Name
From Inbox to SharePoint: Catching Attackers Mid-Collection in Microsoft 365
Date & Time
Wednesday, September 9, 2026, 10:10 AM - 10:55 AM
Speaker
Ryan O'Donnell
Description

By the time an attacker is exfiltrating data from Microsoft 365, traditional controls are often too late to stop the damage. The collection phase that precedes exfiltration, however, leaves high-signal traces if you know where to look. This session walks through the post-compromise collection workflow in Microsoft 365 and explains why mailbox search and SharePoint/OneDrive search make ideal tripwire points.

We’ll show how to design credible canary lures in Outlook and SharePoint/OneDrive that attackers are likely to touch but normal users will ignore, and how to use native audit telemetry (the Microsoft 365 unified audit log) to reliably detect those touches while filtering out service-generated noise. Security teams will learn how to build a repeatable Alert → Pivot → Scope workflow that ties each canary hit back to identity context for fast triage, and how to tune and baseline canaries in noisy production environments without drowning in false positives.
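To make the Alert → Pivot → Scope idea concrete, here is an added example (not material from the talk or the speaker) that runs canary matching over unified audit log records. The field names it reads (Operation, UserId, ClientIP, Workload, ObjectId, CreationTime, and the Folders/FolderItems/InternetMessageId structure of MailItemsAccessed records) follow the audit schema; the records themselves, the contoso.com identities and file paths, the canary identifiers, and the list of service identities treated as noise are all constructed for this example and should be replaced with your own.

```python
"""
Canary-hit detection over Microsoft 365 unified audit log records.
Added example, not from the talk. Audit field names follow the schema;
the records, tenant names, canaries and noise list are constructed here.
"""
import json
from datetime import datetime

# Hypothetical canaries: one file planted in a SharePoint library and one
# message planted in a mailbox (identified by the Message-ID set at plant time).
CANARY_FILES = {
    "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Passwords.xlsx",
}
CANARY_MESSAGE_IDS = {"<canary-2f9a@contoso.com>"}

# Identities whose reads are platform-generated (indexing, app-only access).
# Extend this from your own baseline; it is an assumption, not a complete list.
SERVICE_IDENTITIES = {"app@sharepoint", "sharepoint\\system", "nt authority\\system"}

# SharePoint/OneDrive operations that mean a human or tool opened the content.
FILE_TOUCH_OPS = {"FileAccessed", "FilePreviewed", "FileDownloaded", "FileSyncDownloadedFull"}

# Constructed sample records (the parsed AuditData column of six log entries).
SAMPLE_AUDIT_JSON = """[
 {"CreationTime": "2026-09-01T03:10:02", "Operation": "FileAccessed", "Workload": "SharePoint",
  "UserId": "app@sharepoint", "ClientIP": "",
  "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Passwords.xlsx"},
 {"CreationTime": "2026-09-01T08:02:41", "Operation": "FileAccessed", "Workload": "SharePoint",
  "UserId": "alice@contoso.com", "ClientIP": "192.0.2.10",
  "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.xlsx"},
 {"CreationTime": "2026-09-01T08:15:22", "Operation": "FileAccessed", "Workload": "SharePoint",
  "UserId": "bob@contoso.com", "ClientIP": "203.0.113.45",
  "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Passwords.xlsx"},
 {"CreationTime": "2026-09-01T08:16:05", "Operation": "MailItemsAccessed", "Workload": "Exchange",
  "UserId": "bob@contoso.com", "ClientIP": "203.0.113.45", "LogonType": 0,
  "Folders": [{"Path": "\\\\Inbox", "FolderItems": [
     {"InternetMessageId": "<weekly-report-118@contoso.com>"},
     {"InternetMessageId": "<canary-2f9a@contoso.com>"}]}]},
 {"CreationTime": "2026-09-01T09:00:13", "Operation": "MailItemsAccessed", "Workload": "Exchange",
  "UserId": "alice@contoso.com", "ClientIP": "192.0.2.10", "LogonType": 0,
  "Folders": [{"Path": "\\\\Inbox", "FolderItems": [
     {"InternetMessageId": "<weekly-report-118@contoso.com>"}]}]},
 {"CreationTime": "2026-09-01T11:47:30", "Operation": "FileDownloaded", "Workload": "OneDrive",
  "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
  "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Passwords.xlsx"}
]"""


def load_sample():
    """Parse the constructed sample records."""
    return json.loads(SAMPLE_AUDIT_JSON)


def is_service_noise(rec):
    """Drop records generated by platform/service identities rather than a user session."""
    return rec.get("UserId", "").lower() in SERVICE_IDENTITIES


def canaries_touched(rec):
    """Return the canary identifiers this one record touched (possibly none)."""
    op = rec.get("Operation")
    if op in FILE_TOUCH_OPS:
        obj = rec.get("ObjectId", "")
        return [obj] if obj in CANARY_FILES else []
    if op == "MailItemsAccessed":
        ids = [item.get("InternetMessageId")
               for folder in rec.get("Folders", [])
               for item in folder.get("FolderItems", [])]
        return [i for i in ids if i in CANARY_MESSAGE_IDS]
    return []


def detect(records):
    """Alert stage: one alert per (record, canary) pair after noise filtering."""
    alerts = []
    for rec in records:
        if is_service_noise(rec):
            continue
        for canary in canaries_touched(rec):
            alerts.append({
                "time": datetime.fromisoformat(rec["CreationTime"]),
                "user": rec["UserId"],
                "ip": rec.get("ClientIP") or "unknown",
                "workload": rec.get("Workload"),
                "operation": rec["Operation"],
                "canary": canary,
            })
    return alerts


def scope(alerts):
    """Pivot/Scope stage: fold alerts onto the identity so triage starts from the account."""
    by_user = {}
    for a in alerts:
        s = by_user.setdefault(a["user"], {
            "ips": set(), "canaries": set(), "workloads": set(),
            "first_seen": a["time"], "last_seen": a["time"], "hits": 0})
        s["ips"].add(a["ip"])
        s["canaries"].add(a["canary"])
        s["workloads"].add(a["workload"])
        s["first_seen"] = min(s["first_seen"], a["time"])
        s["last_seen"] = max(s["last_seen"], a["time"])
        s["hits"] += 1
    return by_user


def run(records=None):
    """Alert -> Pivot -> Scope over the given records (sample data by default)."""
    return scope(detect(records if records is not None else load_sample()))


if __name__ == "__main__":
    for user, s in run().items():
        print(f"{user}: {s['hits']} canary hits from {sorted(s['ips'])} across "
              f"{sorted(s['workloads'])} between {s['first_seen']} and {s['last_seen']}")
```

In the sample, the service-account read of the canary file is discarded, Alice's ordinary activity never matches, and Bob's three touches collapse into a single identity-centric summary spanning two client IPs and three workloads, which is the shape a triage queue wants. In production, replace the sample JSON with the AuditData of records returned by your audit log export, and grow the noise list only from identities you have baselined rather than from guesswork.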