SC-050: Insider Data Theft via Cloud Storage

Scenario Overview

A senior software engineer at NovaTech Solutions (a SaaS company) receives a competing job offer and decides to exfiltrate proprietary source code, customer data, and product roadmaps before submitting their resignation. Using legitimate credentials and authorized access to SharePoint and OneDrive, the employee systematically downloads sensitive intellectual property over two weeks, uploads it to personal cloud storage accounts, and attempts to cover tracks by clearing browser history and audit logs. The theft is detected post-resignation through UEBA anomalies and DLP retrospective analysis.

Environment: NovaTech Solutions corporate Microsoft 365 tenant (novatech.example.com); Azure AD for identity
Initial Access: Legitimate employee credentials (no exploitation required)
Impact: Trade secrets stolen including proprietary ML algorithms, customer database, and 18-month product roadmap; competitive advantage compromised
Difficulty: Intermediate
Sector: Technology / SaaS


Attack Timeline

| Timestamp (UTC) | Phase | Action |
|---|---|---|
| 2026-02-10 (Day -28) | Trigger Event | Employee receives offer from competitor; begins planning exfiltration |
| 2026-02-15 09:00:00 | Credential Harvesting | Accesses shared credentials in team password vault for elevated repos |
| 2026-02-15 10:30:00 | Reconnaissance | Searches SharePoint for "confidential," "roadmap," "architecture" |
| 2026-02-16 22:00:00 | Collection — Phase 1 | Bulk download of product roadmap documents from SharePoint (off-hours) |
| 2026-02-18 21:30:00 | Collection — Phase 2 | Downloads proprietary ML model source code from OneDrive shared folder |
| 2026-02-20 23:00:00 | Collection — Phase 3 | Exports customer database from internal admin tool |
| 2026-02-22 08:00:00 | Exfiltration — Phase 1 | Uploads 15GB to personal Google Drive via browser |
| 2026-02-24 22:00:00 | Exfiltration — Phase 2 | Uploads 28GB to personal Dropbox via desktop client |
| 2026-02-26 07:00:00 | Anti-Forensics | Clears browser history, downloads folder, and recycle bin |
| 2026-02-27 09:00:00 | Cover Tracks | Attempts to clear Office 365 unified audit log entries (fails — insufficient privileges) |
| 2026-02-28 14:00:00 | Resignation | Submits two-week notice to HR |
| 2026-03-01 10:00:00 | Detection | UEBA flags anomalous download volume; HR notifies security team |
| 2026-03-01 14:00:00 | Investigation | DLP retrospective analysis confirms exfiltration scope |

Technical Analysis

Phase 1: Shared Credential Access

The employee leverages shared team credentials stored in an internal password vault to access repositories beyond their normal scope.

# Credential access pattern (from Azure AD sign-in logs)
# The employee accesses the team's shared credential vault
# and uses a shared service account to access restricted repos

# Azure AD Sign-In Log:
# Timestamp: 2026-02-15T09:02:14Z
# User: rchen@novatech.example.com
# Application: Internal Password Vault (App ID: REDACTED)
# Status: Success
# IP: 10.20.5.44 (corporate VPN)

# Minutes later — sign-in with shared account:
# Timestamp: 2026-02-15T09:15:33Z
# User: svc-devops@novatech.example.com (shared account)
# Application: Azure DevOps
# Status: Success
# IP: 10.20.5.44 (same source — indicates credential reuse)
# Risk Level: None (legitimate account, legitimate IP)

Phase 2: Reconnaissance — SharePoint Search Activity

The employee conducts targeted searches across SharePoint to locate high-value documents.

# SharePoint search queries (from Microsoft 365 Unified Audit Log)
# Operation: SearchQueryPerformed
# UserId: rchen@novatech.example.com

# Search queries over 2-day window:
# 2026-02-15T10:30:00Z — "product roadmap 2026 2027 confidential"
# 2026-02-15T10:35:00Z — "ML model architecture proprietary"
# 2026-02-15T10:42:00Z — "customer list export database"
# 2026-02-15T11:00:00Z — "competitive analysis market strategy"
# 2026-02-15T11:15:00Z — "patent filing draft algorithm"
# 2026-02-15T14:22:00Z — "salary compensation benchmark"

# Normal search pattern for this user (prior 90 days):
# Average: 3-5 searches per day, all code/engineering related
# Anomaly: 12 searches in 5 hours targeting business-sensitive content

Phase 3: Bulk Data Collection from SharePoint and OneDrive

The employee downloads large volumes of files during off-hours to avoid attention.

# SharePoint/OneDrive file access logs (Unified Audit Log)
# Operation: FileDownloaded
# UserId: rchen@novatech.example.com

# Session 1 — 2026-02-16 22:00 to 23:45 (off-hours)
# Site: https://novatech.example.com/sites/ProductStrategy
# Files downloaded: 847 files
# Total size: 4.2 GB
# Content: Product roadmaps, competitive analysis, board presentations
# Client: OneDrive Sync Client (bulk sync enabled)

# Session 2 — 2026-02-18 21:30 to 23:00 (off-hours)
# Site: https://novatech.example.com/sites/Engineering
# Path: /Shared Documents/ML-Models/Proprietary/
# Files downloaded: 2,341 files
# Total size: 18.6 GB
# Content: ML model source code, training data, model weights
# Client: Browser (Microsoft Edge)

# Session 3 — 2026-02-20 23:00 to 00:30 (off-hours)
# Application: Internal Admin Portal (admin.novatech.example.com)
# Action: Customer database export (CSV)
# Records: 45,000 customer records
# Fields: Company name, contact email, contract value, renewal date
# Size: 22 MB
# Client: Browser (Microsoft Edge)

# Baseline comparison (prior 90-day average for this user):
# Average daily downloads: 12 files, 45 MB
# Anomaly: 3,188+ files, 22.8 GB over 3 sessions (500x baseline)

Phase 4: Data Exfiltration to Personal Cloud Storage

The employee uploads stolen data to personal cloud storage accounts not managed by the organization.

# Exfiltration via personal cloud storage
# Source: Corporate laptop 10.20.5.44

# Exfiltration 1 — Google Drive (browser upload)
# Timestamp: 2026-02-22 08:00 to 10:30
# Destination: drive.google.com (personal account)
# Proxy log:
#   POST https://drive.google.com/upload/resumable
#   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
#   Content-Length: varies (chunked upload)
#   Source IP: 10.20.5.44
#   Total uploaded: 15 GB across 94 upload sessions
#   SSL inspection: Enabled — DLP scanner MISSED (content was in ZIP archives)

# Exfiltration 2 — Dropbox (desktop client)
# Timestamp: 2026-02-24 22:00 to 2026-02-25 02:00
# Application: Dropbox.exe (personal installation on corporate laptop)
# Destination: dropbox.com
# Network traffic:
#   Destination IPs: 198.51.100.0/24 (Dropbox infrastructure — synthetic)
#   Protocol: HTTPS (TLS 1.3)
#   Total uploaded: 28 GB
#   Note: Dropbox desktop client was not on approved software list
#         but endpoint controls did not block installation

# Combined exfiltration: 43 GB of proprietary data

Phase 5: Anti-Forensics and Cover Tracks

The employee attempts to destroy evidence of their activities on the corporate laptop.

# Anti-forensics actions (reconstructed from endpoint forensics)
# Host: NOVATECH-RCHEN (10.20.5.44)

# Browser history clearing (2026-02-26 07:00):
# Microsoft Edge: Settings > Privacy > Clear browsing data
# Cleared: Browsing history, Download history, Cookies, Cached files
# Time range: "All time"

# Downloads folder cleanup:
# PowerShell (from Sysmon Event ID 1):
Remove-Item -Path "$env:USERPROFILE\Downloads\*" -Recurse -Force
# Recycle bin:
Clear-RecycleBin -Force

# Attempted audit log clearing (2026-02-27 09:00):
# Azure AD Audit Log:
# Operation: Set-AdminAuditLogConfig
# UserId: rchen@novatech.example.com
# Result: FAILED (insufficient privileges)
# Error: "You don't have permission to perform this action"

# USB device connection (from Windows Event Log):
# Event ID 2003 (USB device plugged in)
# Timestamp: 2026-02-25 20:00
# Device: USB Mass Storage — SanDisk Ultra 128GB
# Note: Additional copy to USB as backup exfiltration method

Detection Opportunities

KQL — UEBA: Anomalous File Download Volume

// Detect users downloading significantly more files than their baseline
OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation == "FileDownloaded"
| summarize
    DownloadCount = count(),
    TotalSizeMB = sum(tolong(FileSize)) / 1048576,
    UniqueSites = dcount(SiteUrl),
    OffHoursDownloads = countif(hourofday(TimeGenerated) < 7
        or hourofday(TimeGenerated) > 19)
    by UserId, bin(TimeGenerated, 1d)
| join kind=inner (
    OfficeActivity
    | where TimeGenerated between (ago(97d) .. ago(7d))   // 90-day baseline window
    | where Operation == "FileDownloaded"
    // Divide by 90.0, not 90: integer division truncates a low baseline to 0
    | summarize BaselineAvgDaily = count() / 90.0 by UserId
  ) on UserId
// Note: the inner join drops users with no baseline activity (e.g. new accounts)
| where DownloadCount > BaselineAvgDaily * 10
| project TimeGenerated, UserId, DownloadCount, BaselineAvgDaily,
    TotalSizeMB, OffHoursDownloads, Anomaly_Ratio = round(DownloadCount / BaselineAvgDaily, 1)
| sort by Anomaly_Ratio desc
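The same baseline-versus-recent comparison as the KQL query, as an added Python example (not part of the original scenario or its queries): it runs over constructed OfficeActivity-style records, so the sample data, user names and the peer account without a baseline are assumed for illustration. It also shows the inner-join blind spot: a user with no baseline window produces no verdict.

```python
"""UEBA-style download-volume check over constructed FileDownloaded records."""
from collections import defaultdict
from datetime import datetime, timedelta

def detect_download_anomalies(events, now, window_days=7, baseline_days=90, ratio=10):
    """events: iterable of (user, timestamp, file_size_bytes).
    Returns (user, day, downloads, size_mb, off_hours, ratio) for each user-day in
    the recent window whose count exceeds ratio x the user's baseline daily
    average, highest ratio first. Users without a baseline are skipped (inner join)."""
    recent_start = now - timedelta(days=window_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    recent = defaultdict(lambda: [0, 0, 0])   # (user, day) -> [count, bytes, off-hours]
    baseline = defaultdict(int)               # user -> downloads in baseline window
    for user, ts, size in events:
        if baseline_start <= ts < recent_start:
            baseline[user] += 1
        elif ts >= recent_start:
            bucket = recent[(user, ts.date().isoformat())]
            bucket[0] += 1
            bucket[1] += size
            bucket[2] += int(ts.hour < 7 or ts.hour > 19)   # same off-hours rule as the KQL
    findings = []
    for (user, day), (count, nbytes, off_hours) in recent.items():
        if user not in baseline:
            continue
        avg = baseline[user] / baseline_days          # float division, not integer
        if count > avg * ratio:
            findings.append((user, day, count, round(nbytes / 1048576, 1),
                             off_hours, round(count / avg, 1)))
    return sorted(findings, key=lambda f: f[5], reverse=True)

# Constructed sample: 90 days of 12 business-hours downloads for rchen, then the
# two off-hours collection sessions from the timeline, plus a peer with no baseline.
NOW = datetime(2026, 2, 21, 9, 0)
RCHEN, PEER = "rchen@novatech.example.com", "jdoe@novatech.example.com"
EVENTS = []
for d in range(8, 98):
    day10 = (NOW - timedelta(days=d)).replace(hour=10, minute=0)
    EVENTS += [(RCHEN, day10 + timedelta(minutes=i), 3_750_000) for i in range(12)]
EVENTS += [(RCHEN, datetime(2026, 2, 16, 22, 0) + timedelta(seconds=7 * i), 4_958_000) for i in range(847)]
EVENTS += [(RCHEN, datetime(2026, 2, 18, 21, 30) + timedelta(seconds=2 * i), 7_945_000) for i in range(2341)]
EVENTS += [(PEER, datetime(2026, 2, 17, 11, 0) + timedelta(minutes=i), 1_000_000) for i in range(10)]

if __name__ == "__main__":
    for row in detect_download_anomalies(EVENTS, NOW):
        print(row)
```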

KQL — SharePoint Sensitive Keyword Searches

// Detect searches for sensitive keywords in SharePoint
OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation == "SearchQueryPerformed"
| where SearchQuery has_any (
    "confidential", "proprietary", "roadmap", "strategy",
    "customer list", "salary", "patent", "acquisition",
    "trade secret", "competitive", "board presentation"
  )
| summarize
    SensitiveSearches = count(),
    Queries = make_set(SearchQuery),
    FirstSearch = min(TimeGenerated),
    LastSearch = max(TimeGenerated)
    by UserId
| where SensitiveSearches > 3
| sort by SensitiveSearches desc

KQL — Uploads to Personal Cloud Storage

// Detect uploads to personal cloud storage services
// RequestURL paths are only visible when the proxy performs TLS inspection
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceAction == "Allow"
| where RequestURL has_any (
    "drive.google.com/upload", "dropbox.com",
    "onedrive.live.com", "icloud.com",
    "mega.nz", "box.com/api/2.0/files/upload"
  )
| where ipv4_is_private(SourceIP)  // Internal source (RFC 1918 ranges)
| summarize
    UploadCount = count(),
    TotalBytesSent = sum(SentBytes),
    UniqueDestinations = make_set(RequestURL)
    by SourceUserName, SourceIP, bin(TimeGenerated, 1h)
| extend TotalGB = round(TotalBytesSent / 1073741824.0, 2)
| where TotalGB > 1
| sort by TotalGB desc

KQL — DLP: Bulk File Access Before Resignation

// Correlate high-volume file access with HR resignation events
let ResignationUsers = datatable(UserId:string, ResignationDate:datetime) [
    "rchen@novatech.example.com", datetime(2026-02-28)
    // Populate from HR system feed
];
OfficeActivity
| where Operation in ("FileDownloaded", "FileAccessed", "FileCopied")
| join kind=inner ResignationUsers on UserId
| where TimeGenerated between (ResignationDate - 30d .. ResignationDate)
| summarize
    FileAccesses = count(),
    UniqueFiles = dcount(OfficeObjectId),
    DataVolumeMB = sum(tolong(FileSize)) / 1048576
    by UserId, bin(TimeGenerated, 1d)
| sort by TimeGenerated asc

SPL — Anomalous SharePoint Download Volume

index=o365 sourcetype="o365:management:activity"
  Operation="FileDownloaded"
| stats count as downloads
        sum(FileSize) as total_bytes
        dc(SiteUrl) as unique_sites
        dc(SourceFileName) as unique_files
        by UserId _time span=1d
| eventstats avg(downloads) as avg_daily_downloads by UserId
| where downloads > avg_daily_downloads * 10
| eval total_gb = round(total_bytes / 1073741824, 2)
| sort -downloads

SPL — Personal Cloud Storage Upload Detection

index=proxy (sourcetype="squid" OR sourcetype="bluecoat")
  (cs_host="drive.google.com" OR cs_host="*.dropbox.com"
   OR cs_host="onedrive.live.com" OR cs_host="*.mega.nz")
  cs_method IN ("POST", "PUT")
| stats count as upload_requests
        sum(cs_bytes) as total_uploaded
        dc(cs_host) as cloud_services
        values(cs_host) as destinations
        by s_username src_ip
| eval uploaded_gb = round(total_uploaded / 1073741824, 2)
| where uploaded_gb > 0.5
| sort -uploaded_gb

SPL — USB Device Connection on Corporate Endpoints

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-driverframeworks-usermode/operational"
  EventCode=2003
| stats count as usb_events
        values(DeviceInstanceID) as devices
        by Computer User _time span=1d
| where usb_events > 0
| lookup hr_departures user AS User OUTPUT departure_date status
| where status="departing"
| sort _time

SPL — Off-Hours Data Access Pattern

index=o365 sourcetype="o365:management:activity"
  Operation IN ("FileDownloaded", "FileAccessed")
| eval hour = tonumber(strftime(_time, "%H"))
| where hour < 7 OR hour > 19
| stats count as off_hours_access
        dc(SourceFileName) as unique_files
        sum(FileSize) as total_bytes
        by UserId _time span=1d
| eventstats avg(off_hours_access) as baseline_avg by UserId
| where off_hours_access > baseline_avg * 5
| eval total_gb = round(total_bytes / 1073741824, 2)
| sort -off_hours_access

Response Playbook

Immediate Containment (0-2 hours)

  1. Disable employee's Azure AD account immediately upon confirmed exfiltration
  2. Revoke all active sessions and OAuth tokens across Microsoft 365
  3. Disable shared service accounts that were accessed (svc-devops)
  4. Block personal cloud storage domains at the proxy for the employee's endpoints
  5. Preserve forensic image of corporate laptop before return
  6. Engage legal counsel for intellectual property theft response

Investigation (2-48 hours)

  1. Pull complete Unified Audit Log for the employee's account (past 90 days)
  2. Analyze DLP logs for all data transfers to external destinations
  3. Review Azure AD sign-in logs for shared credential usage
  4. Forensically image the corporate laptop: Recover deleted files, browser artifacts, USB history
  5. Interview the employee's manager regarding access patterns and data sensitivity
  6. Assess data classification of all exfiltrated content

Remediation and Recovery

  1. Quantify the data loss: Catalog all exfiltrated files by sensitivity level
  2. Send legal preservation notice to the employee and their new employer
  3. File for TRO (Temporary Restraining Order) if trade secrets confirmed stolen
  4. Rotate all shared credentials the employee had access to
  5. Notify affected customers if customer PII was part of the exfiltration
  6. Implement DLP policies blocking bulk downloads and personal cloud uploads
  7. Deploy UEBA solution with HR integration for departure risk scoring
  8. Require security exit interview as part of offboarding process

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Scenario Phase |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | Legitimate employee credentials |
| Credential Access | T1078 | Valid Accounts | Shared service account from vault |
| Discovery | T1083 | File and Directory Discovery | SharePoint searches for sensitive docs |
| Collection | T1530 | Data from Cloud Storage | Bulk download from SharePoint/OneDrive |
| Collection | T1213.002 | Data from Information Repositories: SharePoint | Targeted document collection |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Upload to Google Drive and Dropbox |
| Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Attempted audit log clearing |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Browser history and downloads cleared |

Lessons Learned

  1. Insider threats bypass perimeter security entirely: The employee had legitimate access to all exfiltrated data. Traditional security controls focused on external threats provided no detection. Organizations must implement UEBA and DLP solutions that baseline normal user behavior and alert on deviations.

  2. Shared credentials eliminate accountability: The use of a shared svc-devops account obscured which individual accessed restricted repositories. Organizations should eliminate shared accounts and enforce individual identity with MFA for all service access.

  3. Off-hours activity patterns are strong insider threat indicators: All bulk downloads occurred outside business hours (10 PM - midnight). UEBA rules correlating access time with volume and sensitivity can detect this pattern before resignation is submitted.

  4. DLP must inspect archived content: The initial exfiltration to Google Drive used ZIP archives that bypassed content-based DLP inspection. DLP policies should decompress archives for inspection and flag encrypted archives being uploaded to personal cloud services.

  5. HR-Security integration is essential for insider threat detection: The security team was not notified until after the resignation was submitted. Integrating HR signals (performance reviews, disciplinary actions, competing offers) with security monitoring enables proactive risk scoring of employees most likely to exfiltrate data.

  6. Endpoint controls must enforce software allowlisting: The employee installed Dropbox desktop client on their corporate laptop without restriction. Application control policies preventing unauthorized software installation would have blocked this exfiltration channel.
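For lesson 4, an added Python example (not from the original page) of an archive-aware DLP check: it opens an uploaded ZIP in memory, treats encrypted members as uninspectable and therefore blocking, and scans readable members for classification markers. The markers, file names and the sample archive are assumed for illustration.

```python
import io
import zipfile

# Assumed classification labels a DLP policy would look for inside documents.
MARKERS = (b"CONFIDENTIAL", b"PROPRIETARY", b"INTERNAL USE ONLY")

def inspect_upload(blob, max_member_bytes=50_000_000):
    """Scan an upload body. 'block' is True when the body is a ZIP that contains
    an encrypted member (cannot be inspected, so treated as suspicious) or a
    member carrying a classification marker."""
    verdict = {"is_zip": False, "encrypted": [], "hits": {}, "block": False}
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return verdict                       # plain files go to the normal content scanner
    verdict["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:         # general-purpose bit 0: member is encrypted
                verdict["encrypted"].append(info.filename)
                continue
            if info.is_dir() or info.file_size > max_member_bytes:
                continue                     # cap decompression as a zip-bomb guard
            with zf.open(info) as fh:
                data = fh.read(max_member_bytes).upper()
            found = [m.decode() for m in MARKERS if m in data]
            if found:
                verdict["hits"][info.filename] = found
    verdict["block"] = bool(verdict["encrypted"] or verdict["hits"])
    return verdict

def build_sample(encrypt_first=False):
    """Constructed upload resembling the roadmap ZIP from the scenario.
    Python's zipfile cannot write password-protected members, so the encrypted
    variant is simulated by setting bit 0 of the first member's general-purpose
    flags in the central directory header, which is where readers look for it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("roadmap-2027.txt", "NovaTech product roadmap - CONFIDENTIAL - do not distribute")
        zf.writestr("readme.txt", "Exported on 2026-02-16")
    blob = bytearray(buf.getvalue())
    if encrypt_first:
        blob[blob.index(b"PK\x01\x02") + 8] |= 0x1   # flags sit 8 bytes into the CD header
    return bytes(blob)
```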


Cross-References