eDiscovery searches and PST exports give users the ability to extract large volumes of email data — potentially spanning years of communications — into a single portable file. In a healthy environment, this capability is reserved for legal holds and compliance investigations. When it's triggered outside those processes, or by an account that shouldn't have access to it, it's one of the most efficient ways an attacker or malicious insider can exfiltrate bulk email data without triggering standard data loss alerts.
PST exports are particularly dangerous because the resulting file is self-contained, easily copied to external storage or cloud services, and contains full message bodies, attachments, and metadata. Unlike forwarding rules — which leak mail continuously — a PST export can capture everything in one action.
Legitimate PST exports and eDiscovery searches are common in the following scenarios:
In all legitimate cases, you should be able to identify: who initiated the search, what scope it covered, and whether it aligns with an open request or project. Exports with unusually broad scope, no supporting ticket, or initiated by non-compliance accounts are the red flag.
Overe Auto-Response: The PST Export Alert Raised alert can be configured in Overe to trigger automatic session revocation or account block when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response to determine the appropriate automated action for your environment.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a PST export alert, review these related risk areas: