16.4 Identifying Exfiltration Channels

3-5 hours · Module 16


Downloading files from SharePoint is not exfiltration — it is normal work. Exfiltration is the transfer of those files out of the organisation’s control. Each exfiltration channel has different telemetry.


Channel 1: Personal cloud storage

// File uploads to personal cloud storage services
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where InitiatingProcessAccountName == "m.chen"
| where RemoteUrl has_any ("dropbox.com", "drive.google.com", "icloud.com",
    "box.com", "mega.nz", "onedrive.live.com", "wetransfer.com",
    "sendanywhere.com", "filemail.com")
| project TimeGenerated, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

What to look for: Browser-based uploads (InitiatingProcessFileName = “chrome.exe” or “msedge.exe”) to personal cloud storage domains. Also check for desktop sync clients: “Dropbox.exe,” “googledrivesync.exe,” or “OneDrive.exe” connecting to personal (not corporate) OneDrive.

DLP correlation: If Purview DLP policies are configured (Module 3), check for DLP policy matches on the same files:

// DLP alerts correlated with Marcus' file transfers
CloudAppEvents
| where TimeGenerated > ago(30d)
| where AccountDisplayName == "Marcus Chen"
| where ActionType has "DlpRule"
| project TimeGenerated, ActionType, PolicyName = tostring(parse_json(RawEventData).PolicyName),
    FileName = tostring(parse_json(RawEventData).SourceFileName)

Channel 2: USB devices

// USB device connections and file transfers
DeviceEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where ActionType in ("UsbDriveMounted", "RemovableStoragePolicyTriggered")
// AdditionalFields is a JSON string carrying the device description and, for policy
// triggers, the file details; parse it once rather than casting the whole blob into
// two identical columns
| extend Details = parse_json(AdditionalFields)
| project TimeGenerated, ActionType, Details
| order by TimeGenerated desc

Cross-reference USB mount times with DeviceFileEvents showing file writes to non-system drives (subsection 16.3 Step 4). A USB mount at 22:00 followed by file writes to the USB drive is a strong exfiltration indicator — especially if the files match the bulk downloads from SharePoint.


Channel 3: Personal email

// Emails from Marcus to non-corporate addresses with attachments
EmailEvents
| where TimeGenerated > ago(30d)
| where SenderFromAddress == "m.chen@northgateeng.com"
| where RecipientEmailAddress !endswith "@northgateeng.com"
// one row per (message, attachment); columns present on both sides keep the EmailEvents value
| join kind=inner (
    EmailAttachmentInfo
    | where TimeGenerated > ago(30d)
) on NetworkMessageId
| project TimeGenerated, RecipientEmailAddress, Subject, FileName, FileSize
| order by TimeGenerated desc

What to look for: Emails to personal addresses (gmail.com, outlook.com, yahoo.com) with attachments — especially if the attachment file names match the files downloaded from SharePoint. Also check for emails to the competitor’s domain (if known).


Channel 4: Print

// Print events from Marcus' device
DeviceEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where ActionType == "PrintJobCreated"
// the document and printer names sit inside the AdditionalFields JSON string;
// parse it once instead of casting the same blob into two identical columns
| extend Details = parse_json(AdditionalFields)
| project TimeGenerated, Details
| order by TimeGenerated desc

Printing is a low-tech exfiltration method that bypasses all digital controls. If Marcus printed proprietary design documents, the physical copies leave the building. Detection depends on Defender for Endpoint’s print monitoring capability.


Channel 5: Screen capture and photography

There is no reliable telemetry for photographing a screen with a phone. Screen capture (screenshot tools, screen recording software) may appear in DeviceProcessEvents:

// Screen capture tools
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where DeviceName == "LAPTOP-NGE027"
| where ProcessCommandLine has_any ("snipping", "screenshot", "screencapture",
    "obs", "camtasia", "sharex", "greenshot")
| project TimeGenerated, FileName, ProcessCommandLine

Limitation: This is the least detectable exfiltration channel. A user who photographs their screen with a personal phone leaves no M365 telemetry. This is why preventive controls (DLP, USB blocking) and deterrent controls (acceptable use policy, security awareness) exist — to prevent the exfiltration before it happens, because detection after the fact may be impossible.


Compile the exfiltration channel assessment

Channel                  | Evidence found                   | Volume        | Files
Personal cloud (Dropbox) | Yes — 3 upload sessions          | ~200MB        | Design specs, pricing
USB device               | Yes — mounted 30 Mar 22:00       | ~450MB        | CAD drawings
Personal email           | Yes — 2 emails to gmail          | 5 attachments | Client contact lists
Print                    | No evidence                      |               |
Screen capture           | No evidence (low detectability)  |               |

Subsection artifact: The 5 exfiltration channel queries and the channel assessment table. These form the exfiltration analysis section of your insider threat investigation playbook.




Correlating across channels — building the exfiltration narrative

Individual channel findings are indicators. The narrative emerges when you correlate across channels:

Stage 1: Reconnaissance (SharePoint). Marcus accesses the Design Archive site (not in his baseline) and downloads 67 product specification files over 3 days.

Stage 2: Staging (Local device). DeviceFileEvents shows the 67 files moved from the Downloads folder to a folder named “Personal” on the Desktop. This is staging — organising files for transfer.

Stage 3: Transfer (USB + Cloud). On 30 March at 22:00, a USB drive is mounted. 45 of the 67 files are copied to the USB. The remaining 22 files (too large for USB) are uploaded to a personal Dropbox account the following morning.

Stage 4: Cleanup (Email). Marcus sends 5 emails with attachments to his personal Gmail — the client contact lists that were not included in the USB or Dropbox transfers.

The exfiltration narrative for the IR report: “Between 25-31 March, Marcus Chen downloaded 67 proprietary product specification files from the Design Archive (outside his normal access scope). He staged the files locally, transferred 45 to a USB device during after-hours, uploaded 22 to personal Dropbox cloud storage, and emailed 5 client contact lists to his personal Gmail. The exfiltration used three separate channels, suggesting deliberate planning to maximise the data transferred before his departure on 15 April.”

This narrative — supported by timestamped evidence from 4 data sources — is what HR and legal need to make their decision. It is factual, chronological, and does not speculate about intent. The pattern speaks for itself.

// Build the exfiltration timeline: all channels combined
let User = "Marcus Chen";
let Device = "LAPTOP-NGE027";
let Lookback = 30d;
union
    (CloudAppEvents | where TimeGenerated > ago(Lookback)
        | where AccountDisplayName == User
        | where ActionType in ("FileDownloaded", "FileCopied")
        | extend Channel = "SharePoint/OneDrive"
        | project TimeGenerated, Channel,
            Detail = tostring(parse_json(RawEventData).SourceFileName)),
    (DeviceFileEvents | where TimeGenerated > ago(Lookback)
        | where DeviceName == Device
        | where InitiatingProcessAccountName == "m.chen"
        // file writes to any drive letter other than C: (removable media in this environment)
        | where FolderPath matches regex @"^[D-Z]:\\"
        | extend Channel = "USB"
        | project TimeGenerated, Channel, Detail = FileName),
    (DeviceNetworkEvents | where TimeGenerated > ago(Lookback)
        | where DeviceName == Device
        | where RemoteUrl has_any ("dropbox.com", "drive.google.com")
        | extend Channel = "Cloud Storage"
        | project TimeGenerated, Channel, Detail = RemoteUrl),
    (EmailEvents | where TimeGenerated > ago(Lookback)
        | where SenderFromAddress == "m.chen@northgateeng.com"
        | where RecipientEmailAddress !endswith "@northgateeng.com"
        | extend Channel = "Personal Email"
        | project TimeGenerated, Channel, Detail = Subject)
| order by TimeGenerated asc

This combined timeline query is the single most valuable query in an insider threat investigation. It shows every data movement across every channel in chronological order — the complete exfiltration story in one view.
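As an added example that is not part of the course material, the following Python implements the cross-channel correlation the narrative above describes (download, then transfer via USB, cloud or email), including the mount-then-write check from Channel 2, and derives the counts behind the channel assessment table. The business hours, the 2-hour mount window and the sample events are assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumptions (not from the course): business hours are 08:00-18:00, and a USB write within
# 2 hours of a UsbDriveMounted event is attributed to that mount.
BUSINESS_START, BUSINESS_END = 8, 18
MOUNT_WINDOW = timedelta(hours=2)

# Constructed sample events, not real telemetry: (timestamp, channel, action, file or None)
EVENTS = [
    ("2024-03-27 09:12", "SharePoint", "FileDownloaded", "pump_spec_v3.pdf"),
    ("2024-03-27 09:13", "SharePoint", "FileDownloaded", "valve_assembly.dwg"),
    ("2024-03-27 09:15", "SharePoint", "FileDownloaded", "client_contacts.xlsx"),
    ("2024-03-30 22:00", "USB", "UsbDriveMounted", None),
    ("2024-03-30 22:05", "USB", "FileCreated", "valve_assembly.dwg"),
    ("2024-03-31 08:40", "Cloud Storage", "Upload", "pump_spec_v3.pdf"),
    ("2024-03-31 11:10", "Personal Email", "Attachment", "client_contacts.xlsx"),
    ("2024-03-31 12:00", "USB", "FileCreated", "holiday_photos.zip"),  # benign control case
]

def parse(events):
    rows = [(datetime.strptime(t, "%Y-%m-%d %H:%M"), ch, act, f) for t, ch, act, f in events]
    return sorted(rows, key=lambda r: r[0])

def after_hours(ts):
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)

def correlate(events):
    """File name -> list of (channel, timestamp, flags) for every outbound transfer."""
    rows = parse(events)
    downloaded = {f for _, ch, _, f in rows if ch == "SharePoint"}
    mounts = [ts for ts, _, act, _ in rows if act == "UsbDriveMounted"]
    transfers = {}
    for ts, ch, act, f in rows:
        if ch == "SharePoint" or f is None:   # downloads and mount events are context, not transfers
            continue
        flags = [name for name, hit in (
            ("matches SharePoint download", f in downloaded),
            ("within window of USB mount", ch == "USB" and any(timedelta(0) <= ts - m <= MOUNT_WINDOW for m in mounts)),
            ("after hours", after_hours(ts)),
        ) if hit]
        transfers.setdefault(f, []).append((ch, ts, flags))
    return transfers

def channel_assessment(transfers):
    """Channel -> count of downloaded files that left through it (the assessment table)."""
    return dict(Counter(ch for hits in transfers.values()
                        for ch, _, flags in hits if "matches SharePoint download" in flags))
```

Running `correlate(EVENTS)` flags the 22:05 USB write as a downloaded file written after hours within the mount window, while the benign write the next day carries no flags.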

Check your understanding

1. Marcus mounted a USB drive at 22:00 (outside business hours) and copied 450MB of CAD drawings. What does the timing tell you?

Answer: After-hours USB transfer of proprietary files is a strong exfiltration indicator. The timing suggests Marcus wanted to avoid observation. The file types (CAD drawings) are proprietary IP. Combined with the resignation context and the bulk downloads from SharePoint earlier in the week, this pattern — bulk download → staging → after-hours USB transfer — is consistent with deliberate data theft. Present to HR and legal with the complete timeline.

Incorrect options:
Working late is normal — ignore the timing
USB transfers are always malicious
Only investigate if the files are classified