
Insider Threat Matrix™
  • ID: DT128
  • Created: 21st May 2025
  • Updated: 21st May 2025
  • Platform: Windows
  • Contributor: The ITM Team

Microsoft Purview eDiscovery

Investigators can leverage Microsoft Purview eDiscovery to proactively search for indicators of insider threat activity across Microsoft 365 workloads, including Exchange, SharePoint, OneDrive, and Teams. eDiscovery enables targeted search of user communications and file content across those workloads within a single tenant, making it a powerful internal investigation and monitoring tool when used within approved workflows. Search hits are investigative leads to be reviewed in context, not findings in themselves.

eDiscovery should be used to:

  • Identify data staging or policy violations involving sensitive or regulated information.
  • Investigate keywords, file types, or behavioral patterns linked to insider misuse.
  • Surface high-risk communication themes (e.g., resignation, exfil intent, coercion signals).
  • Correlate abnormal file sharing, email forwarding, or messaging activity across multiple users or services.


Detection Methods (via eDiscovery):

  • Keyword or Pattern-Based Search: Use KQL search queries within eDiscovery to identify sensitive terms or behaviors, such as:
      • exit or intent phrases: resign, job offer, leaving soon
      • staging phrases: backup, personal email, send to home, remotely wipe, compressed
      • file extensions commonly used for staging or exfiltration: .7z, .rar, .pst, .tar.gz, .gpg
      • repeated references to external transfer or messaging tools (e.g., “WeTransfer”, “Dropbox”, “Telegram”)
    Broad single words such as “backup” or “compressed” return many benign hits; pair them with a date range, the subject's mailbox or sites, and quoted phrases to keep the result set reviewable.

  • Targeted User Investigation: Investigate specific users flagged by UEBA, DLP, or HR triggers. Scope eDiscovery searches to the user's mailbox, OneDrive, and Teams content; identify OneDrive or SharePoint sharing involving external users or personal accounts; and retrieve deleted messages or files still held in Recoverable Items or the preservation hold library while a hold or retention policy applies. Mailbox forwarding and inbox rules are configuration rather than content and do not appear in eDiscovery results; check them through the Purview audit log (inbox rule and forwarding-change events) or Exchange administration instead.
  • Communication Timeline Reconstruction: Use eDiscovery to build a timeline of internal communications and file interactions around suspicious dates—e.g., just before resignation, travel, or privileged access escalations.
  • Multi-Source Correlation: Cross-reference results from Exchange, Teams, OneDrive, and SharePoint in a single case. Link content types and time windows to identify coordinated behavior or quiet staging across services.
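The following block is an added example, not ITM's own tooling or part of the original page. It builds the KQL query for the watchlist above (keyword search, file extensions, date window) and shows how the same query is run as a Purview eDiscovery search from Security & Compliance PowerShell for a user flagged by a trigger. The case name INS-0001, the mailbox j.doe@contoso.com, the ExchangeOnlineManagement module and an account holding the eDiscovery Manager role are all assumptions; only the query builder runs without a tenant.

```powershell
# Added example, not ITM's own tooling. Builds the KQL query for the watchlist above and
# runs it as a Purview eDiscovery search from Security & Compliance PowerShell.
# Assumptions (placeholders, not from the page): case 'INS-0001', mailbox 'j.doe@contoso.com',
# the ExchangeOnlineManagement module, and an account holding the eDiscovery Manager role.

function New-InsiderThreatKql {
    param(
        [string[]]$Phrases,           # intent and staging phrases
        [string[]]$Extensions,        # extensions used for staging or exfiltration
        [string[]]$ExternalServices,  # external transfer or messaging tools
        [datetime]$Start,
        [datetime]$End
    )
    # Multi-word terms must be quoted so KQL treats them as phrases rather than ANDed words.
    $terms = @($Phrases + $ExternalServices) | ForEach-Object { '"' + $_ + '"' }
    # filetype: takes the bare extension and matches site documents; '.tar.gz' is indexed
    # by its final extension, 'gz'. Mail attachments need a separate attachmentnames: clause.
    $types = $Extensions | ForEach-Object { 'filetype:' + $_.TrimStart('.').Split('.')[-1] }
    # Mail items carry 'sent'; site documents carry 'lastmodifiedtime'. Cover both so the
    # date window does not silently drop one workload.
    $dates = ('(sent>={0:yyyy-MM-dd} AND sent<={1:yyyy-MM-dd}) OR ' +
              '(lastmodifiedtime>={0:yyyy-MM-dd} AND lastmodifiedtime<={1:yyyy-MM-dd})') -f $Start, $End
    return "(($($terms -join ' OR ')) OR ($($types -join ' OR '))) AND ($dates)"
}

function Invoke-InsiderThreatSearch {
    param([string]$Case, [string]$Name, [string[]]$Mailboxes, [string]$Query)
    # Requires Connect-IPPSSession first. Scopes to the flagged mailboxes plus all sites, so
    # OneDrive and SharePoint staging lands in the same case as the mail hits.
    if (-not (Get-ComplianceCase -Identity $Case -ErrorAction SilentlyContinue)) {
        New-ComplianceCase -Name $Case | Out-Null
    }
    New-ComplianceSearch -Name $Name -Case $Case -ExchangeLocation $Mailboxes `
        -SharePointLocation All -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name
    do {
        Start-Sleep -Seconds 30
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -notin @('Completed', 'PartiallySucceeded', 'Failed'))
    $search | Select-Object Name, Status, Items, Size
}

$query = New-InsiderThreatKql `
    -Phrases @('resign', 'job offer', 'leaving soon', 'personal email', 'send to home', 'remotely wipe') `
    -Extensions @('.7z', '.rar', '.pst', '.tar.gz', '.gpg') `
    -ExternalServices @('WeTransfer', 'Dropbox', 'Telegram') `
    -Start (Get-Date '2025-04-01') -End (Get-Date '2025-05-21')
$query   # review the query before it is run inside a case

$RunInTenant = $false   # set to $true after Connect-IPPSSession, within an authorised investigation
if ($RunInTenant) {
    Invoke-InsiderThreatSearch -Case 'INS-0001' -Name 'INS-0001-staging' `
        -Mailboxes @('j.doe@contoso.com') -Query $query
}
```

The search is deliberately created inside a case rather than as a standalone content search so that the results, holds and exports stay attached to the investigation record. Review the hit count and a sample of items in the Purview portal before exporting; a large hit count usually means one of the single-word terms needs tightening rather than that staging has been found.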


Indicators (via eDiscovery Results):

  • Discovery of sensitive files emailed to non-corporate domains.
  • Large compressed archives sent or shared shortly before account deactivation.
  • Coordinated message themes among multiple insiders (e.g., disgruntlement, collusion).
  • Use of keywords suggesting obfuscation, retaliation, or planned exit.
  • Evidence of Teams conversations involving encouragement or normalization of data misuse.

Sections

AF030: Message Deletion

The subject deletes digital communication records in order to remove evidence of prior activity, coordination, or intent. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.


Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, and relationships between individuals. Deleting these records can reduce the available evidentiary timeline and hinder reconstruction of events.


Message deletion may occur before, during, or after an infringement. In some cases, subjects remove messages immediately after sending them to eliminate records of inappropriate requests or instructions. In other cases, deletion occurs after an alert, disciplinary action, or investigation has begun.


Because communication platforms often retain administrative logs of message deletion events, the act of deleting messages may itself become a significant investigative indicator.

AF030.001: Deletion of Corporate Communication Messages

The subject deletes messages from organization-managed communication platforms such as enterprise collaboration tools, internal messaging systems, or other corporate communication environments.


These platforms commonly contain operational discussions, requests for information, coordination between staff, or exchanges relating to sensitive work activities. Deleting messages from these systems may remove evidence of policy violations, improper instructions, or coordination with other individuals.


In many enterprise platforms, message deletion events generate administrative audit artifacts. While the message content may no longer be visible to users, deletion activity can often still be identified through platform audit logs, retention systems, or administrative investigation tools.
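The following block is an added example, not ITM's own tooling or part of the original page. It shows the audit-log side of the point above: even when message content is gone, the unified audit log records the deletion events (Teams MessageDeleted; Exchange MoveToDeletedItems, SoftDelete and HardDelete), and a burst of such events by one user in a short window is itself an indicator worth triaging. The records below are constructed to match the shape returned by Search-UnifiedAuditLog (an AuditData JSON string per record); the user names, the 30-day window and the burst threshold are assumptions, and only the final tenant query needs Connect-ExchangeOnline and an audit-reading role.

```powershell
# Added example, not ITM's own tooling. Flags users whose deletion events cluster in a
# short window, using the record shape returned by Search-UnifiedAuditLog (AuditData is a
# JSON string). The sample records are constructed for the example; the live query at the
# end needs Connect-ExchangeOnline and an account allowed to read the audit log.

function Find-DeletionBursts {
    param(
        [Parameter(Mandatory)][object[]]$Records,   # objects with an AuditData JSON property
        [int]$Threshold = 10,                       # deletions inside one window that count as a burst
        [int]$WindowMinutes = 30
    )
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            User     = $d.UserId
            Time     = [datetime]$d.CreationTime
            Workload = $d.Workload
            Op       = $d.Operation
        }
    }
    foreach ($g in ($events | Group-Object User)) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end  = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $hits = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            if ($hits.Count -ge $Threshold) {
                [pscustomobject]@{
                    User      = $g.Name
                    Start     = $sorted[$i].Time
                    Deletions = $hits.Count
                    Ops       = ($hits.Op | Sort-Object -Unique) -join ','
                    Workloads = ($hits.Workload | Sort-Object -Unique) -join ','
                }
                break   # one row per user; the earliest burst is enough for triage
            }
        }
    }
}

# Constructed sample records (not real tenant data): j.doe deletes 12 Teams messages and
# soft-deletes 3 mail items within ten minutes; a.smith deletes two messages a day apart.
function New-SampleRecord([string]$User, [string]$Op, [string]$Workload, [datetime]$When) {
    [pscustomobject]@{
        AuditData = (@{ UserId = $User; Operation = $Op; Workload = $Workload
                        CreationTime = $When.ToString('s') } | ConvertTo-Json -Compress)
    }
}
$t0 = Get-Date '2025-05-20T18:02:00'
$sample  = @(1..12 | ForEach-Object { New-SampleRecord 'j.doe@contoso.com' 'MessageDeleted' 'MicrosoftTeams' $t0.AddSeconds(40 * $_) })
$sample += @(1..3  | ForEach-Object { New-SampleRecord 'j.doe@contoso.com' 'SoftDelete' 'Exchange' $t0.AddMinutes(5 + $_) })
$sample += New-SampleRecord 'a.smith@contoso.com' 'MessageDeleted' 'MicrosoftTeams' $t0.AddDays(-1)
$sample += New-SampleRecord 'a.smith@contoso.com' 'MessageDeleted' 'MicrosoftTeams' $t0

Find-DeletionBursts -Records $sample | Format-Table -AutoSize

# Live query over an assumed 30-day window for a flagged user, run through the same logic.
$RunInTenant = $false   # set to $true after Connect-ExchangeOnline, within an authorised investigation
if ($RunInTenant) {
    $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -Operations MessageDeleted, MoveToDeletedItems, SoftDelete, HardDelete `
        -UserIds 'j.doe@contoso.com' -ResultSize 5000
    Find-DeletionBursts -Records $live | Format-Table -AutoSize
}
```

On the constructed sample the function reports a single row for j.doe (15 deletions spanning MessageDeleted and SoftDelete across the Exchange and MicrosoftTeams workloads) and nothing for a.smith, whose two deletions fall outside any 30-minute window. The threshold and window are starting points, not calibrated values: set them from the organisation's own baseline, and treat a burst that lines up with a resignation date, an HR event or an alert as the timing cue for the eDiscovery work described above rather than as proof of intent.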