Cybersecurity

How to better detect data exfiltration events in housing associations

Table of Contents

Data exfiltration is becoming a growing concern for housing associations.

With bad actors getting smarter and focusing on credential harvesting and identity impersonation, the need to protect sensitive data is greater than ever.

Whether it’s tenant information or details about contracts, attackers are looking for ways to extract valuable data from your organisation.

We’ve already covered what data exfiltration means. This blog will walk you through how to better detect data exfiltration events before they escalate. This will help you protect your housing association’s data.

Why housing associations are targeted

detect data exfiltration

Housing associations are prime targets for several reasons.

You’re managing sensitive data. You deal with a wide range of tenants, and often undergoing mergers or working with third-party suppliers. This makes your organisation a lucrative target for cybercriminals.

We discussed this in our recent webinar on Housing Association Cybersecurity Strategy. We explored how attackers target housing associations and the steps you can take to protect your data.

Attackers use multi-layered attacks. This often starts with identity impersonation or credential theft. Once inside, they can exfiltrate data over time, making it difficult to detect in real-time. This slow-drip approach often goes unnoticed until it’s too late.

Your challenge? Spotting these events before they do any real damage.

Understanding the signs of data exfiltration

If you’re going to detect data exfiltration early, you need to knowing the warning signs. Here’s what to look out for.

Unauthorised applications

One of the first things to watch for is unauthorised applications running in your system.

Housing associations often deal with a high volume of applications. Some of these may have overly generous permissions. Attackers can exploit these, which makes it easier to steal data.

Regularly review your application permissions. Look for apps with more access than they need. Flag anything that looks unusual.


Screenshot of the Discovered Apps section in Microsoft Intune, displaying a list of installed applications on managed devices with details such as app name, publisher, version, and number of devices.
This screenshot displays the Discovered Apps screen in Microsoft Intune, where IT administrators can view all applications installed on enrolled devices.

Example: Microsoft Intune

Use case: To monitor and manage applications on enrolled devices across the organization.

How to check for unauthorised apps: In Microsoft Intune, use the Intune Management Extension to discover installed applications on managed devices.

  1. Navigate to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com and sign in with your administrator credentials.
  2. Go to Apps > Monitor > Discovered apps.
  3. Review the list of detected applications, including their names, publishers, versions, and the number of devices on which they are installed.

This allows you to cross-reference the list of discovered applications with your organisation’s approved software list to identify any unauthorised apps.


Screenshot of the Discovered Apps screen in Microsoft Defender for Cloud Apps, showing a list of identified applications with details such as app name, risk level, and user count.
This screenshot displays the Discovered Apps screen in Microsoft Defender for Cloud Apps, where you can review a list of applications identified across your organisation.

Example: Microsoft Defender for Cloud Apps (DfCA)

Use case: To capture discovered applications within the organisation and enable administrators to sanction or unsanction them based on security and compliance policies.

How to check for unauthorised apps: In Microsoft Defender for Cloud Apps, the DfCA component identifies and logs applications that are being used across the network.

  1. Access the Defender for Cloud Apps portal and navigate to the Cloud Discovery Dashboard.
  2. Review the list of discovered applications along with their risk assessments.
  3. Administrators can then evaluate the apps, deciding to sanction (allow) or unsanction (block) based on their compliance with organisational policies.

This process helps ensure that only authorised and secure applications are used within your business environment, minimising the risk of shadow IT and potential security threats.


Unusual data movements

Data exfiltration often involves large, unusual data transfers. This could happen during off-peak hours or times when the workforce is minimal. Holiday periods are a prime example, usually seeing a 30% increase in attacks according to research.

solarwinds data exfiltration attack summary

One of the more notable examples is the SolarWinds attack right before Christmas 2020. Hackers gained entry into networks by getting more than 18,000 private and government users to download a tainted software update. Once inside, they were able to monitor internal emails at some of the top agencies in the US.

