Possible Data Exfiltration via Cloud Storage Sync Abuse
ID: e0ac67c9-9959-4395-af52-86439b7c8f44
STIX ID: report--e0ac67c9-9959-4395-af52-86439b7c8f44
Threat Score: 65/100
On 13 April 2026, telemetry showed user m.thornton executing SyncDrivePortable.exe on device RSCH-WS-19, compressing multiple internal project folders into large archives (review_01.zip, review_02.zip, review_03.zip) and synchronizing them to an unsanctioned cloud service (api.syncdrive-files.com, cdn.syncdrive-files.com). The account accessed directories outside the user’s normal role (legal, finance), suggesting possible insider-driven data staging or exfiltration via legitimate tools or after account compromise. Additional investigation is required to determine intent and credential misuse.
