For the past couple of weeks, a user I provide support to has been receiving this email from SharePoint: "Heads up! We noticed that you recently deleted a large number of files from a site."
Indeed, at least once a week, this user, who has administrator privileges, finds themselves deleting a large number of folders, presumably all empty, within 1-2 minutes. However, the user in question is certain that they neither deleted nor moved these folders (and they didn't move the files inside to another path either). There are no retention policies in the Microsoft administration panel that could automatically proceed with the deletion of this large number of folders.
I have already checked the access logs and audit logs, and there are no anomalous accesses that could suggest third-party involvement. Among the audit logs, it doesn't appear that this user has deleted these folders.
I had already opened a ticket with Microsoft support. After confirming that there were no abnormal settings on SharePoint, they recommended disconnecting several devices from SharePoint. (P.S. The user uses Windows OS, and the issue may not be attributable to the antivirus, as such behavior has never been observed for other users in similar conditions to this one.)
So we tried to remove SharePoint synchronization from one of the two devices the user uses, but the behavior persisted.
What could be causing this anomalous deletion of this large number of folders?
- Checked the settings in the SharePoint administration panel.
- Reviewed the audit and access logs of Microsoft 365.
- Examined the audit log of SharePoint.
- Removed the synchronization of OneDrive and SharePoint on one of the user's devices.
- Ensured that the folders were empty. The checked folders that were pulled out of the recycle bin were empty. Additionally, as a test, I created empty folders around the site, and they were all deleted during one of these "waves" of deletions.