I've got a perplexing situation involving SharePoint. Audit logs indicate that a user moved and renamed over a hundred folders within a four-hour window on a Friday afternoon, between 4 and 8 PM. The logs show an internal IP address as well. The movement was almost continuous throughout that time. The user insists she didn't do anything. Has anyone experienced something like this or have any idea what might be going on?
3 Answers
It sounds pretty suspicious, especially since significant folder movements like that can sometimes be linked to ransomware activities. Typically, ransomware actors work after hours, but they don’t usually engage with SharePoint directly or rename folders. You might want to check the IP address and device health—any chance it's a known device? If you could provide specifics on what the folders were renamed to and where they were moved from, that could help clarify things.
Honestly, if the user is denying involvement despite the logs, she might be covering for something. It’s worth digging deeper into her access and behavior.
Could the user have connected to the SharePoint folder via Explorer and accidentally dragged something into a subfolder? If that's the case, depending on the size and number of files, it might take some time for those actions to sync back, which could explain the logs showing off-hours activity. It’s definitely worth checking.
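The checks suggested in the answers above (which IP and device the activity came from, and whether a sync client replayed one drag-and-drop), sketched as an added example that is not part of any poster's answer. It assumes the audit records were exported as JSON with Microsoft 365 unified audit log field names (`Operation`, `ClientIP`, `UserAgent`, `DestinationRelativeUrl`), and that the sync client's user agent contains `SkyDriveSync`; the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: records shaped like the AuditData JSON of a unified
# audit log export. All values are invented for illustration.
SAMPLE = [json.dumps({
    "CreationTime": f"2024-05-03T16:{m:02d}:{s:02d}",
    "Operation": "FolderMoved",
    "UserId": "user@example.com",
    "ClientIP": "10.0.0.25",
    "UserAgent": "Microsoft SkyDriveSync 24.0 ship; Windows NT 10.0",
    "SourceRelativeUrl": "Shared Documents/Projects",
    "SourceFileName": f"Client{m:02d}",
    "DestinationRelativeUrl": "Shared Documents/Projects/Archive",
}) for m, s in [(0, 5), (0, 47), (1, 30), (2, 12), (2, 58)]]

# Assumption: the OneDrive sync client identifies itself with this token.
SYNC_TOKENS = ("SkyDriveSync",)
FOLDER_OPS = {"FolderMoved", "FolderRenamed"}

def triage(raw_records):
    """Group folder move/rename events by (user, IP, user agent) and summarise."""
    groups = defaultdict(list)
    for raw in raw_records:
        rec = json.loads(raw)
        if rec.get("Operation") in FOLDER_OPS:
            key = (rec["UserId"], rec.get("ClientIP", ""), rec.get("UserAgent", ""))
            groups[key].append(rec)
    report = []
    for (user, ip, agent), recs in groups.items():
        times = sorted(datetime.fromisoformat(r["CreationTime"]) for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        dests = defaultdict(int)
        for r in recs:
            dests[r.get("DestinationRelativeUrl", "")] += 1
        top_dest, top_count = max(dests.items(), key=lambda kv: kv[1])
        report.append({
            "user": user, "ip": ip, "events": len(recs),
            "first": times[0].isoformat(), "last": times[-1].isoformat(),
            "median_gap_s": median(gaps) if gaps else None,
            "sync_client": any(t in agent for t in SYNC_TOKENS),
            "top_destination": top_dest,
            "top_destination_share": top_count / len(recs),
        })
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

One group with a sync-client agent, a single destination and evenly spaced events is consistent with a drag-and-drop being synced; several IPs, a browser agent or scattered destinations point elsewhere.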
