Microsoft 365 In-Motion

INFORMATION RISK & EXPOSURE REPORT

Where your data lives, moves, and leaks.

A monthly read on Microsoft 365 information risk — what's sensitive, who's moving it, where it's exposed, and what to fix first.

📅  Reporting period — June 2026
3.9K
High-severity incidents
168
Top risky users flagged
104
Mass-download incidents
M365 IN-MOTION · JUNE 2026

SECTION 01 — KEY FINDINGS

Three signals worth a closer look

Automated policies scan every file, message and share across Microsoft 365. This period, three patterns stood out.

01 / 11
3.9K

High Severity Incidents

Policy — Justification requests sent to users who generate high-severity information risks.
168

Top Risky Users

Policy — Weekly email alerts to your organization's highest-risk users.
104

Mass Download Incidents

Policy — Triggers compliance-oriented email alerts.

Each of these is broken down by information category on the next two slides — high-severity incidents trace back to Financial, Legal, HR, Governance and Business data, while mass-download alerts concentrate heavily in Business and HR.

M365 IN-MOTION · JUNE 2026
Page 1 of 11

KEY FINDING 01 — DETAIL

3.9K high-severity incidents, by category

Five information categories account for this period's high-severity volume — shown here against each category's full Low / Medium / High mix.

02 / 11
Financial
1.0K
Legal
269
HR
1.2K
Governance
61
Business
1.3K
High Medium Low share of total flagged events, by category
Business
6,982 events
Legal
6,016 events
HR
4,749 events
Financial
2,077 events
Governance
782 events

Financial data carries the highest risk concentration: 50.4% of flagged financial events are high-severity, versus 4.5% for Legal — the lowest-risk category despite having the second-largest volume.

M365 IN-MOTION · JUNE 2026
Page 2 of 11

KEY FINDING 03 — DETAIL

104 mass-download incidents, by category

Unusually large download activity, flagged per information category this period.

03 / 11
Financial
11
Legal
14
HR
33
Governance
4
Business
42
HOW THIS COMPARES TO HIGH-SEVERITY INCIDENTS
Business
42
HR
33
Legal
14
Financial
11
Governance
4

Business and HR together drive 72% of all mass-download incidents (75 of 104) — the same two categories that also lead in overall data volume on the next slide.

M365 IN-MOTION · JUNE 2026
Page 3 of 11

SECTION 02 — WHAT IS YOUR INFORMATION

324.7K records mapped, by category

Total sensitive & personal information identified across Microsoft 365 this period, broken down by category.

04 / 11
Personal
159.4K
HR
68.5K
Business
54.3K
Legal
24.3K
Financial
13.6K
Governance
4.6K

Personal information alone makes up 49% of everything mapped this period, ahead of HR (68.5K) and Business (54.3K).

M365 IN-MOTION · JUNE 2026
Page 4 of 11

SECTION 02 — DETAIL

What's inside each category

Top sub-types by record count within each information category.

05 / 11

Financial

June 2026
  • Salaries Information4,041
  • Accounting2,894
  • Financial Reports & Planning1,732
  • Banks1,708
  • Employee Costs & Expenditure881
+8 more

Legal

June 2026
  • Legal Letters9,379
  • Agreements9,050
  • Compliance & Assessment Forms4,267
  • Consent Forms1,194
  • Incorporation Documents308
+7 more

HR

June 2026
  • Recruitment41,408
  • Employee Information11,444
  • Diplomas6,452
  • HR Forms1,384
  • Discipline679
+6 more

Governance

June 2026
  • Regulatory Compliance3,577
  • Compliance & Assessment Reports198
  • Board Meetings & Resolutions175
  • Audit Reports158
  • Committee Agendas146
+8 more

Business

June 2026
  • Customers & Suppliers28,674
  • Tenders & Bids10,214
  • Guides6,260
  • Operational Specifics2,800
  • Project Information1,593
+19 more
M365 IN-MOTION · JUNE 2026
Page 5 of 11

SECTION 02 — PERSONAL INFORMATION

PII, PCI, PFI & sensitive personal data

Regulated personal-data identifiers, and personal information that overlaps with another sensitive category — each split by Low / Medium / High severity.

