If there’s one place I keep finding security gaps, time and again, it’s OneDrive and SharePoint sharing.
Not firewalls.
Not MFA.
Not even email anymore.
It’s files.
Everyone assumes:
“It’s just a document. What’s the worst that can happen?”
A lot, actually.
The False Sense of Safety
Most organizations think their data is secure because:
- MFA is enabled
- Devices are compliant
- Users are licensed correctly
But then I look at sharing settings and see things like:
- Anyone with the link
- No expiration
- No access reviews
- Ex-employees still own files
At that stage, your identity security no longer matters.
Your data is already out in the open.
“Anyone With the Link” Is Not Secure
This one setting alone causes most data leaks I see (Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware, 2025).
When “Anyone with the link” is enabled:
- Links can be forwarded
- Links can be saved
- Links can be accessed outside your tenant
- You have no idea who opened the file
That isn’t real collaboration.
That’s just uncontrolled data sharing.
External Sharing ≠ Bad (But It Needs Rules)
I’m not saying block all external sharing. That’s unrealistic.
But unrestricted external sharing is risky when:
- There’s no expiration on links
- There’s no restriction to “specific people”
- There’s no periodic review
- Owners don’t even know what’s shared
Secure sharing means giving access on purpose, not just for convenience.
Ownership Is a Hidden Risk
There’s something most admins overlook:
When an employee leaves, their OneDrive doesn’t magically become safe.
I’ve seen:
- Departed users still own shared files
- Critical business documents living in personal OneDrives
- External users still have access months later
If a file is important to the business, it shouldn’t stay in someone’s personal drive forever.
Simple Steps That Actually Reduce Risk
You don’t need complex tools to fix this. Begin with the basics:
- Disable “Anyone with the link” wherever possible
- Default sharing to Specific people
- Require expiration dates for external access
- Run regular access reviews
- Move shared business data to SharePoint, not personal OneDrives
- Monitor external sharing activity
Even just these changes can greatly reduce your risk.
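The basics above, applied and checked from the admin side, as an added example that is not code from the original post: it uses the SharePoint Online Management Shell and Exchange Online PowerShell, and the tenant name "contoso", the 60-day and 30-day expiry values and the 14-day audit window are placeholders I chose, not values the post gives.

```powershell
# Added example (not from the original post). Prerequisites:
#   Install-Module Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
# Placeholders/assumptions: tenant name, the day counts and the audit window below.

$tenant = "contoso"   # placeholder tenant name
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# 1. Record the current tenant settings first so the change is reviewable and reversible.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    ExternalUserExpirationRequired, ExternalUserExpireInDays | Format-List

# 2. Tenant-wide defaults: authenticated guests only (no "Anyone" links), new links go to
#    specific people and are view-only, guests cannot reshare, and guest access expires.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# Where "Anyone" links genuinely have to stay on, at least make them expire and read-only:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 3. Sites whose own setting still allows anonymous links: list them, then align them.
$loose = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }
$loose | Select-Object Url, SharingCapability, Owner | Format-Table -AutoSize
$loose | ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }

# 4. Personal OneDrives that still allow external sharing (the "business data in a
#    personal drive" problem). Review these with their owners instead of switching them off blindly.
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate | Format-Table -AutoSize

# 5. Monitor: who created or used sharing links, and with whom, over the last 14 days.
Connect-ExchangeOnline
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations AnonymousLinkCreated, AnonymousLinkUsed, SharingInvitationCreated, SharingSet `
    -ResultSize 5000
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, UserId, TargetUserOrGroupName, TargetUserOrGroupType, ObjectId |
    Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Step 1 is there so you can compare before and after; run steps 3 and 4 in report-only mode first (drop the `Set-SPOSite` line) if site owners have not been told a change is coming.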
Why Attackers Love Oversharing
Attackers don’t always break in anymore.
They:
- Find leaked links
- Abuse existing access
- Wait quietly
- Download everything
Oversharing gives them a front door with no hacking needed.
Final Thought
Most breaches today aren’t technical failures.
They’re permission failures (Hassanzadeh et al., 2020).
If you secure identities but ignore file sharing, it’s like protecting the lock but leaving the door open.
Secure sharing isn’t about slowing users down.
It’s about knowing who has access, why they have it, and when it should end.
If you’re not regularly reviewing OneDrive and SharePoint sharing,
that’s where I’d start.
Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.
References
Tom's Hardware. (2025, July 23). Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware. https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware
Hassanzadeh, A., Rasekh, A., Galelli, S., Aghashahi, M., Taormina, R., Ostfeld, A. & Banks, K. (2020). A Review of Cybersecurity Incidents in the Water Sector. arXiv:2001.11144. https://doi.org/10.48550/arXiv.2001.11144