Set up alerts for out-of-the-norm data movements. For example, you see massive file transfers in the middle of the night or during long weekends. That could be a red flag.


Example: Microsoft Defender for Cloud Apps

Use case: This tool provides visibility into cloud app usage and can monitor for abnormal activities, such as large file transfers.

How to set up alerts for data movements:

  • In Microsoft Defender for Cloud Apps, go to Control Center > Alerts.
  • Set up Custom Alerts to specify the conditions that would trigger notifications, such as abnormal file transfers or activities that deviate from normal patterns.
  • You can create policies to automatically notify administrators or take action when these unusual activities occur, helping to mitigate potential data breaches or compliance issues.

Time-based evasion

Hackers aren’t just getting in and grabbing data immediately.

They know that your systems are monitoring for unusual behaviour. So, they spread out their activity over weeks or even months. This makes it harder for traditional systems to catch them.

Matt Lovell, CloudGuard CEO and cybersecurity expert, said:

Time-based evasion is one of the most sophisticated tactics we’re seeing in data exfiltration today. Attackers spread their activity over weeks or even months, making it extremely difficult to detect using traditional real-time monitoring. They know how to stay under the radar, which is why it’s critical to track patterns and anomalies over extended periods.

Watch for patterns over time. If a user is slowly pulling out data over an extended period, that’s a strong indicator something’s wrong.


Example: Azure Monitor with Azure Storage Analytics

Use case: If your data is being stored or transferred via Azure, Azure Monitor can track detailed logs about resource usage, while Storage Analytics can give insights into the use of storage accounts.

How to monitor for time-based evasion:

  • Use Azure Storage Analytics logs to track read, write, and delete operations over time.
  • Set up Azure Monitor alerts based on the logs to identify long-term patterns of access. For example, if a user is slowly downloading files from a storage account over time, you can configure alerts that trigger when access patterns become suspicious.

Absent employees

Cybercriminals are opportunistic.

They often strike when key employees are on leave or absent for other reasons. With fewer people around, there’s less chance of detection. Check out our article on Business Email Compromise attacks for an example of this in action.

phishing email example
Example of a Business Email Compromise phishing email

Out of Office messages often contain details about an employee’s absence, such as the reason for their leave or their return date. This information can be used by attackers to impersonate the absent employee or craft convincing phishing emails.

Best practices for secure out-of-office messages

  • Be brief and simply state your absence and return date.
  • Only provide general contacts by sharing a team email or phone number, not individuals.
  • Skip personal details and avoid sharing travel plans or personal info.
  • Use MFA to protect your email with multi-factor authentication.

Example of a unsecure out of office message vs a secure out of office message

Implement strict access controls and log monitoring during these periods. Knowing who has access to what and when is vital to catching unauthorised activity.

Correlating identity protection with data movement

Data exfiltration is often linked to identity theft or misuse.

That’s why correlating identity protection with data movements is crucial. You need to be able to spot if someone is trying to exfiltrate data using stolen credentials immediately.

data exfiltration attack summary on Albyn Housing

Housing associations should focus on identity protection across all touchpoints, including networks, endpoints, and applications.

Tools like SIEM (Security Information and Event Management) allow you to monitor user behaviour and flag unusual activity quickly. By correlating data movements with user identities, you can prevent attackers from blending in with normal users.

Here’s an example. If a user’s accessing sensitive data from an unusual location or device, that should trigger an alert. If you see lateral movement from one system to another without a clear reason, investigate.

Recommending a SIEM solution

For the above, we recommend the Microsoft Sentinel SIEM solution. It offers several key advantages to housing associations.

