Microsoft Graph sensitive keyword search

ID: entra_graph_sensitive_keyword_search
Data type: Microsoft Entra ID
Severity: Low
MITRE ATT&CK: TA0009 (Collection) / T1213 (Data from Information Repositories)

Description

AlphaSOC detected a Microsoft Graph API search query containing keywords associated with sensitive information, such as credentials, secrets, passwords, or other confidential terms. Threat actors who gain access to a Microsoft 365 environment may use the Graph Search API (POST /search/query) to systematically search SharePoint and OneDrive files (driveItem, listItem), Teams messages (chatMessage), and email (message) for sensitive data to exfiltrate or leverage for further compromise. Search results are scoped to the permissions of the account the token belongs to, so the query is a fast way to enumerate everything that user can reach.

Impact

Attackers with valid Entra credentials can use the Graph API's search capabilities to locate sensitive files, credentials stored in documents, configuration secrets, or confidential business information across all content a user has access to. Discovery of such materials can enable privilege escalation, credential reuse attacks, and targeted exfiltration of high-value data. This technique is particularly effective in organizations that store sensitive information in unprotected Microsoft 365 content.

Severity

Severity   Condition
Low        Graph API search using sensitive keywords

Investigation and Remediation

Review the Graph API activity logs and Entra sign-in logs for the user account that performed the search, including the specific query terms, the entity types searched, the time of access, the originating IP address, and the client application ID that issued the request. Verify whether the activity was expected for that user's role and workflow; a single query such as "password policy" from an IT administrator is routine, whereas a burst of keyword searches across files, Teams messages, and mail from a new IP address or an unfamiliar client application is not. If unauthorized, revoke refresh tokens and active sessions, reset credentials, and review the content returned by the searches for signs of access or exfiltration. Implement Microsoft Purview sensitivity labels and Data Loss Prevention policies to limit exposure of sensitive data stored in Microsoft 365 content.
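The following is an added example, not AlphaSOC's detection code, illustrating both the search pattern in the description and the triage logic in the investigation section. It takes captured Graph Search API request bodies (the documented POST /search/query shape, with a "requests" array whose entries carry "entityTypes" and "query.queryString"), flags queries containing sensitive terms, and counts flagged queries per user so that a single routine hit can be separated from a systematic sweep. The wrapping event fields (timestamp, user, client_ip, request_body), the sample events, and the keyword list are assumptions made for this illustration.

```python
"""Flag Microsoft Graph /search/query requests containing sensitive keywords.

Added example, not AlphaSOC's detection code. The request_body shape follows
the Graph Search API; the outer event fields and the keyword list are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed keyword set; the page does not publish the detection's real list.
SENSITIVE_TERMS = (
    "password", "passwd", "pwd", "secret", "credential", "credentials",
    "api key", "apikey", "private key", "connection string", "ssn",
)


@dataclass
class Finding:
    timestamp: str
    user: str
    client_ip: str
    entity_types: list
    query: str
    matched: list = field(default_factory=list)


def extract_queries(request_body: dict):
    """Yield (queryString, entityTypes) for every sub-request in a Graph
    /search/query body. One call can fan out to several entity types
    (driveItem, listItem, message, chatMessage, ...)."""
    for req in request_body.get("requests", []):
        query = req.get("query", {}).get("queryString", "")
        yield query, list(req.get("entityTypes", []))


def match_sensitive_terms(query: str) -> list:
    """Return the sensitive terms present in a KQL query string, matched as
    whole words so 'secretary' or 'pwdlastset' do not fire. Property
    restrictions (filetype:, path:), quotes and parentheses are flattened."""
    cleaned = re.sub(r'["():,]', " ", query.lower())
    return [t for t in SENSITIVE_TERMS
            if re.search(r"\b" + re.escape(t) + r"\b", cleaned)]


def scan(events) -> list:
    """Run the keyword check over captured search events."""
    findings = []
    for ev in events:
        for query, types in extract_queries(ev["request_body"]):
            hits = match_sensitive_terms(query)
            if hits:
                findings.append(Finding(ev["timestamp"], ev["user"],
                                        ev["client_ip"], types, query, hits))
    return findings


def queries_per_user(findings) -> Counter:
    """Flagged queries per account; several from one user in a short window
    is the 'systematic search' pattern rather than a one-off lookup."""
    return Counter(f.user for f in findings)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:02:11Z", "user": "alice@contoso.example",
     "client_ip": "203.0.113.10",
     "request_body": {"requests": [{"entityTypes": ["driveItem"],
                                    "query": {"queryString": "quarterly revenue forecast"}}]}},
    {"timestamp": "2024-05-01T09:05:40Z", "user": "bob@contoso.example",
     "client_ip": "198.51.100.7",
     "request_body": {"requests": [{"entityTypes": ["driveItem", "listItem"],
                                    "query": {"queryString": "password filetype:xlsx"}}]}},
    {"timestamp": "2024-05-01T09:06:02Z", "user": "bob@contoso.example",
     "client_ip": "198.51.100.7",
     "request_body": {"requests": [{"entityTypes": ["driveItem"],
                                    "query": {"queryString": '"connection string" OR apikey'}}]}},
    {"timestamp": "2024-05-01T09:10:15Z", "user": "carol@contoso.example",
     "client_ip": "203.0.113.22",
     "request_body": {"requests": [{"entityTypes": ["message"],
                                    "query": {"queryString": "secretary meeting notes"}}]}},
    {"timestamp": "2024-05-01T09:06:30Z", "user": "bob@contoso.example",
     "client_ip": "198.51.100.7",
     "request_body": {"requests": [{"entityTypes": ["chatMessage"],
                                    "query": {"queryString": "credentials"}},
                                   {"entityTypes": ["message"],
                                    "query": {"queryString": "vpn config"}}]}},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f.timestamp, f.user, f.client_ip, f.entity_types, f.query, f.matched)
    print(queries_per_user(found))
```

In the sample, alice and carol produce no finding while bob produces three across files, Teams chat and a second entity type within a minute from one IP; that per-user count, together with the sign-in context described above, is what lifts a low-severity keyword hit into something worth acting on.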