associate forwarded HR separation documents and shared corporate architecture project folder with personal Gmail account during active offboarding. Multiple exfiltration vectors (email, SharePoint, USB, guest account) targeted personal infrastructure over 3-day window.

Autonomous investigation: Command Zero · Agent Zero

Investigation time: 7m 33s (autonomous)
Questions asked: 41 (HaveIBeenPwned, Microsoft 365 Defender, Microsoft Defender XDR, Microsoft Entra)
Records analyzed: 238 (across all data sources)
Human analysis: ~4 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$341 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On May 15, 2026 at 02:53 UTC, a SharePoint folder named '[SHARE_FOLDER_1]' was shared with the personal Gmail account user_1_personal@gmail.com, triggering an "Unusual Volume of External File Sharing" alert in Microsoft Defender XDR. The user, user_1@[INTERNAL_DOMAIN_1].com, is a Senior Design Associate - Architecture based in [CITY_4], IL. On its own the alert might suggest account compromise, but the broader context tells a different story. Over the preceding three days (May 12–15), the user moved data to personal infrastructure through several channels: forwarding a 4.4MB email containing HR separation documents to personal Gmail on May 13, sending farewell emails with attachments to external clients, creating a guest account for the personal Gmail address in the corporate Entra tenant on May 15, and mounting an external LaCie USB drive twice within minutes of the SharePoint sharing event. All authentication activity originated from Illinois-based residential ISP addresses (AT&T and Comcast) consistent with the user's home location: no geographic anomalies, no impossible travel, no credential-theft indicators. The investigation covered this 3-day window and correlated email logs, SharePoint audit events, Entra ID directory audits, endpoint telemetry, and sign-in logs across Microsoft 365 Defender, Microsoft Entra, and Microsoft Defender for Endpoint, revealing a coherent insider data exfiltration narrative rather than an external compromise.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be a false positive? (Ruled out)

  • Supporting evidence (moderate): SharePoint folder '[SHARE_FOLDER_1]' shared with personal Gmail user_1_personal@gmail.com
  • Supporting evidence (moderate): Guest account created for user_1_personal@gmail.com in corporate Entra tenant
  • Supporting evidence (moderate): 4.4MB email with 6 attachments forwarded to personal Gmail

Dismissed (high confidence): A false positive would require that the alert incorrectly identified benign activity. However, the SharePoint folder sharing to a personal Gmail account, combined with guest account creation for that same Gmail address, email forwarding of separation documents to personal Gmail, and USB drive mounting, all during an active offboarding period, cannot be explained as a detection artifact. The alert correctly identified anomalous external sharing behavior. The broader evidence confirms this is not a false positive.
H2: Could this be normal activity? (Ruled out)

  • Supporting evidence (moderate): User role: Senior Design Associate - Architecture
  • Supporting evidence (moderate): Data targeted: '[SHARE_FOLDER_1]' folder (role-relevant but not authorized for personal sharing)
  • Supporting evidence (moderate): Recipient: personal Gmail account, not a business partner

Dismissed (high confidence): Normal activity would require that sharing corporate architecture project files with a personal Gmail account, creating a guest account for that personal Gmail in the corporate tenant, and forwarding HR separation documents to personal email are within the expected scope of a Senior Design Associate's role. These actions are not within normal role scope and represent data movement to personal infrastructure that would not be authorized under standard corporate data governance policies.
H3: Could this be an account compromise? (Ruled out)

  • Supporting evidence (moderate): All IPs geolocated to Illinois (AT&T and Comcast residential)
  • Supporting evidence (moderate): No HIBP breach records
  • Supporting evidence (moderate): No risky sign-in events from Entra ID Protection

Dismissed (high confidence): Account compromise would require evidence that an unauthorized external actor gained access to the account. All sign-in activity originated from Illinois-based residential ISP addresses (AT&T [CITY_1]/[CITY_2], Comcast [CITY_4]) consistent with the user's [CITY_4] profile. No geographic anomalies, no foreign IPs, no impossible travel, no HIBP breach records, no risky sign-in events, no MFA method changes, no password changes. The activity pattern (farewell emails, exit survey forwarding, project handover emails) is consistent with a departing employee acting under their own volition, not an external attacker. The personal Gmail recipient address (user_1_personal@gmail.com) shares name components with the corporate email, further indicating the legitimate account holder is the actor.
H4: Could this be a policy violation? (Ruled out)

  • Supporting evidence (moderate): Guest account creation for personal Gmail to enable persistent access
  • Supporting evidence (moderate): SharePoint folder share of '[SHARE_FOLDER_1]' (corporate IP) to personal Gmail
  • Supporting evidence (moderate): Multiple exfiltration vectors used (email, SharePoint, USB)

Dismissed (medium confidence): Policy violation would apply if the user violated a documented policy without malicious intent and without involving sensitive data. However, the evidence suggests intentional data movement: the user created a guest account for their personal Gmail to enable persistent post-employment access to corporate resources, shared a corporate design project folder (intellectual property) with personal infrastructure, and forwarded HR separation documents to personal email. The creation of a guest account specifically to maintain access after departure demonstrates intent to circumvent the natural access termination that occurs upon separation. The data involved (architecture design projects) represents corporate intellectual property. This exceeds a simple policy violation and constitutes malicious insider activity.
H5: Could this be suspicious but not malicious? (Ruled out)

  • Supporting evidence (moderate): Multiple independent exfiltration vectors
  • Supporting evidence (moderate): Role-data alignment (architecture projects shared by architecture associate)
  • Supporting evidence (moderate): Temporal clustering during offboarding period

Dismissed (medium confidence): A 'Suspicious' verdict would be appropriate if the evidence were genuinely ambiguous. However, the convergence of multiple independent exfiltration vectors (email forwarding, SharePoint sharing, USB mounting, guest account creation) all targeting personal infrastructure during an active offboarding period, combined with the user's role directly aligning with the targeted data, provides sufficient evidence to support a more definitive verdict. The pattern is not merely suspicious: it traces a coherent insider data exfiltration narrative.

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

Email log
On 2026-05-13T14:40:55Z, user forwarded email titled 'FW: Exit Survey and Separation Information - User_1' containing 6 attachments (4.4MB total) to personal Gmail account user_1_personal@gmail.com from IP [EXTERNAL_IP_1] (AT&T residential, [CITY_1] IL). The subject explicitly references the user's own exit/separation process.
Methodology: Email forwarding to external personal accounts during offboarding is monitored via Microsoft Defender XDR Advanced Hunting EmailEvents table, which captures outbound email metadata including sender, recipient, subject, attachment count, and size.
Microsoft Defender XDR Advanced Hunting (EmailEvents)
Email log / SharePoint sharing event
On 2026-05-15T02:53:16Z, SharePoint/OneDrive sharing notification sent to user_1_personal@gmail.com with subject 'Son, Sangbum shared the folder "[SHARE_FOLDER_1]" with you'. This grants ongoing external access to the folder contents rather than a static copy. The folder name directly corresponds to the user's role as Senior Design Associate - Architecture.
Methodology: SharePoint folder sharing events are captured in email notifications sent to external recipients. The sharing notification indicates the folder was shared via OneDrive/SharePoint sharing mechanism, granting persistent access rather than a one-time file transfer.
Microsoft Defender XDR Advanced Hunting (EmailEvents)
Entra ID audit log
On 2026-05-15T02:53:08Z, user user_1@[INTERNAL_DOMAIN_1].com created a guest account for user_1_personal@gmail.com in the corporate Entra tenant (user_1_personal_gmail.com#EXT#@[INTERNAL_DOMAIN_1].onmicrosoft.com), enabling persistent external access. Operations originated from Microsoft Azure infrastructure IPs ([EXTERNAL_IP_6], [EXTERNAL_IP_7]) consistent with programmatic API calls via Microsoft B2B Admin Worker service.
Methodology: Guest account creation is logged in Microsoft Entra ID directory audit logs, capturing the initiating user, target email address, and timestamp. The operation enables the external email to access corporate resources post-employment.
Microsoft Entra ID Audit Logs
Endpoint telemetry (UsbDriveMounted events)
On 2026-05-15 at 02:38:09Z and 02:50:19Z, LaCie Rugged Mini USB3 external drive (serial [USB_SERIAL_1]) was mounted twice on workstation ws-001.[INTERNAL_DOMAIN_2].com, presenting two volumes (D: and F:). Both mount clusters occurred within the same 12-minute window as the SharePoint sharing event. No file write events to USB were captured, but mount events confirm physical media was connected.
Methodology: USB mount events are captured in Microsoft Defender for Endpoint DeviceEvents table, recording device serial numbers, mount times, and drive letters. File write events to USB are correlated with mount events to confirm data transfer.
Microsoft Defender for Endpoint (DeviceEvents)
Email log
Email subjects across the investigation period consistently reference departure: 'FW: Exit Survey and Separation Information - User_1' (May 13), 'RE: Son's departure from [ORG_1]' (May 13), 'Metra-Hand Over' (May 14, multiple), 'Metra Project Transition Information' (May 14, 1.7MB), 'Thank you!' to external client [EXTERNAL_DOMAIN_2].com (May 14), 'Adios Por Ahora!' farewell (May 14). This establishes an active offboarding context.
Methodology: Email subject lines are extracted from EmailEvents table to establish temporal context and intent. Departure-themed subjects indicate the user was aware of and engaged in active offboarding.
Microsoft Defender XDR Advanced Hunting (EmailEvents)
Email log
On 2026-05-13T15:41:24Z, user sent email with attachment to contact_1@[EXTERNAL_DOMAIN_1].com with subject 'RE: Son's departure from [ORG_1]'. The recipient domain [EXTERNAL_DOMAIN_1].com had a RecipientObjectId populated, suggesting a federated or guest relationship with the tenant.
Methodology: Email recipient metadata including RecipientObjectId indicates whether external recipients have federated relationships with the corporate tenant, suggesting business partnerships or guest accounts.
Microsoft Defender XDR Advanced Hunting (EmailEvents)
Sign-in logs
All sign-in activity throughout the investigation period originated from Illinois-based residential ISP addresses (AT&T [CITY_1]/[CITY_2], Comcast [CITY_4]), consistent with the user's [CITY_4], IL office location. No geographic anomalies, no VPN/proxy indicators, no foreign IP addresses. The account was not compromised by an external actor.
Methodology: Sign-in logs are analyzed for geographic location, ISP, and IP address patterns. Consistency with the user's home location and absence of impossible travel events rule out external account compromise.
Microsoft Entra ID Sign-In Logs
User profile
User profile confirms: job title 'Senior Design Associate - Architecture', office location '[CITY_4], IL'. The targeted SharePoint folder '[SHARE_FOLDER_1]' directly aligns with the user's core job function, indicating the exfiltrated data is role-relevant intellectual property.
Methodology: User profile attributes including job title and office location are retrieved via Microsoft Graph API. Role-data alignment is assessed by comparing the user's job function against the data being exfiltrated.
Microsoft Graph API (User Profile)
Sign-in logs / Conditional Access evaluation
Between 02:54Z and 02:55Z on 2026-05-15, the user attempted to access SharePoint Online from an unmanaged iPad (iOS 26.4.2, Chrome Mobile, IP [EXTERNAL_IP_4], AT&T [CITY_1] IL). The first attempt failed on a wrong password; the second attempt passed password validation but was blocked by Conditional Access policy '[CAP_POLICY_1]', which requires device compliance. This demonstrates the user was actively attempting to access corporate SharePoint from a personal device during the exfiltration window.
Methodology: Sign-in logs capture device details, authentication attempts, and Conditional Access policy evaluations. Failed and blocked sign-in attempts indicate the user was actively attempting to access SharePoint from non-compliant devices.
Microsoft Entra ID Sign-In Logs
Safe Links URL click telemetry
Safe Links telemetry shows user clicked [INTERNAL_DOMAIN_1].sharepoint.com/sites/HR/SitePages/Employment-Separation.aspx six times on 2026-05-13 at 14:48:50-14:48:54Z, confirming active engagement with HR offboarding/separation content on the same day as the Gmail email forward.
Methodology: Safe Links URL click events are captured in Microsoft Defender XDR UrlClickEvents table, recording the URL clicked, timestamp, and user. Multiple clicks on HR separation pages confirm the user's awareness of and engagement with offboarding.
Microsoft Defender XDR Advanced Hunting (UrlClickEvents)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. FP-1: Evaluate whether email forwarding to personal Gmail could be routine/benign behavior. Result: Fail
  2. FP-2: Evaluate whether SharePoint folder sharing to personal Gmail could be routine/benign. Result: Fail
  3. FP-3: Evaluate whether guest account creation for personal Gmail could be routine/benign. Result: Fail
  4. FP-5: Evaluate whether external account compromise could explain the observed activity. Result: Pass

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Detection signals: Unusual Volume of External File Sharing · Email Forwarding to External Account · Guest Account Creation · USB Device Mount

Technique: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Tactic: Exfiltration
Context: Flag SharePoint or OneDrive folder shares to external email addresses, especially personal Gmail/Outlook accounts, during employee offboarding windows. Alert on guest account creation for external email addresses in the corporate Entra tenant within 24 hours of external file sharing events. Monitor for patterns where a single user shares multiple folders or large volumes of files to the same external recipient within a short timeframe. Correlate SharePoint sharing events with email forwarding to the same external address and USB mount events on the same endpoint.

Technique: T1114.003 Email Collection: Email Forwarding Rule
Tactic: Collection
Context: Detect outbound emails with large attachments (>2MB) sent to personal email domains (gmail.com, outlook.com, yahoo.com) from corporate accounts, especially those containing HR-related keywords ('separation,' 'exit,' 'offboarding'). Alert on email subjects referencing the sender's own departure or separation. Correlate email forwarding events with subsequent guest account creation or SharePoint sharing to the same external recipient. Flag emails with attachment counts >5 sent to external personal accounts.

Technique: T1098.003 Account Manipulation: Additional Cloud Credentials
Tactic: Persistence
Context: Monitor Entra ID audit logs for guest account creation operations initiated by users whose own accounts are in active offboarding status. Alert when a user creates a guest account for a personal email address (especially one sharing name components with the user's corporate email). Correlate guest account creation with SharePoint sharing events to the same external email address within 1 minute. Flag guest account creation that occurs outside normal business hours or from non-standard IP addresses.

Technique: T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB
Tactic: Exfiltration
Context: Alert on USB mount events for portable external drives (LaCie, WD, Seagate) during employee offboarding periods. Correlate USB mount events with preceding email forwarding or SharePoint sharing events to the same external account. Flag USB mounts that occur outside normal business hours or during nights/weekends. Monitor for repeated USB mount/unmount cycles within short timeframes (e.g., two mounts within 12 minutes), which may indicate staging or verification of data transfer. Require file write event confirmation before concluding data exfiltration, as mount events alone do not prove data transfer.
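The email-forwarding detection described in the T1114.003 row, written out as a scoring rule over EmailEvents-style records. This is an added example, not code from Command Zero or from Microsoft's hunting schema: the field names on `EmailEvent`, the personal-domain list and the indicator names are this example's own, the thresholds (>2MB, >5 attachments, HR keywords) come from the detection table above, and the sample records are constructed with placeholder names.

```python
"""Rule: outbound mail to personal webmail, scored on the indicators listed
in the detection table (attachment size, attachment count, HR keywords,
self-referencing subject, recipient sharing the sender's name)."""
import re
from dataclasses import dataclass

# Thresholds from the detection table; the domain list is an assumed set.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
HR_KEYWORDS = ("separation", "exit", "offboarding")
LARGE_ATTACHMENT_BYTES = 2 * 1024 * 1024   # > 2 MB
MANY_ATTACHMENTS = 5                        # > 5 attachments


@dataclass(frozen=True)
class EmailEvent:
    """Subset of EmailEvents-style fields; names are this example's own."""
    timestamp: str
    sender: str
    recipient: str
    subject: str
    attachment_count: int
    total_bytes: int


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def name_tokens(addr: str) -> set:
    """Name-like pieces of the local part: 'j.doe' -> {'doe'}. Pieces shorter
    than three characters or purely numeric are dropped so 'j' or '88'
    never count as a name."""
    return {t for t in re.split(r"[._\-+]", local_part(addr))
            if len(t) >= 3 and not t.isdigit()}


def evaluate(ev: EmailEvent) -> list:
    """Return the indicator names that fire for one event (empty = clean)."""
    reasons = []
    if domain(ev.recipient) not in PERSONAL_DOMAINS:
        return reasons  # rule scope is personal webmail recipients only
    subject = ev.subject.lower()
    subject_words = set(re.findall(r"[a-z0-9]+", subject))
    sender_names = name_tokens(ev.sender)
    if ev.total_bytes > LARGE_ATTACHMENT_BYTES:
        reasons.append("large_attachment")
    if ev.attachment_count > MANY_ATTACHMENTS:
        reasons.append("many_attachments")
    if any(k in subject for k in HR_KEYWORDS):
        reasons.append("hr_keyword")
    if sender_names & subject_words:
        reasons.append("self_referencing_subject")  # sender's own name in subject
    if any(n in local_part(ev.recipient) for n in sender_names):
        reasons.append("recipient_shares_sender_name")
    return reasons


def run_rule(events) -> list:
    """(event, reasons) for every event with at least one indicator."""
    return [(ev, r) for ev in events if (r := evaluate(ev))]


def escalations(events) -> list:
    """Two or more indicators on one message is the escalation bar used here."""
    return [ev for ev, r in run_rule(events) if len(r) >= 2]


# Constructed sample records (placeholder names, not data from the report).
SAMPLE_EVENTS = [
    EmailEvent("2026-05-13T14:40:55Z", "j.doe@corp.example",
               "jdoe.personal@gmail.com",
               "FW: Exit Survey and Separation Information - J Doe", 6, 4_400_000),
    EmailEvent("2026-05-14T10:12:00Z", "j.doe@corp.example",
               "client@partner.example", "Project Transition Information", 1, 1_700_000),
    EmailEvent("2026-05-14T11:30:00Z", "a.smith@corp.example",
               "friend@gmail.com", "Lunch Friday?", 0, 12_000),
    EmailEvent("2026-05-14T18:05:00Z", "a.smith@corp.example",
               "asmith88@outlook.com", "Photos", 3, 9_000_000),
]

if __name__ == "__main__":
    for ev, reasons in run_rule(SAMPLE_EVENTS):
        print(ev.sender, "->", ev.recipient, reasons)
```

The rule deliberately returns every indicator rather than a boolean: a single large attachment to Gmail is common enough that it should only add weight, while the combination of an HR keyword, the sender's own name in the subject and a recipient whose mailbox name contains the sender's surname is what separates the separation-document forward from routine personal mail.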

Verdict Reasoning

The verdict of Malicious Insider Activity at medium confidence rests on the following mutually corroborating signals:

1. Multiple independent exfiltration vectors all targeting the same personal Gmail account (email forwarding, SharePoint folder sharing, guest account creation) within a 3-day window, demonstrating coordinated intent rather than isolated policy violations

2. The targeted data—SharePoint folder '[SHARE_FOLDER_1]'—directly aligns with the user's job function as Senior Design Associate - Architecture, indicating the user knew the value and sensitivity of the intellectual property being transferred

3. Guest account creation for user_1_personal@gmail.com in the corporate Entra tenant at 02:53:08Z on May 15 specifically enables persistent post-employment access to corporate resources, demonstrating intent to circumvent natural access termination upon separation

4. All sign-in activity originated from consistent Illinois residential ISP addresses (AT&T [CITY_1]/[CITY_2], Comcast [CITY_4]) with no geographic anomalies, no HIBP breach records, no risky sign-in events, and no MFA method removals—ruling out external account compromise and confirming the legitimate account holder is the actor

5. Email subjects across the period ('Exit Survey and Separation Information,' 'Son's departure,' 'Adios Por Ahora!') establish active offboarding context, and Safe Links telemetry confirms the user clicked HR employment separation pages on May 13, corroborating knowledge of imminent departure.

Confidence is Moderate rather than High because: (a) no file write events to the USB drive were captured, preventing confirmation of actual data transfer to removable media; (b) file-level detail on the SharePoint folder share is unavailable, preventing full quantification of exfiltration scope; and (c) attachment content in emails to external clients is unknown, leaving open the possibility that some correspondence was legitimate farewell communication rather than data theft.

Lessons

  1. Offboarding windows are high-risk periods for insider data theft. In this investigation, the user's data exfiltration occurred entirely within a 3-day offboarding period (May 12–15). The user had already engaged with HR separation content (clicked employment separation pages on May 13) and sent farewell emails to colleagues and external clients. Organizations should implement heightened monitoring and access controls during active employee separation: flag all external file sharing, email forwarding, and guest account creation during the offboarding window; require manager approval for any SharePoint sharing to external addresses; and disable USB device mounting on endpoints of departing employees. The window between notification of departure and actual separation is when insiders are most motivated to exfiltrate data.
  2. Multiple exfiltration vectors targeting the same external account signal coordinated intent. This investigation identified four independent exfiltration vectors—email forwarding, SharePoint sharing, guest account creation, and USB mounting—all within 3 days and all involving the same personal Gmail account (user_1_personal@gmail.com). A single policy violation (e.g., one email to personal Gmail) might be benign; the convergence of multiple vectors is a strong indicator of deliberate data theft. Detection systems should correlate across email, cloud storage, identity, and endpoint logs to identify this pattern. A single email forward might be missed; a guest account creation might be missed; but the combination of both targeting the same external address within hours should trigger escalation.
  3. Guest account creation for personal email is a persistence mechanism, not a collaboration tool. The user created a guest account for user_1_personal@gmail.com in the corporate Entra tenant at 02:53:08Z on May 15—the same minute as the SharePoint folder share. This is not a standard collaboration pattern. Guest accounts are typically created by IT administrators for external partners or consultants with business justification. When a user creates a guest account for their own personal email address, especially during offboarding, the intent is to maintain post-employment access to corporate resources. Audit logs should flag any guest account creation initiated by non-admin users, and especially flag creation of guest accounts for personal email domains. Require manager or IT approval before any guest account creation.
  4. Role-data alignment is a key indicator of insider intent. The user's role was Senior Design Associate - Architecture, and the targeted SharePoint folder was '[SHARE_FOLDER_1]'—directly relevant to architecture work. An external threat actor compromising this account would likely exfiltrate data at random or based on sensitivity labels; an insider knows which data is valuable to their role and to their next employer. When investigating data exfiltration, cross-reference the user's job title and department against the data being shared. If a departing employee is exfiltrating data that directly aligns with their core job function, the likelihood of insider intent increases significantly.
  5. Absence of geographic anomalies does not rule out insider threats. All sign-in activity in this investigation originated from Illinois residential ISP addresses consistent with the user's home location. There were no impossible travel events, no foreign IPs, no VPN indicators. This ruled out external account compromise but did not rule out insider activity. Insider threats often originate from the user's home or office—the same locations where legitimate activity occurs. Do not assume that consistent geolocation and ISP patterns indicate benign activity. Instead, correlate geolocation with other signals: email forwarding, file sharing, guest account creation, and USB mounting. An insider working from home during offboarding is still an insider threat.