The whole SharePoint left through Graph
Once an attacker holds broad Microsoft Graph access, your SharePoint and OneDrive are just an API away. No malware, no download click, gigabytes of documents gone. Here is the exfil path, and the fix.
There is no endpoint to catch this one. The documents leave through the same API your apps use all day.
What it is
Microsoft 365 stores the organization's documents in SharePoint and OneDrive, and both are reachable through the Microsoft Graph API (the /sites, /drives and /drives/{id}/root/children endpoints exist precisely to enumerate and read them). An attacker holding a compromised privileged user, or an OAuth app granted the broad Sites.Read.All or Files.Read.All permission, enumerates every site and drive and downloads their contents in bulk, programmatically. In ATT&CK terms this is T1078 (valid accounts) combined with T1213 (data from information repositories) and T1567 (exfiltration over a web service).
Why it works
Graph is the normal way apps read M365 data, so bulk reads blend in with legitimate traffic, and an application-permission grant belongs to the app's service principal, so it survives the user's password reset and even the user's removal. Nothing runs on an endpoint, so EDR has nothing to see.
How to detect it
In the unified audit log, look for FileDownloaded and FileSyncDownloaded at high volume from a single identity or application, touching many sites in a short window (app-only access shows up under the application id rather than a real user), plus broad site enumeration. In the AzureActiveDirectory workload of the same log, watch for a newly consented app ("Consent to application", "Add app role assignment to service principal") receiving Sites.* or Files.* application permissions. Weight all of this by baseline: an identity or app that has never bulk-read before is the one to page on.
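The two checks above, run over sample audit records, as an added example (not code from the original post). It assumes a line-per-record JSON export of unified audit log AuditData; the field names used (CreationTime, Operation, Workload, UserId, ApplicationId, SiteUrl, ModifiedProperties) exist in real exports, but the sample records, the app id and the thresholds are constructed for illustration. In a real tenant, set the thresholds from the actor's own history rather than a fixed number.

```python
"""Flag Graph-driven bulk SharePoint/OneDrive reads and broad application
permission grants in unified audit log (UAL) records.

Added example. Record shapes are simplified from real UAL AuditData and the
sample log below is constructed, not tenant data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BULK_READ_OPS = {"FileDownloaded", "FileSyncDownloaded"}
BROAD_APP_PERMS = {
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
    "Files.Read.All", "Files.ReadWrite.All",
}
GRANT_OP = "Add app role assignment to service principal"

_SITES = [
    "https://contoso.sharepoint.com/sites/finance",
    "https://contoso.sharepoint.com/sites/legal",
    "https://contoso.sharepoint.com/sites/hr",
    "https://contoso-my.sharepoint.com/personal/bob_contoso_com",
]
_APP_ID = "00000000-0000-0000-0000-00000000aaaa"  # constructed app id


def _rec(**fields):
    return json.dumps(fields)


# Constructed sample export, one JSON record per line. App-only SharePoint
# access is assumed to log the generic UserId "app@sharepoint" plus ApplicationId.
SAMPLE_LOG = "\n".join(
    [_rec(CreationTime=f"2024-05-01T09:0{i}:00", Operation="FileDownloaded",
          Workload="SharePoint", UserId="app@sharepoint", ApplicationId=_APP_ID,
          SiteUrl=_SITES[i % 4],
          ObjectId=f"{_SITES[i % 4]}/Shared Documents/doc{i}.docx")
     for i in range(8)]
    + [_rec(CreationTime="2024-05-01T09:03:00", Operation="FileDownloaded",
            Workload="SharePoint", UserId="alice@contoso.com", SiteUrl=_SITES[0],
            ObjectId=f"{_SITES[0]}/Shared Documents/budget.xlsx"),
       _rec(CreationTime="2024-05-01T09:20:00", Operation="FileSyncDownloaded",
            Workload="SharePoint", UserId="alice@contoso.com", SiteUrl=_SITES[0],
            ObjectId=f"{_SITES[0]}/Shared Documents/forecast.xlsx"),
       _rec(CreationTime="2024-05-01T08:40:00", Operation=GRANT_OP,
            Workload="AzureActiveDirectory", UserId="admin@contoso.com",
            ObjectId="Contoso Reporting",
            ModifiedProperties=[{"Name": "AppRole.Value",
                                 "NewValue": "\"Sites.Read.All\""}])]
)


def parse_records(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_bulk_readers(records, window=timedelta(minutes=60),
                      max_files=50, max_sites=5):
    """Return {actor: {"files": n, "sites": m}} for actors whose download
    events inside any sliding `window` exceed either threshold. The actor is
    the ApplicationId for app-only access, otherwise the user principal."""
    per_actor = defaultdict(list)
    for r in records:
        if r.get("Workload") == "SharePoint" and r.get("Operation") in BULK_READ_OPS:
            actor = r.get("ApplicationId") or r["UserId"]
            per_actor[actor].append(
                (datetime.fromisoformat(r["CreationTime"]), r["SiteUrl"]))
    hits = {}
    for actor, events in per_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            files = end - start + 1
            sites = len({site for _, site in events[start:end + 1]})
            if files > max_files or sites > max_sites:
                worst = hits.get(actor, {"files": 0, "sites": 0})
                hits[actor] = {"files": max(files, worst["files"]),
                               "sites": max(sites, worst["sites"])}
    return hits


def find_broad_grants(records):
    """Return [(service principal, permission, granted by)] for app role
    assignments that hand out tenant-wide SharePoint/OneDrive access."""
    grants = []
    for r in records:
        if r.get("Operation") != GRANT_OP:
            continue
        for prop in r.get("ModifiedProperties", []):
            # UAL stores NewValue as a JSON-encoded string, hence the quotes.
            value = str(prop.get("NewValue", "")).strip('"')
            if prop.get("Name") == "AppRole.Value" and value in BROAD_APP_PERMS:
                grants.append((r.get("ObjectId"), value, r.get("UserId")))
    return grants


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    # Thresholds lowered to fit the constructed sample; tune from your baseline.
    print("bulk readers:", find_bulk_readers(recs, max_files=5, max_sites=3))
    print("broad grants:", find_broad_grants(recs))
```

Correlating the two results is the point: an app that received Sites.Read.All at 08:40 and is pulling from four sites twenty minutes later is the pattern this post describes, and neither signal alone is conclusive.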
The fix that holds
Restrict user consent so that application permission grants require admin approval, grant Graph permissions at the least scope that works (Sites.Selected over Sites.Read.All where the app only needs a few sites), and alert on bulk downloads and broad app grants. Apply conditional access to workload identities, use sensitivity labels with DLP, and limit who holds broad SharePoint administration. Treat a confirmed bulk pull as a data breach and scope it from the audit log: which actor, which sites, which files.
Practice it
We built a SharePoint and OneDrive mass-exfiltration scenario in GraphLattice Range so teams learn to catch the Graph-driven pull and scope the exposure.