Agent Foskett • SharePoint Security • OneDrive Investigation

The User Shared The File With Everyone

The file was not stolen. Nobody hacked the account. Nobody bypassed MFA. No malware alert fired.

The user simply clicked share, changed the permission and created an "Anyone with the link" access path.

This Agent Foskett briefing investigates one of the most common cloud security risks in Microsoft 365: sensitive SharePoint and OneDrive files exposed through broad sharing links, anonymous access, external recipients and permissions nobody reviewed until the file had already travelled further than expected.

Briefing summary

A file sharing incident is not always a breach in the traditional sense. Sometimes the risk begins with a normal Microsoft 365 feature used too broadly. GEMXIT looks at the link, the permission, the recipients and the telemetry trail.

Investigate SharePoint and OneDrive links
Review external and anonymous access
Use CloudAppEvents and KQL
🚨 The file was not hacked. It was shared too broadly.
In Microsoft 365, the easiest data exposure path is often not malware. It is a sharing link that gave more access than anyone realised.

What happened

A sensitive file was stored in SharePoint or OneDrive. The user needed to collaborate quickly. The sharing setting looked convenient. The exposure started quietly.
The file was sensitive: the document may have contained pricing, client information, project details, financial data, credentials, contracts or internal business notes.
The link was too open: an anyone link, external link or broad sharing permission allowed access beyond the people who genuinely needed the file.
The audience expanded: once the link was created, it could be forwarded, reused, opened from unmanaged devices or accessed by people outside the original conversation.
No alert explained everything: the activity may have looked like normal collaboration unless someone reviewed the sharing event, file access and user behaviour together.
Permissions became the incident: the question was no longer only who created the file. The question became who could access it, who did access it and whether the link still worked.
The logs held the evidence: CloudAppEvents, audit records, file activity and sharing telemetry helped reconstruct the link creation, access history and exposure timeline.

The real issue was uncontrolled sharing

SharePoint and OneDrive make collaboration simple. That is useful. The risk appears when convenience quietly overrides data protection, review and least privilege.
Anyone links are powerful: an anyone link can turn a protected document into a file that is accessible without the normal identity checks defenders expect.
External access needs review: external sharing may be legitimate, but it should be visible, controlled and reviewed against the sensitivity of the content.
Collaboration is not the same as control: the business may believe a file is internal while the actual sharing permissions tell a very different story.

First hunt: recently created sharing links

Start by looking for sharing link creation activity across SharePoint and OneDrive. The aim is to identify who created the link, what object was shared and whether the permission was broader than expected.
sharepoint-onedrive-sharing-links.kql
CloudAppEvents
| where Timestamp > ago(30d)
| where Application has_any ("SharePoint", "OneDrive")
// ActionType holds the audit-log operation name, not the friendly label shown in the
// Purview portal ("Created sharing link" is recorded as SharingLinkCreated)
| where ActionType has_any ("SharingLinkCreated", "SharingSet", "AnonymousLinkCreated",
                            "SecureLinkCreated", "CompanyLinkCreated", "SharingInvitationCreated")
// for SharingSet events the raw audit record names who the permission was granted to
| extend TargetType = tostring(RawEventData.TargetUserOrGroupType),
         Target = tostring(RawEventData.TargetUserOrGroupName)
| project Timestamp, AccountDisplayName, AccountObjectId,
          ActionType, Application, ObjectName, TargetType, Target, IPAddress, RawEventData
| order by Timestamp desc
What to review: the user, file name, site, action type, IP address, device context and raw event details that may show the link scope.
Why it matters: a sharing link can create exposure without malware, phishing or a failed sign-in. The link itself becomes the access path.
Best next pivot: from the file name or site URL into file access events, download events and external user activity.

Second hunt: files accessed or downloaded after sharing

Creating a link is one part of the story. The next question is whether the file was opened, downloaded or accessed from unexpected locations after the link was created.
file-access-after-sharing.kql
CloudAppEvents
| where Timestamp > ago(30d)
| where Application has_any ("SharePoint", "OneDrive")
// AnonymousLinkUsed records an open through an "anyone" link and carries no signed-in
// identity; the other three cover internal and guest access
| where ActionType has_any ("FileAccessed", "FileDownloaded", "FilePreviewed", "AnonymousLinkUsed")
// replace the placeholder with the file name or site path under investigation
| where ObjectName has "sensitive-file-name"
| project Timestamp, AccountDisplayName, IsExternalUser, ActionType,
          IPAddress, Application, ObjectName, RawEventData
| order by Timestamp desc
What to review: who accessed the file, whether the account was internal or external, where the IP address came from and whether downloads followed shortly after sharing.
Why it matters: file access after link creation helps separate a theoretical exposure from confirmed activity that may require containment.
Best next pivot: check whether the same user shared other sensitive files, whether the same external recipient accessed multiple files and whether downloads increased suddenly.

Third hunt: external users and unusual access patterns

A single external access event may be normal. Repeated access, unexpected locations, unmanaged devices or many files accessed together can change the investigation.
external-file-access-patterns.kql
CloudAppEvents
| where Timestamp > ago(7d)
| where Application has_any ("SharePoint", "OneDrive")
| where ActionType has_any ("FileAccessed", "FileDownloaded", "FilePreviewed", "AnonymousLinkUsed")
// grouping on IsExternalUser separates guest and anonymous activity from internal collaboration
| summarize Events = count(),
            Files = dcount(ObjectName),
            Downloads = countif(ActionType == "FileDownloaded"),
            IPs = make_set(IPAddress)
            by AccountDisplayName, IsExternalUser, Application
// tune the thresholds to the tenant; external accounts usually warrant a lower bar
| where Events > 10 or Files > 5
| order by IsExternalUser desc, Events desc

Fourth hunt: broad sharing across the environment

One risky shared file may reveal a bigger pattern. This query helps identify users who create many sharing links or repeatedly expose files through collaboration settings.
broad-sharing-by-user.kql
CloudAppEvents
| where Timestamp > ago(30d)
| where Application has_any ("SharePoint", "OneDrive")
// operation names as recorded in the audit log; AddedToSecureLink fires when a recipient
// is added to an existing specific-people link
| where ActionType has_any ("SharingLinkCreated", "SharingSet", "AnonymousLinkCreated",
                            "SecureLinkCreated", "CompanyLinkCreated", "AddedToSecureLink")
| summarize SharingEvents = count(),
            SharedObjects = dcount(ObjectName),
            AnonymousLinks = countif(ActionType == "AnonymousLinkCreated"),
            Actions = make_set(ActionType)
            by AccountDisplayName, Application
| order by AnonymousLinks desc, SharingEvents desc

What should happen after a risky sharing link is found?

The goal is not to blame collaboration. The goal is to contain the exposure, understand the timeline and reduce the chance it happens again.
Remove the risky link: disable anonymous or broad sharing links, review existing permissions and replace them with specific named-user access where possible.
Rebuild the timeline: record when the link was created, who created it, who accessed the file, whether it was downloaded and whether the file was reshared.
Notify the right people: if the file contained sensitive data, involve business owners, privacy contacts, IT administrators and security reviewers quickly.
Review tenant sharing settings: check SharePoint and OneDrive external sharing defaults, link expiration, guest access, sensitivity labels and site-level permissions.
Limit future exposure: use least privilege, link expiry, domain restrictions, data loss prevention and user education for sensitive files.
Monitor after containment: continue watching for further access attempts, downloads, resharing activity and similar sharing behaviour by the same user or site.
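The timeline step above is usually done by hand from the query results. The Python below is an added example, not GEMXIT's or Agent Foskett's code and not part of the original briefing: it replays a handful of constructed CloudAppEvents-style rows in time order, pairs each sharing event with the file activity that followed it, derives the link scope, and records whether a later revocation closed the link, so the three questions (who could access, who did access, does access still exist) come out of one pass. The row layout mirrors CloudAppEvents column names; the audit operation names in the three sets, the TargetUserOrGroupType and TargetUserOrGroupName fields read from RawEventData, and every account, path and IP address in the sample are assumptions for illustration.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime

# Audit operation names grouped by what they mean for the file (assumed set, extend as needed)
LINK_CREATED = {"AnonymousLinkCreated", "SharingLinkCreated", "SecureLinkCreated",
                "CompanyLinkCreated", "SharingSet", "AddedToSecureLink"}
LINK_REMOVED = {"AnonymousLinkRemoved", "SharingRevoked"}
FILE_ACCESS = {"FileAccessed", "FilePreviewed", "FileDownloaded", "AnonymousLinkUsed"}

# Constructed sample rows shaped like CloudAppEvents columns; not real tenant data.
Q3 = "/sites/Finance/Shared Documents/Q3-pricing.xlsx"
CLIENTS = "/personal/bob_example_com/Documents/client-list.docx"
SAMPLE_EVENTS = [
    {"Timestamp": "2024-04-30T16:10:00+00:00", "AccountDisplayName": "Alice Example",
     "ActionType": "FileAccessed", "ObjectName": Q3, "IPAddress": "10.0.0.5",
     "IsExternalUser": False, "RawEventData": "{}"},          # before the link: not exposure
    {"Timestamp": "2024-05-01T09:00:00+00:00", "AccountDisplayName": "Alice Example",
     "ActionType": "AnonymousLinkCreated", "ObjectName": Q3, "IPAddress": "10.0.0.5",
     "IsExternalUser": False, "RawEventData": "{}"},
    {"Timestamp": "2024-05-01T09:05:00+00:00", "AccountDisplayName": "Alice Example",
     "ActionType": "FileAccessed", "ObjectName": Q3, "IPAddress": "10.0.0.5",
     "IsExternalUser": False, "RawEventData": "{}"},
    {"Timestamp": "2024-05-01T09:30:00+00:00", "AccountDisplayName": "anonymous",
     "ActionType": "AnonymousLinkUsed", "ObjectName": Q3, "IPAddress": "203.0.113.10",
     "IsExternalUser": True, "RawEventData": "{}"},
    {"Timestamp": "2024-05-01T10:00:00+00:00", "AccountDisplayName": "anonymous",
     "ActionType": "FileDownloaded", "ObjectName": Q3, "IPAddress": "203.0.113.10",
     "IsExternalUser": True, "RawEventData": "{}"},
    {"Timestamp": "2024-05-02T08:00:00+00:00", "AccountDisplayName": "Bob Example",
     "ActionType": "SharingSet", "ObjectName": CLIENTS, "IPAddress": "10.0.0.9",
     "IsExternalUser": False,
     "RawEventData": json.dumps({"TargetUserOrGroupType": "Guest",
                                 "TargetUserOrGroupName": "ext@partner.example"})},
    {"Timestamp": "2024-05-02T11:20:00+00:00", "AccountDisplayName": "ext@partner.example",
     "ActionType": "FileAccessed", "ObjectName": CLIENTS, "IPAddress": "198.51.100.7",
     "IsExternalUser": True, "RawEventData": "{}"},
    {"Timestamp": "2024-05-03T09:00:00+00:00", "AccountDisplayName": "Bob Example",
     "ActionType": "SharingRevoked", "ObjectName": CLIENTS, "IPAddress": "10.0.0.9",
     "IsExternalUser": False, "RawEventData": "{}"},
]


@dataclass
class Exposure:
    """One sharing event and everything that happened to the file after it."""
    file: str
    created_by: str
    created_at: datetime
    scope: str                 # "anyone", "external:<user>", "organization" or "named:<user>"
    still_active: bool = True  # flipped to False by a removal or revocation event
    accesses: list = field(default_factory=list)  # (time, account, action, ip, is_external)

    @property
    def external_access_count(self) -> int:
        return sum(1 for a in self.accesses if a[4])

    @property
    def download_count(self) -> int:
        return sum(1 for a in self.accesses if a[2] == "FileDownloaded")


def link_scope(event: dict) -> str:
    """Derive who the link admits from the operation name and the raw audit fields."""
    if event["ActionType"] == "AnonymousLinkCreated":
        return "anyone"
    if event["ActionType"] == "CompanyLinkCreated":
        return "organization"
    raw = json.loads(event.get("RawEventData") or "{}")
    target_type = raw.get("TargetUserOrGroupType", "")
    target = raw.get("TargetUserOrGroupName", "")
    if target_type == "Anonymous":
        return "anyone"
    if target_type == "Guest":
        return f"external:{target}"
    return f"named:{target or 'unknown'}"


def build_timeline(events: list) -> dict:
    """Replay events in time order; accesses count only after a link exists (one link per file)."""
    exposures = {}
    for e in sorted(events, key=lambda r: r["Timestamp"]):
        ts = datetime.fromisoformat(e["Timestamp"])
        name, action = e["ObjectName"], e["ActionType"]
        if action in LINK_CREATED:
            exposures[name] = Exposure(name, e["AccountDisplayName"], ts, link_scope(e))
        elif action in LINK_REMOVED and name in exposures:
            exposures[name].still_active = False
        elif action in FILE_ACCESS and name in exposures:
            # an anonymous link open never carries a real identity, so it is always external
            external = bool(e.get("IsExternalUser")) or action == "AnonymousLinkUsed"
            exposures[name].accesses.append((ts, e["AccountDisplayName"], action, e["IPAddress"], external))
    return exposures


def open_exposures(exposures: dict) -> list:
    """Files whose link still works and admits someone outside the organisation."""
    return sorted(f for f, x in exposures.items()
                  if x.still_active and (x.scope == "anyone" or x.scope.startswith("external:")))


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    for x in timeline.values():
        print(f"{x.file}: shared by {x.created_by} at {x.created_at:%Y-%m-%d %H:%M}, scope={x.scope}, "
              f"active={x.still_active}, accesses={len(x.accesses)}, "
              f"external={x.external_access_count}, downloads={x.download_count}")
    print("still exposed:", open_exposures(timeline))
```

On the sample, the pricing sheet comes out as an "anyone" link that is still active with two anonymous opens and one download after creation, while the client list shows one guest access and a revocation, so it drops out of the still-exposed list. Against real data, feed the function rows exported from the first two hunts and treat the "still exposed" output as the containment worklist.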

How GEMXIT approaches SharePoint and OneDrive security reviews

At GEMXIT, we do not only ask whether SharePoint is enabled. We look at how files are actually being shared, who can access them and what the telemetry proves.
We question access: who can open the file? Is the link anonymous? Does it expire? Can it be forwarded? Is the recipient known and trusted?
We validate telemetry: CloudAppEvents, audit logs, Defender XDR and Microsoft 365 activity records help show the real sharing and access history.
We reduce practical risk: the aim is a usable collaboration model where people can still work, but sensitive data is not exposed by default.
The file was shared. The question is who could open it.
That is why SharePoint and OneDrive security needs file permissions, external sharing, identity, audit logs and Defender telemetry reviewed together.

Final thought

Modern data exposure does not always look like a dramatic breach. Sometimes it looks like a normal user, a normal file and a normal sharing button used without enough context.
At GEMXIT: we help organisations review Microsoft 365, SharePoint, OneDrive, Defender XDR, Sentinel, Entra ID and cloud sharing controls to identify risky data exposure before it becomes an incident.
Agent Foskett mindset: the important question is not only "Was the file protected?"

It is: "Can we prove exactly who could access it, who did access it and whether that access still exists?"

SharePoint and OneDrive Anonymous Sharing Link Investigation

This Agent Foskett briefing explains how risky SharePoint and OneDrive sharing links can expose sensitive files through anyone links, external sharing and broad permissions.

Microsoft Defender XDR CloudAppEvents KQL File Sharing Review

GEMXIT helps organisations review Microsoft Defender XDR, CloudAppEvents, Microsoft 365 audit logs, SharePoint permissions and OneDrive sharing activity to identify exposed files and risky collaboration settings.

External Sharing, Data Exposure and Microsoft 365 Security

Example investigation areas include anonymous sharing links, external users, SharePoint file downloads, OneDrive access, guest access, link expiry, sensitivity labels, DLP controls and risky Microsoft 365 collaboration behaviour.