PST Export & eDiscovery Abuse

Why this risk matters

eDiscovery searches and PST exports give users the ability to extract large volumes of email data — potentially spanning years of communications — into a single portable file. In a healthy environment, this capability is reserved for legal holds and compliance investigations. When it's triggered outside those processes, or by an account that shouldn't have access to it, it's one of the most efficient ways an attacker or malicious insider can exfiltrate bulk email data without triggering standard data loss alerts.

PST exports are particularly dangerous because the resulting file is self-contained, easily copied to external storage or cloud services, and contains full message bodies, attachments, and metadata. Unlike forwarding rules — which leak mail continuously — a PST export can capture everything in one action.

What happens if this is abused

  • Attacker with eDiscovery permissions runs a content search scoped across all mailboxes and exports results as a PST, capturing years of communications in one operation
  • Resulting PST file is self-contained and portable — easily moved to USB, personal cloud storage, or an external email account with no further log trace after export
  • Departing employee exports their own mailbox (or those they have delegate access to) before offboarding, taking client contacts, financial data, or confidential communications
  • Targeted keyword search — salary, acquisition, contract, merger — used to extract only high-value communications before exporting
  • PST export used in the follow-on phase of a broader compromise to map communications before launching BEC or impersonation attacks
  • Multiple mailboxes searched and exported simultaneously, enabling cross-functional data collection in a single operation
  • Export activity not visible to standard email security tools — full visibility requires specific compliance audit logging settings enabled in advance
  • eDiscovery access granted during a legitimate project and never revoked, leaving a privileged capability open to anyone who later compromises that account

When this is expected or acceptable

Legitimate PST exports and eDiscovery searches are common in the following scenarios:

  • Legal hold or litigation support — a specific search scoped to relevant custodians and date ranges, initiated by a compliance officer or legal team
  • HR investigations — targeted exports for a specific employee's mailbox, initiated by HR or a compliance admin
  • Regulatory compliance — exports required for audit, data subject access requests, or regulatory filings
  • IT migration projects — PST exports as part of a mailbox migration or archiving project

In all legitimate cases, you should be able to identify: who initiated the search, what scope it covered, and whether it aligns with an open request or project. Exports with unusually broad scope, no supporting ticket, or initiated by non-compliance accounts are the red flag.

Checks to perform before taking action

  • In the Microsoft Purview compliance portal, review the eDiscovery search history — who created it, when, and what the search scope covers (mailboxes, date range, keywords)
  • Check whether the initiating account has a legitimate role that would require eDiscovery access (compliance officer, legal, senior HR)
  • Look at whether there is an open ticket, project, or HR/legal request that aligns with this activity
  • Review export history — has this user exported PST files before? Is this a pattern or a one-off?
  • Check the account's recent sign-in history for signs of compromise — unusual location, new device, MFA challenge failures
  • If the export was to an external location (USB, cloud storage via browser), that may be visible in Defender for Endpoint endpoint telemetry

Safe remediation steps

  1. If no legitimate business reason can be identified for the export, suspend the account immediately to prevent further data movement
  2. Revoke all active sessions for the account via Entra ID to cut off any in-progress operations
  3. Preserve the eDiscovery search and export metadata in Purview — do not delete it, as this is evidence
  4. Determine whether the PST file was successfully exported and attempt to identify where it was sent or stored
  5. If the account was compromised, follow your full account recovery process: reset credentials, re-enrol MFA, review all recent activity
  6. If this was an insider threat, escalate to HR and legal immediately — preserve all audit logs and do not tip off the user
  7. Review and tighten eDiscovery role assignments — remove access from any accounts that don't have an active, documented need for it
  8. Consider enabling Compliance Search export audit logging if not already active, so future exports are captured in detail

Overe Auto-Response: The PST Export Alert Raised alert can be configured in Overe to trigger automatic session revocation or account block when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response to determine the appropriate automated action for your environment.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Windows Device Security Audit and Event Logging — Captures detailed Windows security events to support threat detection, investigation, and compliance.
  • Block High-Risk Users — Creates a Conditional Access Policy that prevents any user categorized as 'High Risk' from signing in.

Related risks and follow-on checks

After investigating a PST export alert, review these related risk areas:

  • Anomalous Delete Sequence — attackers sometimes delete evidence after exfiltrating data
  • Mailbox Audit Bypass — if audit bypass is enabled for the account in question, forensic coverage may be incomplete
  • Files Shared Externally — check whether the exported PST or related files were shared via SharePoint or OneDrive
  • Risky Inbox Forwarding Rules — a compromised account may have both forwarding rules and eDiscovery access active simultaneously
  • Dormant Users — if the initiating account hasn't been used recently but suddenly runs an export, this is a strong indicator of compromise
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.