Diagram of the integration of Microsoft Sentinel and Microsoft XDR.
Diagram of the integration of Microsoft Sentinel and Microsoft XDR for endpoint protection
  • Sentinel collects data across your entire organisation, including cloud, on-premises, and hybrid environments. This gives you a complete view of potential threats.
  • Microsoft Sentinel uses AI and machine learning to detect suspicious activity, helping you catch data exfiltration attempts early.
  • Sentinel allows you to automate incident responses, reducing the time it takes to mitigate risks and their potential impact.
  • It easily integrates with existing Microsoft services like Azure Active Directory and Defender, streamlining identity correlation and threat analysis.
  • Sentinel is built to scale with your organisation. It provides the flexibility needed as your housing association grows.

Microsoft Sentinel was also named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management.

The importance of baselines

You need to know what ‘normal’ looks like in your organisation before you can detect data exfiltration.

That’s where baselines come in. By creating a baseline of usual user behaviour and data access, you’ll be able to set clear tolerance levels.

Start by monitoring how employees interact with your data daily. Over time, you’ll be able to spot anomalies like sudden spikes in data access or new applications being installed without approval.

Once you’ve established a baseline, configure your security systems to flag anything that falls outside of it. This can be especially useful for detection slow exfiltration attempts, where hackers pull out data in small chunks to avoid detection.

Javid Khan, Chief Technology Officer and cyber technology expert said:

Baselines are the cornerstone of our security strategy. They provide a clear understanding of typical user behaviour, enabling us to detect deviations that may indicate a security threat. In a world where attackers continuously adapt, having a solid foundation allows us to stay one step ahead and protect our customers’ most valuable data.

We use Microsoft Defender. Here, you can establish baselines by monitoring users’ normal behaviour patterns.

This allows Defender to automatically detect and flag any unusual or suspicious activity that deviates from these norms.

We’ve also integrated Microsoft Defender into Microsoft Sentinel to enhance detection by correlating identity-based insights with broader security events across your organisation.

Insider threats

While much of the focus is on external threats, insider threats are just as dangerous.

Whether it’s an employee with too much access or someone intentionally leaking data, insider threats are tricky to manage.

download the insider threat attack security checklist

Regularly audit permissions and access levels. Ensure that employees only have access to the data they need for their roles. Pay attention to high-risk users. These are usually people in senior positions, finance, or IT roles who have access to sensitive information.

Monitoring user behaviour can help here too. If someone’s accessing data outside of their usual scope or downloading files they shouldn’t be, it’s time to investigate.

Managing API permissions and third-party risks

API permissions are a growing target for attackers.

A prime example of this is the faulty Peloton API that allowed unauthenticated access to user data.

data exfiltration attack summary on peleton

Like Peleton, many housing associations use third-party apps and services to manage day-to-day operations. These apps often have access to sensitive data.

Regularly review your API permissions. Ensure that any third-party applications only have the permissions they absolutely need.

This is particularly important after mergers or acquisitions, where third-party apps from one entity may still be connected to another.

You should also look at the supply chain.

Often, third-party suppliers are granted access to housing association data. After contracts end or suppliers are replaced, this access should be revoked immediately. If not, it leaves a dangerous security gap that attackers can exploit.

6 ways to better detect data exfiltration in housing associations

  • Regularly review and limit application permissions.
  • Flag large or unexpected transfers, especially during off-hours. API permissions
  • Correlate user identities with data access to catch misuse.
  • Establish normal behaviour baselines to detect anomalies.
  • Audit permissions regularly and monitor high-risk users to minimise insider threat risks
  • Secure your API permissions and limit third-party access. Remember to review permissions after mergers or contract changes.

download the data exfiltration security checklist

Summary

Data exfiltration is a serious threat to housing associations.

The good news? With the right tools and strategies in place, you can detect data exfiltration and stop these attacks before they cause significant damage. The key is being proactive. Monitoring unauthorised applications, setting up baselines, and correlating data access with user identities.

By taking these steps, you can better protect your organisation’s most sensitive data.

Stay vigilant. The more you can spot and prevent these attacks early, the more secure your housing association will be.

Confident you can detect data exfiltraiton? Read our next article on improving your data exfiltration incident response.

