PST Export & eDiscovery Abuse

Why this risk matters

eDiscovery searches and PST exports give users the ability to extract large volumes of email data — potentially spanning years of communications — into a single portable file. In a healthy environment, this capability is reserved for legal holds and compliance investigations. When it's triggered outside those processes, or by an account that shouldn't have access to it, it's one of the most efficient ways an attacker or malicious insider can exfiltrate bulk email data without triggering standard data loss alerts.

PST exports are particularly dangerous because the resulting file is self-contained, easily copied to external storage or cloud services, and contains full message bodies, attachments, and metadata. Unlike forwarding rules — which leak mail continuously — a PST export can capture everything in one action.

What happens if this is abused

An attacker or compromised account with eDiscovery permissions can run a content search scoped to any mailbox in the organisation — not just their own — and export the results as a PST file. This gives them access to emails, calendar items, and attachments across multiple users simultaneously.

In insider threat scenarios, a departing employee or disgruntled staff member may export their own mailbox (or others they have access to) before their account is offboarded. The resulting PST file can be quietly moved to personal cloud storage, USB, or an external email account with no further trace in standard audit logs unless audit is specifically enabled for export operations.

This technique is used in pre-termination data theft, corporate espionage, and BEC follow-on activity where an attacker wants to understand the organisation's communications before launching further attacks.

When this is expected or acceptable

Legitimate PST exports and eDiscovery searches are common in the following scenarios:

  • Legal hold or litigation support — a specific search scoped to relevant custodians and date ranges, initiated by a compliance officer or legal team
  • HR investigations — targeted exports for a specific employee's mailbox, initiated by HR or a compliance admin
  • Regulatory compliance — exports required for audit, data subject access requests, or regulatory filings
  • IT migration projects — PST exports as part of a mailbox migration or archiving project

In all legitimate cases, you should be able to identify: who initiated the search, what scope it covered, and whether it aligns with an open request or project. Exports with unusually broad scope, no supporting ticket, or initiated by non-compliance accounts are the red flags.

Checks to perform before taking action

  • In the Microsoft Purview compliance portal, review the eDiscovery search history — who created it, when, and what the search scope covers (mailboxes, date range, keywords)
  • Check whether the initiating account has a legitimate role that would require eDiscovery access (compliance officer, legal, senior HR)
  • Look at whether there is an open ticket, project, or HR/legal request that aligns with this activity
  • Review export history — has this user exported PST files before? Is this a pattern or a one-off?
  • Check the account's recent sign-in history for signs of compromise — unusual location, new device, MFA challenge failures
  • If the export was to an external location (USB, cloud storage via browser), that may be visible in Defender for Endpoint endpoint telemetry
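The checks above can be applied mechanically to the Discovery records returned by Search-UnifiedAuditLog. The following Python triage script is an added example, not Overe's or Microsoft's code: it assumes a simplified AuditData shape (UserId, Operation, ObjectId, ExchangeLocations; verify the field names against your tenant's real output), a list of accounts with a documented eDiscovery role, and the convention that searches are named after the ticket that authorised them. The sample records are constructed.

```python
"""Triage SearchExported events from unified audit log records (added example)."""
import json

# Constructed sample records shaped like Search-UnifiedAuditLog AuditData.
# Field names are an assumption; check them against your tenant's output.
SAMPLE_AUDIT = """
{"CreationTime":"2024-05-01T09:12:00","UserId":"legal.admin@contoso.example","Operation":"SearchExported","ObjectId":"HR-2024-017","ExchangeLocations":["j.doe@contoso.example"]}
{"CreationTime":"2024-05-02T10:30:00","UserId":"legal.admin@contoso.example","Operation":"SearchExported","ObjectId":"LIT-2024-003","ExchangeLocations":["a.lee@contoso.example","b.kim@contoso.example"]}
{"CreationTime":"2024-05-03T02:41:00","UserId":"sales.rep@contoso.example","Operation":"SearchExported","ObjectId":"all mail","ExchangeLocations":["All"]}
"""

APPROVED_EXPORTERS = {"legal.admin@contoso.example"}  # accounts with a documented eDiscovery role
OPEN_TICKETS = {"HR-2024-017", "LIT-2024-003"}         # ticket ids searches are named after (assumption)
BROAD_SCOPE = 5                                         # more custodians than this counts as broad


def parse_records(text):
    """Parse one JSON AuditData record per line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage_exports(records):
    """Return one finding per SearchExported event with the red flags it raises."""
    exports = sorted((r for r in records if r.get("Operation") == "SearchExported"),
                     key=lambda r: r["CreationTime"])
    export_count = {}
    for r in exports:
        export_count[r["UserId"]] = export_count.get(r["UserId"], 0) + 1

    findings = []
    for r in exports:
        actor, name = r["UserId"], r.get("ObjectId", "")
        locations = r.get("ExchangeLocations", [])
        flags = []
        if actor not in APPROVED_EXPORTERS:
            flags.append("actor has no documented eDiscovery role")
        if "All" in locations or len(locations) > BROAD_SCOPE:
            flags.append("broad scope: " + ", ".join(locations))
        if not any(t in name for t in OPEN_TICKETS):
            flags.append("no matching ticket reference in search name")
        if export_count[actor] == 1:
            flags.append("one-off export: no prior exports by this account in the window")
        findings.append({"time": r["CreationTime"], "actor": actor, "search": name, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage_exports(parse_records(SAMPLE_AUDIT)):
        print(f["time"], f["actor"], f["search"], "->", f["flags"] or "no flags")
```

Every flagged finding still needs the manual context checks (open ticket, sign-in history, endpoint telemetry) before any action is taken.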

Safe remediation steps

  1. If no legitimate business reason can be identified for the export, suspend the account immediately to prevent further data movement
  2. Revoke all active sessions for the account via Entra ID to cut off any in-progress operations
  3. Preserve the eDiscovery search and export metadata in Purview — do not delete it, as this is evidence
  4. Determine whether the PST file was successfully exported and attempt to identify where it was sent or stored
  5. If the account was compromised, follow your full account recovery process: reset credentials, re-enrol MFA, review all recent activity
  6. If this was an insider threat, escalate to HR and legal immediately — preserve all audit logs and do not tip off the user
  7. Review and tighten eDiscovery role assignments — remove access from any accounts that don't have an active, documented need for it
  8. Consider enabling Compliance Search export audit logging if not already active, so future exports are captured in detail

Overe Auto-Response: The PST Export Alert Raised alert can be configured in Overe to trigger automatic session revocation or account block when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response to determine the appropriate automated action for your environment.

Related risks and follow-on checks

After investigating a PST export alert, review these related risk areas:

  • Anomalous Delete Sequence — attackers sometimes delete evidence after exfiltrating data
  • Mailbox Audit Bypass — if audit bypass is enabled for the account in question, forensic coverage may be incomplete
  • Files Shared Externally — check whether the exported PST or related files were shared via SharePoint/OneDrive
  • Risky Inbox Forwarding Rules — a compromised account may have both forwarding rules and eDiscovery access active simultaneously
  • Dormant Users — if the initiating account hasn't been used recently but suddenly runs an export, this is a strong indicator of compromise