06 / 11

Contains PFI

Out of 17 total events
H 0M 4L 13

Contains PII

Out of 6,421 total events
H 941M 577L 4,903

Contains PCI

Out of 24 total events
H 12M 0L 12
SENSITIVE PERSONAL INFORMATION

Financial

Out of 220 total events
H 200M 11L 9

HR

Out of 1,896 total events
H 1,000M 400L 496

Legal

Out of 108 total events
H 33M 20L 55

Personal

Out of 2,037 total events
H 240M 64L 1,733

Personal information crossing into Financial records is almost entirely high-severity (200 of 220 events) — a small volume, but the riskiest overlap on this slide.

M365 IN-MOTION · JUNE 2026
Page 6 of 11

SECTION 03 — WHERE INFORMATION LIVES

Sensitive data by Microsoft 365 app

Share of all identified sensitive information, by hosting application.

07 / 11
4 apps in scope
38.8%OneDrive
30.9%SharePoint
29.0%Exchange
1.3%Teams

OneDrive and SharePoint together hold 70% of sensitive data — personal drives and document libraries, not email, are where most exposure risk sits.

M365 IN-MOTION · JUNE 2026
Page 7 of 11

SECTION 04 — INFORMATION IN MOTION

Where sensitive information is shared

Sharing events this period, by direction and information category. Darker cells mean higher volume.

08 / 11
Shared by Employees 1K1K2K7682K3K
Shared to Employees 2K2K3K2K3K4K
Shared to Organizations 3427202K1112K2K
Shared to External Contacts 2K3K11K69911K16K
Fewer eventsMore events

External contacts receive the heaviest sharing across nearly every category — including 16K Personal and 11K each for HR and Business — far above any internal channel.

M365 IN-MOTION · JUNE 2026
Page 8 of 11

SECTION 04 — DETAIL

A closer look: PDF exposure

Same four sharing directions, filtered to PDF files only.

Filtered · PDF files · June 2026
09 / 11

Shared By Employees

Financial690
Legal37
HR231
Governance21
Business510
Personal261

Shared To Employees

Financial1,315
Legal111
HR716
Governance89
Business1,755
Personal400

Shared To External Contacts

Financial1,010
Legal24
HR189
Governance19
Business537
Personal209

Shared To Organizations

Financial136
Legal10
HR48
Governance8
Business140
Personal33
M365 IN-MOTION · JUNE 2026
Page 9 of 11

SECTION 05 — RECOMMENDATIONS

Where to focus next

Five actions, drawn directly from this period's data.

10 / 11
1

Automate justification requests for high-risk users

Turn on the playbook that asks users to justify activity the moment it crosses a high-severity threshold — covering the 3.9K incidents this period.

2

Apply Microsoft Purview labels at the source

Auto-apply sensitivity labels (MPIP) to information as it's created or shared, prioritizing the Legal and Governance categories.

3

Review the 104 mass-download incidents

Business (42) and HR (33) account for 72% of this period's alerts — start there.

4

Tighten sharing to external contacts

This is the largest single exposure channel for Personal (16K), HR and Business (11K each) — worth a dedicated DLP rule.

5

Check in on the 168 flagged users

Weekly alerts already surface your highest-risk users — pair that list with a manager-level review this month.

M365 IN-MOTION · JUNE 2026
Page 10 of 11

SUMMARY

June, in three numbers.

324.7K records mapped, four apps carrying nearly all of it, and a handful of categories driving almost every incident. The detail is in the slides — the priorities are on the page before this one.

3.9K
High-severity incidents
168
Top risky users flagged
104
Mass-download incidents
Personal · 159.4KHR · 68.5KBusiness · 54.3KLegal · 24.3KFinancial · 13.6KGovernance · 4.6K
M365 IN-MOTION · JUNE 2026
Page 11 of 11
01 / 12