Nerd Rangers


How We Helped a Firm Uncover and Respond to an Insider Threat

In early 2025, a mid-sized company approached Nerd Rangers with concerns about suspicious activity tied to a recently departed employee. What started as a vague hunch evolved into a full-blown forensic investigation — uncovering a months-long campaign of internal data exfiltration and competitive posturing.

This post breaks down what happened, how it happened, what our team did to identify and contain the threat, and what other businesses can do to protect themselves.

The Situation

The client, a reputable firm, suspected that a former project executive had been planning to leave and start his own company — while still employed. More troubling, there were signs he may have:
  • Redirected project work to himself
  • Sent confidential documents to a personal email account
  • Deleted critical internal communications
  • Used company devices for his new venture

That’s when they reached out to Nerd Rangers.

What We Found

Over the course of our investigation, we uncovered a pattern of covert activity dating back nearly six months:

Forwarding of Internal Documents

The former employee had sent over 40 internal documents — including proposals, billing spreadsheets, construction plans, and client communications — to his personal email address.
These documents included files tied to active clients, such as:

  • Budgetary proposals
  • Client invoices
  • Project schedules and reports
  • Architectural plans delivered via external links

OneDrive Sync & Home IP Activity

Using Microsoft Purview audit logs, we discovered:

  • Massive downloads from SharePoint using the OneDrive sync agent
  • Activity originating from his home IP address
  • File downloads immediately followed by emails to his personal inbox

Email Deletions

After forwarding each batch of data, he routinely:

  • Soft-deleted the sent emails
  • Performed 99+ hard deletions over 5 months, making recovery nearly impossible without forensic retention
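The two Purview findings above (bulk sync downloads from an off-network IP followed shortly by mail to a personal inbox, and a stream of hard deletions) can be reduced to a repeatable triage rule. The script below is an added example written for this post, not the Nerd Rangers investigation tooling. It reads a constructed NDJSON export in the style of unified audit log records; the operation names (FileSyncDownloadedFull, FileDownloaded, Send, SoftDelete, HardDelete) are real Purview operations, but the record layout is a simplified subset and the `Recipients` list on Send records is an assumption made so the example can tell internal from external mail.

```python
"""Triage Microsoft 365 unified audit records for the pattern described above:
off-network sync downloads, an external email soon after, and hard deletions.

Constructed example. Record fields are a simplified subset of the Purview
unified audit log schema; the "Recipients" field on Send records is assumed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (NDJSON, one audit record per line).
SAMPLE_AUDIT_NDJSON = """\
{"CreationTime": "2025-01-10T09:00:12", "Operation": "FileSyncDownloadedFull", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "SharePoint", "ObjectId": "https://corp.sharepoint.example/sites/Projects/Proposal-Q1.xlsx"}
{"CreationTime": "2025-01-10T09:01:40", "Operation": "FileSyncDownloadedFull", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "SharePoint", "ObjectId": "https://corp.sharepoint.example/sites/Projects/Site-Plan.pdf"}
{"CreationTime": "2025-01-10T09:22:05", "Operation": "Send", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "Exchange", "Recipients": ["jdoe.home@example.net"]}
{"CreationTime": "2025-01-10T09:25:30", "Operation": "SoftDelete", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "Exchange"}
{"CreationTime": "2025-01-10T21:05:00", "Operation": "HardDelete", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "Exchange"}
{"CreationTime": "2025-01-10T21:05:03", "Operation": "HardDelete", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "Exchange"}
{"CreationTime": "2025-01-10T21:05:07", "Operation": "HardDelete", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.45", "Workload": "Exchange"}
{"CreationTime": "2025-01-11T10:10:00", "Operation": "FileDownloaded", "UserId": "asmith@corp.example", "ClientIP": "10.20.30.40", "Workload": "SharePoint", "ObjectId": "https://corp.sharepoint.example/sites/Projects/Minutes.docx"}
{"CreationTime": "2025-01-11T10:30:00", "Operation": "Send", "UserId": "asmith@corp.example", "ClientIP": "10.20.30.40", "Workload": "Exchange", "Recipients": ["pm@corp.example"]}
"""

# SharePoint/OneDrive operations that move file content to an endpoint.
DOWNLOAD_OPS = {"FileSyncDownloadedFull", "FileDownloaded"}


def parse_records(ndjson_text):
    """Parse NDJSON audit records and sort them chronologically."""
    recs = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"].rstrip("Z"))
        recs.append(rec)
    recs.sort(key=lambda r: r["_time"])
    return recs


def is_corporate_ip(ip, corp_networks):
    """True if the client IP falls inside one of the known office/VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in corp_networks)


def is_external(address, corp_domain):
    """True if a recipient address is outside the tenant's primary domain."""
    return not address.lower().endswith("@" + corp_domain.lower())


def triage(records, corp_networks, corp_domain,
           window=timedelta(minutes=60), hard_delete_threshold=3):
    """Per-user summary: off-network downloads, download-then-external-send
    correlations inside `window`, hard-deletion counts, and human-readable
    findings. Thresholds are illustrative; tune them to the tenant."""
    by_user = defaultdict(lambda: {
        "off_network_downloads": 0, "off_network_files": [],
        "download_then_external_send": 0, "hard_deletes": 0, "findings": []})
    recent_downloads = defaultdict(list)  # user -> times of off-network downloads

    for rec in records:
        user, op, now = rec["UserId"], rec["Operation"], rec["_time"]
        summary = by_user[user]
        if op in DOWNLOAD_OPS and not is_corporate_ip(rec["ClientIP"], corp_networks):
            summary["off_network_downloads"] += 1
            summary["off_network_files"].append(rec.get("ObjectId", "?"))
            recent_downloads[user].append(now)
        elif op == "Send":
            ext = [a for a in rec.get("Recipients", []) if is_external(a, corp_domain)]
            # Correlate: an external send shortly after an off-network download.
            if ext and any(timedelta(0) <= now - t <= window for t in recent_downloads[user]):
                summary["download_then_external_send"] += 1
                summary["findings"].append(
                    f"{rec['CreationTime']}: mail to {', '.join(ext)} within "
                    f"{window} of an off-network download from {rec['ClientIP']}")
        elif op == "HardDelete":
            summary["hard_deletes"] += 1

    for user, summary in by_user.items():
        if summary["hard_deletes"] >= hard_delete_threshold:
            summary["findings"].append(
                f"{summary['hard_deletes']} hard deletions (threshold {hard_delete_threshold})")
        summary["suspicious"] = bool(summary["findings"])
    return dict(by_user)


def run_sample():
    """Run the triage over the constructed export with assumed office ranges."""
    corp_networks = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")]
    return triage(parse_records(SAMPLE_AUDIT_NDJSON), corp_networks, "corp.example")


if __name__ == "__main__":
    for user, summary in run_sample().items():
        flag = "SUSPICIOUS" if summary["suspicious"] else "ok"
        print(f"{user}: {flag}")
        for finding in summary["findings"]:
            print(f"  - {finding}")
```

In a real engagement the input would come from a Purview audit search export covering the retention window; the point of the correlation is that neither a sync download nor an external email is suspicious alone, but a download from an unfamiliar IP followed within the hour by mail to a non-tenant address, repeated over weeks and tailed by hard deletions, is the signature the investigation above describes.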

USB Device Usage

We also found that he:

  • Inserted a personal USB flash drive into his company laptop
  • Had remnants of deleted OneDrive log files, suggesting active attempts to remove traces of syncing