diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
new file mode 100644
index 00000000..682f6ddf
--- /dev/null
+++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef3b8cc321fed3031bca6d16d4c35e7de3112ab40ea08f2fca02879a065d8774
+size 503181
diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml
new file mode 100644
index 00000000..a27cd3a1
--- /dev/null
+++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: a5b98f63-2116-4f7d-bd46-228872bc79f8
+date: '2025-01-28'
+description: 'Sample of events when an actor attempts to exfiltrate data from sharepoint using various methods.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
\ No newline at end of file
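Review bot: The first entry under `references:` in the new o365_sus_file_activity.yml, `https://attack.mitre.org/techniques/T1567/exfil`, does not match the MITRE ATT&CK technique URL pattern (technique pages end at the technique id, sub-techniques add a numeric suffix), so it will most likely not resolve to the intended page; `- https://attack.mitre.org/techniques/T1567/` is the canonical link for Exfiltration Over Web Service, and if the sample is meant to map to a specific sub-technique the id should be given there as well. The `description` is generic ("various methods"); for a detection-data descriptor it would help detection authors to name the O365 `Operation` values and the workload the sample actually contains, so the expected events can be matched against the search logic — I cannot confirm those values from the pointer file alone. The hunk also ends with `\ No newline at end of file`; a trailing newline keeps the YAML consistent with the other descriptors and avoids noisy diffs on the next edit.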