Investigating Unauthorized Exposure of HR Documents in Microsoft 365

Published on: March 16, 2026
Incident Type: Internal data exposure through SharePoint and OneDrive permissions
Environment: Microsoft 365 (SharePoint, OneDrive, Teams, Outlook Mobile)
Risk Category: Confidential HR and compensation documents
Systems Compromised: None

Executive Summary

Employees at a large enterprise reported that confidential HR documents appeared in search results when using the Files tab within Outlook mobile.

Search results for terms such as “salary” and “bonus” returned documents belonging to other employees, including compensation letters and financial records.

The discovery raised immediate concerns that sensitive employee data may have been broadly exposed across the organisation.

CyberQuell was engaged to determine:

  • whether the exposure resulted from a data breach
  • how confidential documents became accessible
  • whether external parties could access the files
  • what remediation actions were required

Following a detailed investigation of SharePoint permissions, OneDrive sharing configurations, and Microsoft 365 search indexing behaviour, CyberQuell determined that the exposure resulted from migration errors, permission inheritance, and legacy sharing links rather than malicious activity.

Client Environment

The organisation operates a Microsoft 365 collaboration environment supporting multiple business units and departments.

Core collaboration tools include:

  • Microsoft Teams for internal collaboration
  • SharePoint Online for document storage
  • OneDrive for personal file storage
  • Outlook mobile integration for file search and sharing

The organisation had previously migrated legacy file systems into Microsoft 365, including personal network drives and shared departmental folders.

As with many large environments, these migrations introduced a complex set of inherited permissions and historical sharing links.

Incident Trigger

The issue was discovered when an employee searched for the keyword “salary” within the Files tab of Outlook mobile.

The search results returned multiple documents containing employee compensation information. These included:

  • salary letters
  • bonus documentation
  • HR compensation records

Several of these documents belonged to other employees. Because these files should have been restricted to HR and specific managers, the discovery triggered an immediate security investigation.

Security Concern

At the time of discovery, several potential scenarios had to be considered:

  • a possible internal data breach
  • unauthorised insider access
  • compromised accounts accessing HR files
  • incorrect permissions within SharePoint or OneDrive

Because Microsoft 365 search can surface documents across multiple services, the organisation needed to determine how widely the files were accessible and whether external access was possible.

CyberQuell was engaged to determine the root cause of the exposure.

Exposure Anatomy

The investigation revealed that the exposure resulted from several overlapping configuration issues within the Microsoft 365 environment.

How the Exposure Occurred

Step 1 — Legacy Data Migration
Personal network drives were migrated into shared SharePoint folders rather than individual OneDrive accounts.

Step 2 — Permission Inheritance
SharePoint folders inherited permissions from broader team sites.

Step 3 — File Sharing Links
Some documents had previously been shared using link-based permissions.

Step 4 — Search Indexing
Microsoft 365 indexed the shared documents, making them discoverable through Outlook and Teams search.

Step 5 — Employee Discovery
Employees searching for compensation-related keywords discovered the overshared files.

Key Contributing Factors:

  • Incorrect migration of personal network drives into shared SharePoint sites
  • Permission inheritance across SharePoint folders
  • Legacy file sharing links created during collaboration
  • Microsoft 365 search indexing previously shared documents

Technical Root Cause Breakdown

Factor | Description
Migration Error | Personal network drive data migrated into shared SharePoint locations rather than individual OneDrive accounts
Permission Inheritance | SharePoint folders inherited permissions from larger team sites
Legacy Sharing Links | Historical sharing links remained active after files were moved
Search Indexing | Microsoft 365 search surfaced overshared documents across Teams and Outlook

CyberQuell Investigation

CyberQuell conducted a structured investigation focused on determining whether the exposure resulted from malicious activity or configuration issues.

Phase 1 — Incident Coordination

Security teams coordinated with:

  • SharePoint administrators
  • HR leadership
  • legal and compliance teams
  • affected business units

A centralised response channel was established to track findings and remediation efforts.

Phase 2 — Permission and Access Review

CyberQuell conducted a comprehensive review of:

  • SharePoint site membership
  • folder permission inheritance
  • OneDrive sharing configurations
  • historical sharing links
  • Microsoft 365 search indexing behaviour

The investigation identified several folders where access had been inherited from larger SharePoint team sites containing dozens of members.
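
The permission review described above can be run as a triage pass over an export of item permissions. The following is an added example, not CyberQuell's tooling: the records use the field names of Microsoft Graph driveItem permission objects (link.scope, inheritedFrom, grantedToV2), while every path, group name, group size and the 25-member threshold are constructed assumptions.

```python
# Added example: flag items reachable through broad links or inherited large groups.
SENSITIVE_TERMS = ("salary", "bonus", "compensation")  # keywords from this incident
BROAD_LINK_SCOPES = {"anonymous", "organization"}      # links not limited to named users
LARGE_GROUP = 25                                       # assumed threshold for a "large" group
GROUP_SIZES = {"Finance Members": 64, "HR Compensation": 6}  # constructed membership counts

def perm(group=None, inherited_from=None, link_scope=None):
    """Build one constructed permission record in the Graph 'permission' shape."""
    p = {"roles": ["read"]}
    if group:
        p["grantedToV2"] = {"siteGroup": {"displayName": group}}
    if inherited_from:
        p["inheritedFrom"] = {"path": inherited_from}
    if link_scope:
        p["link"] = {"scope": link_scope, "type": "view"}
    return p

ITEMS = [  # constructed sample export
    {"path": "/sites/Finance/Migrated/jdoe/Salary Letter 2025.pdf",
     "permissions": [perm("Finance Members", inherited_from="/sites/Finance")]},
    {"path": "/sites/Finance/Migrated/asmith/Bonus Plan.xlsx",
     "permissions": [perm(link_scope="organization")]},
    {"path": "/sites/HR/Compensation/Compensation Record 0042.docx",
     "permissions": [perm("HR Compensation")]},
    {"path": "/sites/Finance/Team/Meeting Notes.docx",
     "permissions": [perm("Finance Members", inherited_from="/sites/Finance")]},
]

def reasons_for(item, group_sizes):
    """List why an item is reachable beyond a small, explicitly granted audience."""
    reasons = []
    for p in item["permissions"]:
        scope = (p.get("link") or {}).get("scope")
        if scope in BROAD_LINK_SCOPES:
            reasons.append(f"link:{scope}")
        group = ((p.get("grantedToV2") or {}).get("siteGroup") or {}).get("displayName")
        if p.get("inheritedFrom") and group_sizes.get(group, 0) >= LARGE_GROUP:
            reasons.append(f"inherited:{group}")
    return reasons

def audit(items, group_sizes):
    """Return (sensitive, path, reasons) rows, sensitive file names first."""
    rows = []
    for item in items:
        reasons = reasons_for(item, group_sizes)
        if reasons:
            name = item["path"].rsplit("/", 1)[-1].lower()
            rows.append((any(t in name for t in SENSITIVE_TERMS), item["path"], reasons))
    return sorted(rows, key=lambda r: (not r[0], r[1]))

if __name__ == "__main__":
    for sensitive, path, reasons in audit(ITEMS, GROUP_SIZES):
        print("HIGH" if sensitive else "low ", path, reasons)
```

The HR record with a unique grant to a six-member group produces no finding, which is the state the remediation aims for on the other files.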

Phase 3 — Validation

Security teams tested access controls and confirmed that certain users could view files that were not intended for them.

This confirmed that the issue resulted from permission configuration rather than unauthorised access through compromised accounts.

CyberQuell’s Investigation Approach

When sensitive data appears unexpectedly in employee search results, the most critical question is whether the exposure resulted from misconfigured permissions or unauthorised access. CyberQuell approaches incidents like this with a structured investigation focused on three core areas:

Permission Analysis
SharePoint site membership, folder permission inheritance, and OneDrive sharing configurations were reviewed to identify where access had been granted beyond intended users.

Migration Audit
File migration records and SharePoint folder structures were analysed to determine whether sensitive data had been incorrectly placed in shared environments during legacy system migrations.

Access Validation
Access controls were tested to confirm which users could view sensitive files, establishing whether the exposure resulted from misconfiguration or unauthorised account access.

Key Findings

The investigation determined that the incident was caused by governance and configuration issues within Microsoft 365, not malicious activity.

Specifically:

  • personal drive migrations introduced sensitive files into shared environments
  • SharePoint permission inheritance expanded access beyond intended users
  • legacy sharing links remained active
  • Microsoft 365 search surfaced overshared files across applications

Remediation & Hardening

Immediate Actions

  • Restricting access to affected SharePoint folders
  • Removing unauthorised site members
  • Breaking permission inheritance on sensitive directories
  • Auditing legacy sharing links

Long-term Improvements

  • Strengthening migration governance procedures
  • Limiting broad sharing permissions
  • Implementing regular SharePoint permission audits
  • Deploying Data Loss Prevention policies for sensitive HR content

Business Impact

CyberQuell’s investigation helped the organisation quickly understand the scope and cause of the exposure.

The organisation was able to:

  • confirm that no external breach had occurred
  • identify the source of the file exposure
  • restrict access to sensitive HR documents
  • strengthen Microsoft 365 governance practices

This reduced the risk of further internal data exposure and improved the organisation’s ability to manage document permissions across its collaboration environment.

Key Lessons

  • Data exposure in Microsoft 365 often results from configuration issues rather than malicious attacks.
  • File migrations must be carefully validated to ensure sensitive data is placed in the correct locations.
  • Permission inheritance can unintentionally grant access to large groups of users.
  • Microsoft 365 search can surface documents that were previously overshared.

Frequently Asked Questions

Why did confidential HR files appear in Outlook mobile search?

Outlook mobile surfaces documents indexed by Microsoft 365 search. If files stored in SharePoint or OneDrive have broad permissions or active sharing links, they can appear in search results for users who technically have access — even if they were not intended to view the files.

Does file exposure in Microsoft 365 mean the environment was hacked?

Not necessarily. In many cases, the investigation confirms that the exposure resulted from configuration issues such as permission inheritance, migration errors, and legacy sharing links — with no compromised accounts or malicious access identified.

How can SharePoint permission inheritance cause data exposure?

In SharePoint, folders and files can inherit permissions from parent sites or directories. If a parent location grants access to a large group of users, that access can unintentionally extend to sensitive files stored within those folders.

Why do file migrations sometimes cause security issues?

During migrations from legacy file systems, personal or restricted files can accidentally be placed into shared collaboration environments. If permissions are not reviewed during migration, sensitive files may become accessible to broader groups than intended.

How can organisations prevent overshared files in Microsoft 365?

Organisations should implement regular permission audits, restrict anonymous sharing links, monitor SharePoint access policies, and establish governance processes for file migrations and sensitive data storage.

When should an organisation investigate potential Microsoft 365 data exposure?

If employees discover sensitive files belonging to other users, if documents appear unexpectedly in search results, or if permission changes occur without clear explanation, a structured investigation should be conducted to determine whether the issue results from misconfiguration or unauthorised access.

Why can employees suddenly see other people’s files in Microsoft 365?

Employees may see other users’ files in Microsoft 365 when documents stored in SharePoint or OneDrive have broader permissions than intended. This can occur due to permission inheritance from parent folders, legacy sharing links that remain active after files are moved, or files being migrated into shared environments rather than individual user storage.

In these situations, Microsoft 365 search can surface documents across applications such as Outlook, Teams, and SharePoint, making them visible to users who technically have access through inherited permissions.

How do you investigate a potential Microsoft 365 data exposure incident?

A structured investigation usually includes:

  • reviewing Azure AD authentication logs for suspicious sign-ins
  • analysing SharePoint and OneDrive file permissions
  • auditing sharing links and external sharing policies
  • examining mailbox and collaboration activity logs
  • identifying inherited permissions across SharePoint sites

This process helps determine whether the exposure resulted from misconfigured permissions, file migration issues, or compromised user accounts.
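
For the activity-log step in the list above, the practical question is who outside the intended audience actually opened the overshared files. The following is an added example, not CyberQuell's tooling: it uses unified audit log field names (Operation, UserId, ObjectId, CreationTime) with constructed records, a constructed tenant URL and a hypothetical INTENDED map of who should have access.

```python
# Added example: scope an internal exposure from file-activity audit records.
from collections import defaultdict

READ_OPS = {"FileAccessed", "FilePreviewed", "FileDownloaded"}
BASE = "https://example.sharepoint.com/sites/Finance/Migrated/"  # constructed tenant

# Hypothetical map: sensitive file -> users who are meant to have access.
INTENDED = {
    BASE + "jdoe/Salary Letter 2025.pdf": {"jdoe@example.com", "hr.lead@example.com"},
    BASE + "asmith/Bonus Plan.xlsx": {"asmith@example.com", "hr.lead@example.com"},
}

def rec(time, op, user, obj):
    """Build one constructed audit record."""
    return {"CreationTime": time, "Operation": op, "UserId": user, "ObjectId": BASE + obj}

AUDIT = [  # constructed sample records
    rec("2026-03-02T09:14:00", "FileAccessed", "jdoe@example.com", "jdoe/Salary Letter 2025.pdf"),
    rec("2026-03-09T16:41:30", "FileDownloaded", "mlee@example.com", "jdoe/Salary Letter 2025.pdf"),
    rec("2026-03-09T16:40:12", "FilePreviewed", "mlee@example.com", "jdoe/Salary Letter 2025.pdf"),
    rec("2026-03-10T08:05:00", "FilePreviewed", "tkhan@example.com", "asmith/Bonus Plan.xlsx"),
    rec("2026-03-10T08:07:00", "FileModified", "asmith@example.com", "asmith/Bonus Plan.xlsx"),
    rec("2026-03-10T11:00:00", "FileAccessed", "hr.lead@example.com", "asmith/Bonus Plan.xlsx"),
]

def scope_exposure(records, intended):
    """Map each sensitive file to the unintended users who read it, and how."""
    exposure = defaultdict(dict)
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        allowed = intended.get(r["ObjectId"])
        if allowed is None or r["Operation"] not in READ_OPS:
            continue  # not a tracked file, or not a read-type operation
        user = r["UserId"].lower()
        if user in allowed:
            continue  # expected access by the owner or HR
        entry = exposure[r["ObjectId"]].setdefault(
            user, {"first_seen": r["CreationTime"], "operations": set()})
        entry["operations"].add(r["Operation"])
    return dict(exposure)

def downloaded_by(exposure):
    """Users who took a copy: follow-up is needed beyond fixing permissions."""
    return sorted({u for users in exposure.values()
                   for u, e in users.items() if "FileDownloaded" in e["operations"]})

if __name__ == "__main__":
    found = scope_exposure(AUDIT, INTENDED)
    print(found, downloaded_by(found))
```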

What is the most common cause of internal data exposure in Microsoft 365?

The most common cause of internal data exposure in Microsoft 365 is not external attackers, but misconfigured permissions and file sharing practices. Typical causes include:

  • files placed in shared SharePoint locations during migrations
  • permission inheritance granting access to large groups
  • documents shared using broad “anyone with the link” permissions
  • legacy sharing links that remain active after files are moved
  • collaboration tools indexing previously shared documents

When should a company bring in external experts for a Microsoft 365 security incident?

Organisations should consider external investigation when sensitive data appears in unexpected locations, when employees gain access to documents outside their role, or when security teams cannot quickly determine whether an incident results from misconfiguration or a potential breach.

External specialists can perform forensic analysis of authentication logs, file permissions, sharing configurations, and collaboration activity to confirm whether a compromise occurred and help prevent similar incidents in the future.

How can CyberQuell help investigate Microsoft 365 data exposure?

CyberQuell conducts structured investigations of Microsoft 365 environments to determine whether data exposure results from configuration issues, permission mismanagement, or potential account compromise. This includes reviewing authentication logs, file permissions, sharing links, and collaboration platform configurations.
