Files Shared Externally: Data Exposure via Anonymous Links & Guest Access

Why this risk matters

External file sharing through Microsoft 365 — via anonymous links or guest user invitations — is a routine and legitimate feature. It is also one of the most common ways sensitive data leaves an organisation without clear audit trails, oversight, or the ability to revoke access after the fact.

Overe detects when files are shared externally using anonymous links or guest user access. Anonymous links in particular present a high risk because they require no authentication — anyone with the link can access the file, and the link may be forwarded, shared, or indexed without the original sharer's knowledge or consent.

The risk is not that external sharing happened, but that it is often done without considering the sensitivity of the content, the intended audience, or how long the link will remain active.

What happens if this is abused

  • Sensitive internal document shared via an anonymous link forwarded by the recipient to unauthorised parties
  • Anonymous link to a financial report, client proposal, or technical document indexed by a search engine
  • Attacker who has compromised a user account uses external sharing to exfiltrate large volumes of data before the account is locked
  • Guest user access to a SharePoint folder remains active long after the original sharing reason is resolved
  • Bulk external sharing across multiple sites by a compromised or malicious insider before detection

When this is expected or acceptable

External sharing is expected and legitimate for client deliverables, vendor collaboration, and public documentation. What makes it acceptable is proportionality — the right files shared with the right people for a defined period.

Anonymous link sharing carries higher risk than authenticated guest sharing because it requires no identity verification. For sensitive files, authenticated sharing with a defined expiry date is preferable. Anonymous links are more acceptable for genuinely public-facing content where the audience is intentionally unrestricted.

Checks to perform before taking action

Before acting on an external sharing alert:

  • Identify what was shared, with whom (anonymous link or specific guest), and when
  • Confirm whether the file contains sensitive content — financial data, PII, client information, or technical IP
  • Check whether the sharing was intentional and whether the user can identify the intended recipient
  • Review whether the link has an expiry date or whether it is set to persist indefinitely
  • Check whether the user account shows any signs of compromise around the time of the sharing event
  • Review Overe for other alerts tied to the same user — forwarding rules, deletion events, or unusual sign-ins
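The checks above can be scripted against the unified audit log. The Python below is an added example, not Overe code or Microsoft tooling: it parses constructed AuditData records (real SharePoint audit field names, invented users and paths), labels each external share as anonymous or guest, rates anonymous links into sensitive libraries highest, and flags any user whose external shares cluster inside a short window, the bulk pattern listed under "What happens if this is abused". The sensitive-path markers, the 30-minute window and the threshold of three are assumptions to tune per tenant.

```python
"""Triage external-sharing events from Microsoft 365 unified audit log records.
Added example, not Overe code. Records are constructed but use the SharePoint audit
schema field names (CreationTime, Operation, UserId, ObjectId, TargetUserOrGroupType)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS_OPS = {"AnonymousLinkCreated", "AnonymousLinkUpdated"}       # no sign-in needed
GUEST_OPS = {"SharingSet", "SharingInvitationCreated", "AddedToSecureLink"}
# Site paths this example treats as sensitive (organisation-specific assumption).
SENSITIVE_PATH_MARKERS = ("/sites/Finance/", "/sites/HR/", "/sites/Legal/", "/sites/Clients/")

SITE = "https://contoso.sharepoint.com/sites/"
# Constructed AuditData JSON, one document per record; three external shares by alice within 7 minutes.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2024-03-12T09:14:02", "Operation": "AnonymousLinkCreated",
                "UserId": "alice@contoso.example", "ObjectId": SITE + "Finance/Shared Documents/Q3-board-pack.xlsx"}),
    json.dumps({"CreationTime": "2024-03-12T09:16:40", "Operation": "SharingSet", "UserId": "alice@contoso.example",
                "ObjectId": SITE + "Finance/Shared Documents/Vendor-SOW.docx",
                "TargetUserOrGroupName": "bob@partner.example", "TargetUserOrGroupType": "Guest"}),
    json.dumps({"CreationTime": "2024-03-12T09:20:11", "Operation": "AnonymousLinkCreated",
                "UserId": "alice@contoso.example", "ObjectId": SITE + "Marketing/Shared Documents/Brochure.pdf"}),
    json.dumps({"CreationTime": "2024-03-12T09:21:00", "Operation": "SharingSet", "UserId": "alice@contoso.example",
                "ObjectId": SITE + "Finance/Shared Documents/Budget.xlsx",
                "TargetUserOrGroupName": "carol@contoso.example", "TargetUserOrGroupType": "Member"}),
    json.dumps({"CreationTime": "2024-03-12T15:02:00", "Operation": "AnonymousLinkCreated",
                "UserId": "dave@contoso.example", "ObjectId": SITE + "Marketing/Shared Documents/Press-kit.zip"}),
    json.dumps({"CreationTime": "2024-03-12T15:05:30", "Operation": "FileAccessed",
                "UserId": "dave@contoso.example", "ObjectId": SITE + "Marketing/Shared Documents/Press-kit.zip"}),
]


def parse_records(raw_records):
    """Parse AuditData JSON strings into the few fields triage needs."""
    events = []
    for raw in raw_records:
        rec = json.loads(raw)
        events.append({
            "time": datetime.fromisoformat(rec["CreationTime"]),
            "op": rec["Operation"],
            "user": rec["UserId"],
            "path": rec["ObjectId"],
            "target": rec.get("TargetUserOrGroupName", ""),
            "target_type": rec.get("TargetUserOrGroupType", ""),
        })
    return events


def is_sensitive_path(path):
    return any(marker in path for marker in SENSITIVE_PATH_MARKERS)


def classify(event):
    """Return 'anonymous', 'guest', or None when the event grants no external access."""
    if event["op"] in ANONYMOUS_OPS:
        return "anonymous"
    if event["op"] in GUEST_OPS and event["target_type"] == "Guest":
        return "guest"
    return None


def severity(kind, path):
    """Anonymous link to sensitive content is high; either factor alone is medium."""
    sensitive = is_sensitive_path(path)
    if kind == "anonymous" and sensitive:
        return "high"
    return "medium" if (kind == "anonymous" or sensitive) else "low"


def triage(raw_records, bulk_threshold=3, window=timedelta(minutes=30)):
    """Return (findings, bulk_users): one finding per external share, plus users who
    created at least `bulk_threshold` external shares inside any `window`."""
    findings, share_times = [], defaultdict(list)
    for event in parse_records(raw_records):
        kind = classify(event)
        if kind is None:
            continue                      # internal share or non-sharing operation
        findings.append({**event, "kind": kind, "severity": severity(kind, event["path"])})
        share_times[event["user"]].append(event["time"])

    bulk_users = []
    for user, times in share_times.items():
        times.sort()
        # Sliding window anchored on each share: count the shares that follow within `window`.
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= bulk_threshold:
                bulk_users.append(user)
                break
    return findings, sorted(bulk_users)


if __name__ == "__main__":
    found, bulk = triage(SAMPLE_AUDIT_RECORDS)
    for f in found:
        print(f"{f['severity']:<6} {f['kind']:<9} {f['user']:<22} {f['time']} {f['path']}")
    print("Bulk external sharing by:", ", ".join(bulk) or "none")
```

Against the constructed records the script reports one high finding (the anonymous link into the Finance library), three medium findings, and names alice as a bulk sharer; the internal SharingSet to a Member and the FileAccessed record are ignored. In practice the input would be the AuditData column of an audit log export or the payloads from the Office 365 Management Activity API.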

Safe remediation steps

  1. Use Overe to review external sharing events across the tenant, filtered by anonymous links and sensitive content locations
  2. For anonymous links to sensitive files, revoke the link immediately if the sharing was not intentional or the content is sensitive
  3. For guest user sharing, confirm whether the guest still requires access and set an expiry if not already configured
  4. For sharing events from potentially compromised accounts, revoke sessions and investigate the account
  5. Review organisational sharing settings — consider disabling anonymous link creation for sensitive document libraries
  6. Overe can automatically revoke sessions when a File Shared Externally alert fires — configure auto-response in Org Config > Auto-Response
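Steps 2 and 3 as a dry-run planner, added here as an example and not Overe's own code or its auto-response feature: given the permission objects Microsoft Graph returns for a file (constructed here, with invented IDs, users and paths), it decides which anonymous links to revoke, which guest permissions to remove or give an expiry, and which direct guest grants need a manual look, and emits the Graph requests for a reviewer to approve. Nothing is sent. The tenant domain, the 30-day guest expiry and the sensitive-path markers are assumptions.

```python
"""Plan remediation for the sharing permissions on one SharePoint file.
Added example, not Overe code. Permission objects are constructed to match the shape
Microsoft Graph returns from GET /drives/{drive-id}/items/{item-id}/permissions (id, roles,
link.scope, expirationDateTime, grantedToV2 / grantedToIdentitiesV2); IDs, users and
paths are invented. Requests are only built, never sent."""
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
DRIVE_ID, ITEM_ID = "b!constructed-drive-id", "01CONSTRUCTEDITEMID"   # placeholders
ITEM_PATH = "/sites/Finance/Shared Documents/Q3-board-pack.xlsx"
INTERNAL_DOMAIN = "contoso.example"      # assumption: the tenant's own domain
GUEST_EXPIRY_DAYS = 30                   # assumption: policy default for guest links
SENSITIVE_PATH_MARKERS = ("/sites/Finance/", "/sites/HR/", "/sites/Legal/", "/sites/Clients/")

SAMPLE_PERMISSIONS = [
    # Anonymous edit link, no expiry: anyone holding the URL can modify the file.
    {"id": "perm-anon-edit", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"}},
    # "Specific people" link to a guest, no expiry set.
    {"id": "perm-link-bob", "roles": ["read"], "link": {"scope": "users", "type": "view"},
     "grantedToIdentitiesV2": [{"user": {"email": "bob@partner.example"}}]},
    # Guest link that already expires: compliant.
    {"id": "perm-link-eve", "roles": ["read"], "link": {"scope": "users", "type": "view"},
     "expirationDateTime": "2024-04-30T00:00:00Z",
     "grantedToIdentitiesV2": [{"user": {"email": "eve@vendor.example"}}]},
    # Organisation link: requires a tenant sign-in, not external.
    {"id": "perm-org-view", "roles": ["read"], "link": {"scope": "organization", "type": "view"}},
    # Internal owner, direct grant.
    {"id": "perm-owner", "roles": ["owner"], "grantedToV2": {"user": {"email": "alice@contoso.example"}}},
    # Guest added directly rather than through a link.
    {"id": "perm-direct-frank", "roles": ["read"], "grantedToV2": {"user": {"email": "frank@partner.example"}}},
]


def is_sensitive_path(path):
    return any(marker in path for marker in SENSITIVE_PATH_MARKERS)


def granted_emails(perm):
    """Collect every e-mail the permission grants to, whether directly or via a link."""
    idents = list(perm.get("grantedToIdentitiesV2", []))
    if "grantedToV2" in perm:
        idents.append(perm["grantedToV2"])
    return {ident.get("user", {}).get("email", "") for ident in idents}


def classify_permission(perm):
    """'anonymous' (no sign-in), 'guest' (external identity) or 'internal'."""
    scope = perm.get("link", {}).get("scope")
    if scope == "anonymous":
        return "anonymous"
    if scope == "organization":
        return "internal"
    # Direct grants and 'users' links: external if any recipient is outside the tenant.
    # An identity without an e-mail is treated as external, the conservative choice.
    if any(not e.endswith("@" + INTERNAL_DOMAIN) for e in granted_emails(perm)):
        return "guest"
    return "internal"


def plan_remediation(perms, item_path, sharing_intentional=False, guests_still_required=frozenset(), now=None):
    """Return the Graph requests (as dicts) for a reviewer to approve: revoke anonymous links that
    are unintended or point at sensitive content, revoke guests no longer needed, add an expiry
    to guest links that lack one, and flag direct guest grants for manual review."""
    now = now or datetime.now(timezone.utc)
    base = f"{GRAPH}/drives/{DRIVE_ID}/items/{ITEM_ID}/permissions/"
    actions = []
    for perm in perms:
        kind = classify_permission(perm)
        entry = {"url": base + perm["id"], "permission_id": perm["id"]}
        if kind == "anonymous" and (not sharing_intentional or is_sensitive_path(item_path)):
            actions.append({**entry, "method": "DELETE", "reason": "anonymous link; unintended or sensitive content"})
        elif kind == "guest":
            if not (granted_emails(perm) & set(guests_still_required)):
                actions.append({**entry, "method": "DELETE", "reason": "guest no longer requires access"})
            elif "link" not in perm:
                # This example only patches expiry onto link permissions; direct grants get a human look.
                actions.append({**entry, "method": "REVIEW", "reason": "direct guest grant; consider re-sharing as an expiring link"})
            elif not perm.get("expirationDateTime"):
                expiry = (now + timedelta(days=GUEST_EXPIRY_DAYS)).strftime("%Y-%m-%dT%H:%M:%SZ")
                actions.append({**entry, "method": "PATCH", "body": {"expirationDateTime": expiry},
                                "reason": "guest link without expiry"})
    return actions


if __name__ == "__main__":
    still_needed = {"bob@partner.example", "eve@vendor.example", "frank@partner.example"}
    for a in plan_remediation(SAMPLE_PERMISSIONS, ITEM_PATH, guests_still_required=still_needed):
        print(a["method"], a["url"], a.get("body", ""), "#", a["reason"])
```

With the sample data and all three guests still required, the plan is one DELETE (the anonymous edit link on a Finance file), one PATCH adding an expiry to bob's link, and one REVIEW for frank's direct grant; eve's expiring link and the organisation link are left alone. Run with an empty `guests_still_required` set, every external permission is scheduled for removal. The planner is deliberately separate from the HTTP call so that the output can be reviewed before any permission is changed.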

Supporting documentation

Microsoft: Manage sharing settings in SharePoint - https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off

Microsoft: Best practices for sharing files with unauthenticated users - https://learn.microsoft.com/en-us/microsoft-365/solutions/best-practices-anonymous-sharing

Microsoft: Manage OneDrive sharing settings - https://learn.microsoft.com/en-us/onedrive/manage-sharing

Related risks and follow-on checks

  • Guest users with risky access
  • Inactive guest users
  • PST export and eDiscovery abuse
  • Anomalous delete sequence