Executive Summary
Employees at a large enterprise reported that confidential HR documents appeared in search results when using the Files tab within Outlook mobile.
Search results for terms such as “salary” and “bonus” returned documents belonging to other employees, including compensation letters and financial records.
The discovery raised immediate concerns that sensitive employee data may have been broadly exposed across the organisation.
CyberQuell was engaged to determine:
- whether the exposure resulted from a data breach
- how confidential documents became accessible
- whether external parties could access the files
- what remediation actions were required
Following a detailed investigation of SharePoint permissions, OneDrive sharing configurations, and Microsoft 365 search indexing behaviour, CyberQuell determined that the exposure resulted from migration errors, permission inheritance, and legacy sharing links rather than malicious activity.
Client Environment
The organisation operates a Microsoft 365 collaboration environment supporting multiple business units and departments.
Core collaboration tools include:
- Microsoft Teams for internal collaboration
- SharePoint Online for document storage
- OneDrive for personal file storage
- Outlook mobile integration for file search and sharing
The organisation had previously migrated legacy file systems into Microsoft 365, including personal network drives and shared departmental folders.
As with many large environments, these migrations introduced a complex set of inherited permissions and historical sharing links.
Incident Trigger
The issue was discovered when an employee searched for the keyword “salary” within the Files tab of Outlook mobile.
The search results returned multiple documents containing employee compensation information. These included:
- salary letters
- bonus documentation
- HR compensation records
Several of these documents belonged to other employees. Because these files should have been restricted to HR and specific managers, the discovery triggered an immediate security investigation.
Security Concern
At the time of discovery, several potential scenarios had to be considered:
- a possible internal data breach
- unauthorised insider access
- compromised accounts accessing HR files
- incorrect permissions within SharePoint or OneDrive
Because Microsoft 365 search can surface documents across multiple services, the organisation needed to determine how widely the files were accessible and whether external access was possible.
CyberQuell was engaged to determine the root cause of the exposure.
Exposure Anatomy
The investigation revealed that the exposure resulted from several overlapping configuration issues within the Microsoft 365 environment.
Key contributing factors included:
- incorrect migration of personal network drives into shared SharePoint sites
- permission inheritance across SharePoint folders
- legacy file sharing links created during collaboration
- Microsoft 365 search indexing previously shared documents
Together, these factors allowed sensitive HR documents to appear in search results for users who should not have been able to view them.
Technical Root Cause Breakdown
How the Exposure Occurred
Step 1 - Legacy Data Migration
Personal network drives were migrated into shared SharePoint folders rather than individual OneDrive accounts.
Step 2 - Permission Inheritance
SharePoint folders inherited permissions from broader team sites.
Step 3 - File Sharing Links
Some documents had previously been shared using link-based permissions.
Step 4 - Search Indexing
Microsoft 365 indexed the shared documents, making them discoverable through Outlook and Teams search.
Step 5 - Employee Discovery
Employees searching for compensation-related keywords discovered the overshared files.
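The chain in Steps 1 to 4 can be reproduced as a small permission audit. This is an added example, not CyberQuell's tooling or part of the original case study. All paths, group names, users and the link scope label are constructed, and an organisation-scoped sharing link is assumed to make the item reachable by every account.

```python
# Constructed sample data modelling a permission export; not real tenant output.
GROUPS = {"HR": {"hr.lead", "hr.analyst"},
          "Sales Site Members": {"alice", "bob", "carol", "dave"}}
ALL_STAFF = set().union(*GROUPS.values()) | {"erin"}
# path -> (has_unique_permissions, groups granted directly on this node)
NODES = {
    "/sites/sales": (True, {"Sales Site Members"}),
    "/sites/sales/Migrated": (False, set()),          # Step 1: personal drive landed here
    "/sites/sales/Migrated/jsmith": (False, set()),
    "/sites/sales/Migrated/jsmith/salary_letter.docx": (False, set()),
    "/sites/hr/Comp": (True, {"HR"}),
    "/sites/hr/Comp/bonus_2023.xlsx": (False, set()),
    "/sites/hr/Comp/policy.docx": (False, set()),
}
# Step 3: legacy sharing links (hypothetical scope label), path -> scope
LINKS = {"/sites/hr/Comp/bonus_2023.xlsx": "organization"}
SENSITIVE = ["/sites/sales/Migrated/jsmith/salary_letter.docx",
             "/sites/hr/Comp/bonus_2023.xlsx", "/sites/hr/Comp/policy.docx"]

def permission_source(path):
    """Step 2: walk up to the nearest ancestor that holds unique permissions."""
    while not NODES[path][0]:
        path = path.rsplit("/", 1)[0]
    return path

def effective_readers(path):
    """Return (users, reasons): who can reach the item and through which path."""
    src = permission_source(path)
    users, reasons = set(), []
    for group in NODES[src][1]:
        users |= GROUPS[group]
    if src != path:
        reasons.append(f"inherits from {src}")
    if LINKS.get(path) == "organization":
        users |= ALL_STAFF
        reasons.append("organization-wide sharing link")
    return users, reasons

def audit(sensitive_paths, intended):
    """Flag sensitive items reachable by anyone outside the intended audience."""
    findings = {}
    for path in sensitive_paths:
        users, reasons = effective_readers(path)
        extra = users - intended
        if extra:
            findings[path] = (sorted(extra), reasons)
    return findings
```

Calling `audit(SENSITIVE, GROUPS["HR"])` flags the migrated salary letter through inheritance and the bonus sheet through its link, while the HR-only policy file produces no finding.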
CyberQuell Investigation
CyberQuell conducted a structured investigation focused on determining whether the exposure resulted from malicious activity or configuration issues.
Phase 1 - Incident Coordination
Security teams coordinated with:
- SharePoint administrators
- HR leadership
- legal and compliance teams
- affected business units
A centralised response channel was established to track findings and remediation efforts.
Phase 2 - Permission and Access Review
CyberQuell conducted a comprehensive review of:
- SharePoint site membership
- folder permission inheritance
- OneDrive sharing configurations
- historical sharing links
- Microsoft 365 search indexing behaviour
The investigation identified several folders where access had been inherited from larger SharePoint team sites containing dozens of members.
Phase 3 - Validation
Security teams tested access controls and confirmed that certain users could view files that were not intended for them.
This confirmed that the issue resulted from permission configuration rather than unauthorised access through compromised accounts.
CyberQuell’s Investigation Approach
When sensitive data appears unexpectedly in employee search results, the most critical question is whether the exposure resulted from misconfigured permissions or unauthorised access. CyberQuell approaches incidents like this with a structured investigation focused on three core areas:
Key Findings
The investigation determined that the incident was caused by governance and configuration issues within Microsoft 365, not malicious activity.
Specifically:
- personal drive migrations introduced sensitive files into shared environments
- SharePoint permission inheritance expanded access beyond intended users
- legacy sharing links remained active
- Microsoft 365 search surfaced overshared files across applications
Remediation & Hardening
Following the investigation, CyberQuell recommended several improvements to reduce the risk of future data exposure:
- Restricting access to affected SharePoint folders
- Removing unauthorised site members
- Breaking permission inheritance on sensitive directories
- Auditing legacy sharing links
- Strengthening migration governance procedures
- Limiting broad sharing permissions
- Implementing regular SharePoint permission audits
- Deploying Data Loss Prevention policies for sensitive HR content
Business Impact
CyberQuell’s investigation helped the organisation quickly understand the scope and cause of the exposure.
The organisation was able to:
- confirm that no external breach had occurred
- identify the source of the file exposure
- restrict access to sensitive HR documents
- strengthen Microsoft 365 governance practices
This reduced the risk of further internal data exposure and improved the organisation’s ability to manage document permissions across its collaboration environment.
Why This Incident Matters
Many organisations assume that data exposure requires a malicious attacker.
In practice, a large percentage of internal data exposures occur through misconfigured permissions, migration errors, and legacy sharing links.
Modern collaboration platforms make it easy to share files across teams, but without strong governance controls, sensitive information can become accessible in unexpected ways.
This incident highlights the importance of permission governance and visibility within Microsoft 365 environments.
Key Lessons
Data exposure in Microsoft 365 often results from configuration issues rather than malicious attacks.
File migrations must be carefully validated to ensure sensitive data is placed in the correct locations.
Permission inheritance can unintentionally grant access to large groups of users.
Microsoft 365 search can surface documents that were previously overshared.