Want to learn more?

housing association cybersecurity strategy webinar

Watch our Housing Association Cybersecurity Strategy webinar on-demand.

Author: Thomas Shelton
Share:
Author: Thomas Shelton
Share:

Related Resources

two men talking on a podcast posted on linkedin with a red arrow pointing towards a deepfake
Why Social Engineering Always Works: How Hackers Use Phishing & Deepfakes
We’ve all done the training, so why are attackers still getting through? Attackers no longer rely on bad spelling or suspicious links, they use AI-generated deepfakes and psychological profiling to manipulate people with astonishing precision. By exploiting the brain’s emergency response system, they trigger fear, urgency, or authority to override...
Dark purple background with claude logo and words pro, team and enterprise.
Claude Business Security: Choosing the Right Account for SMBs
When I shared my last article, a few people got in touch asking for a more practical follow-up, specifically around how small teams can use Claude Pro without putting business data at risk. This piece goes step by step through exactly that. Understand what you’re actually adopting Claude Pro is...
Two analysts looking surprised. Purple cyber background with phishing hook.
What Happens After a Phishing Attack? A Real Microsoft 365 Incident Walkthrough
If your organisation thinks a password reset or MFA alone are enough, think again. In this phishing attack breakdown by CloudGuard’s SOC team, Conor and Jon reveal the reality behind an actual breach involving a UK law firm, exposing how hackers use four methods to regain access long after initial...
purple background with computer that says threat from the field in cartoon like design
Cyber Threat Trends Q1 2026: Data Theft, AI Attacks and Emerging Risks
Executive Summary Every 90 days, we review the latest cyber threat trends to identify what IT leaders should learn, where resilience gaps are widening, and what practical actions organisations should take next.  The first quarter of 2026 has been intense. The UK threat picture is not defined by one single...
Microsoft Defender for Cloud
Microsoft Defender for Cloud Cloud environments change fast. New workloads, new services and new risks appear daily, often without full visibility or clear ownership. Microsoft Defender for Cloud provides continuous assessment across Azure, hybrid and multi-cloud environments to help organisations understand and reduce cloud security risk. CloudGuard ensures your cloud...
Woman looking at tablet with cyber imagery across the top.
The Limitations of External Penetration Testing (And What to Do About Them)
Core argument  Traditional internal penetration tests gives executives false confidence because it’s typically scope-limited, scheduled, doesn’t reflect real attacker behaviour and ignores the AI threats with user access. Would you feel comfortable boarding a plane if the pilot had practised emergency landings but had never actually simulated an engine failure?  So, why do businesses specifically exclude their...
CloudGuard logo and Stonewater Housing logo on a pastel purple background
Stonewater Housing Achieves 24/7 Security Monitoring Without Expanding Its IT Team
Image of man with half blue face on left and half red face on right. £20 notes falling in the background.
Date | Time: 24/03/2026 | 12:00 pm
[On Demand] The AI-Enabled Insider Threat: When Trusted Access Becomes Competitive Advantage
Your most trusted employees can now distil years of institutional knowledge in days, sometimes without realising the risk they’re creating. Insider risk has fundamentally changed. We’re past the days of someone copying files onto a USB stick. Today, trusted employees are using AI tools to summarise reports, analyse strategy documents,...
Continuous Security Validation: How to Prove Your Cybersecurity Controls Actually Work
Core argument CISOs are increasingly measured not by the security they implement, but by the breaches they fail to prevent. Most cybersecurity investments create a false sense of protection because they’re never truly tested under realistic conditions.  Zero trust applied new controls but the new wave of Agentic AI solutions will fundamentally...
Get In Touch

Our Cybersecurity Services Can Instantly Improve Your Business’ Security Posture

Complete the form to find out more about any of our one-off or managed cybersecurity services. Not seeing what you’re looking for? Our cybersecurity consultants and MXDR experts are always on-hand to provide the guidance and support you need.