When eDiscovery becomes an exfil engine: Purview mass export abuse
Purview eDiscovery searches and exports across every mailbox, SharePoint, and OneDrive. An insider with the role can run a data theft that looks just like a legal hold.
Microsoft Purview eDiscovery is built to search and export across every mailbox, SharePoint, and OneDrive, which is exactly what an exfiltration actor wants, wrapped in a sanctioned compliance workflow.
How the attack works
An actor is added to the eDiscovery Manager role group, gaining cross-content search and export capability. They create a new case and run a content search across all mailboxes, SharePoint, and OneDrive with broad keyword and date scope, then export the matching results to a download package. The package pulls message bodies, attachments, and documents at scale and is downloaded, removing a large cross-source data set from tenant controls. This maps to Email Collection (T1114) and Data from Information Repositories (T1213).
Why it works
The tooling is sanctioned and runs under a privileged role, so the activity looks like legitimate legal hold work. eDiscovery and compliance roles are powerful and often loosely assigned, and a freshly granted role spinning up an org-wide search and immediately exporting, with no matching legal matter, is the only clear tell.
How to fix it
Waiting to capture the full export package only lets the data finish leaving. Remove the actor from the eDiscovery role group, halt the running search and any in-progress export, and revoke the actor’s sessions so they cannot relaunch. Do not delete all cases, which destroys legitimate matters and evidence. For the durable fix, minimize eDiscovery and compliance role membership, require approval tied to a tracked matter to create cases, and alert on new cases, broad searches, and exports.
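The alerting called for above, as an added example that is not part of the original post: a small correlator over constructed, simplified audit records that flags an export when at least two of the page's tells line up (eDiscovery role granted shortly before, case with no tracked matter, org-wide search scope). The operation names (Add-RoleGroupMember, CaseAdded, SearchCreated, SearchExported) follow Purview's audited eDiscovery activities as assumed here; the flat field layout and the matter_id field are assumptions, since real unified audit log records nest these details differently.

```python
from datetime import datetime, timedelta

EDISCOVERY_ROLES = {"eDiscovery Manager", "eDiscovery Administrator"}

# Constructed sample records (assumption: simplified shape, real records carry more fields).
SAMPLE_EVENTS = [
    # Freshly granted role, untracked case, org-wide search, export 40 minutes later.
    {"t": "2024-05-01T08:00:00", "op": "Add-RoleGroupMember", "user": "admin@contoso.example",
     "role": "eDiscovery Manager", "member": "j.doe@contoso.example"},
    {"t": "2024-05-01T08:20:00", "op": "CaseAdded", "user": "j.doe@contoso.example",
     "case": "Case 1", "matter_id": ""},
    {"t": "2024-05-01T08:25:00", "op": "SearchCreated", "user": "j.doe@contoso.example",
     "case": "Case 1", "search": "S1", "all_mailboxes": True, "all_sites": True},
    {"t": "2024-05-01T08:40:00", "op": "SearchExported", "user": "j.doe@contoso.example",
     "case": "Case 1", "search": "S1"},
    # Legitimate legal-hold work: long-standing role, tracked matter, narrow custodian scope.
    {"t": "2024-05-01T09:00:00", "op": "CaseAdded", "user": "legal@contoso.example",
     "case": "LEG-1042", "matter_id": "LEG-1042"},
    {"t": "2024-05-01T09:05:00", "op": "SearchCreated", "user": "legal@contoso.example",
     "case": "LEG-1042", "search": "custodians", "all_mailboxes": False, "all_sites": False},
    {"t": "2024-05-01T09:30:00", "op": "SearchExported", "user": "legal@contoso.example",
     "case": "LEG-1042", "search": "custodians"},
]


def find_suspicious_exports(events, window_hours=72):
    """Return one alert per export that shows at least two of the tells described above."""
    grants, cases, searches, alerts = {}, {}, {}, []
    for e in sorted(events, key=lambda ev: ev["t"]):
        when = datetime.fromisoformat(e["t"])
        if e["op"] == "Add-RoleGroupMember" and e["role"] in EDISCOVERY_ROLES:
            grants[e["member"]] = when                      # who got eDiscovery power, and when
        elif e["op"] == "CaseAdded":
            cases[(e["user"], e["case"])] = e["matter_id"]  # empty matter_id = untracked case
        elif e["op"] == "SearchCreated":
            searches[(e["user"], e["search"])] = e["all_mailboxes"] or e["all_sites"]
        elif e["op"] == "SearchExported":
            tells = []
            granted = grants.get(e["user"])
            if granted and when - granted <= timedelta(hours=window_hours):
                tells.append("eDiscovery role granted within %dh of export" % window_hours)
            if not cases.get((e["user"], e["case"])):
                tells.append("case has no tracked legal matter")
            if searches.get((e["user"], e["search"])):
                tells.append("search scoped to all mailboxes or all sites")
            if len(tells) >= 2:
                alerts.append({"user": e["user"], "case": e["case"], "time": e["t"], "tells": tells})
    return alerts
```

Role-group membership changes are kept in memory only for the events seen, so feed the correlator a window that starts before any grant you care about.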
Practice it
We built this as a GraphLattice Range scenario so security teams can rehearse telling a legal hold from a data theft, cutting the role, and scoping the exported content set including any privileged material.