How to Check if Shared Documents Is Exposed: A Practical Security Audit Guide

Written by: Abigail Ivy
Published on:

How to Check if Shared Documents Is Exposed

Shared documents can become exposed through public links, overly broad permissions, misconfigured cloud settings, or accidental indexing.

This guide explains how to check if shared documents is exposed and how to verify access across Google Drive, Microsoft 365, Dropbox, and similar platforms.

What “exposed” means for shared documents

A document is exposed when people who were not intended to access it can view, download, copy, comment on, or edit it.

Exposure can be intentional, such as a public brochure, or accidental, such as a financial report shared with anyone who has the link.

Common exposure scenarios include:

  • Public web access without authentication
  • “Anyone with the link” permissions
  • External sharing with unknown domains
  • Inherited folder permissions that are broader than expected
  • Search engine indexing of publicly accessible files
  • Guest access in collaboration tools

Check the sharing settings at the source

The first place to look is the document’s own sharing panel.

Most modern platforms show exactly who can access the file, whether it is restricted, and whether link sharing is enabled.

Google Drive

  • Open the file and select Share.
  • Check whether access is set to Restricted, Anyone with the link, or Public on the web.
  • Review the list of people, groups, and domains with access.
  • Confirm whether editors can change permissions or reshare the file.

Microsoft 365 and OneDrive

  • Open the document and select Share.
  • Review whether the link is restricted to specific people, people in your organization, or anyone.
  • Check whether download is allowed.
  • Inspect sensitivity labels, expiration settings, and anonymous link policies.

Dropbox

  • Open the file or folder sharing settings.
  • Look for public link sharing, team-only access, or invite-only permissions.
  • Verify whether viewers can download or comment.
  • Check linked folders as well as the file itself.

Review folder inheritance and nested permissions

Many exposure issues happen because files inherit access from parent folders.

A document may appear private on its own, but remain exposed through a shared directory.

To check this, inspect:

  • Parent folder sharing settings
  • Subfolder permissions
  • Inherited access from shared team spaces or shared drives
  • Group memberships that grant access indirectly

In Google Workspace and Microsoft 365, folder inheritance can extend access to many files at once.

If one shared folder is too broad, every document inside it may be exposed.

Test the document from an unprivileged account

A practical way to verify exposure is to use a separate account that should not have access.

This could be a personal email, a test account, or a colleague outside the project.

Use the test account to check whether the file is accessible by:

  • Opening the direct link
  • Searching by file name if the service allows it
  • Attempting to sign in and access the file
  • Downloading the file if access is granted

If the test account can open the file without an explicit invitation, the document is exposed.

If it can only view a web preview but not download, that may still be an unwanted disclosure depending on the content.

Look for public indexing and cached copies

Some documents become visible outside the sharing platform itself.

If a file has been public, search engines or web caches may have indexed it.

Check for exposure by searching:

  • The exact document title in Google or Bing
  • Filename plus a distinctive phrase from the document
  • The file type, such as PDF, DOCX, or XLSX
  • Site-specific queries for cloud domains

Also review whether the platform allows public folder listings or anonymous file pages.

Public documents may be accessible even after sharing settings are changed, until search engine caches are refreshed.

Check audit logs and activity history

Enterprise platforms often provide audit logs that show who accessed a document, when they accessed it, and whether they shared it further.

These logs help determine whether the file has already been exposed in practice.

Look for:

  • First-time access from unfamiliar accounts
  • Downloads or mass downloads
  • Permission changes
  • Link creation and link forwarding
  • Access from unusual locations or devices

In Microsoft 365, Google Workspace, and many document management systems, audit logs can reveal whether sharing settings were changed by an owner, editor, or administrator.

Verify sensitive metadata inside the document

Exposure is not only about the file itself.

The content may contain hidden metadata that reveals authorship, internal comments, tracked changes, or prior revisions.

Inspect for:

  • Document properties and author names
  • Tracked changes and comments
  • Hidden sheets or tabs in spreadsheets
  • Embedded formulas with confidential references
  • File paths, usernames, or system data in metadata

Before sharing externally, remove metadata using built-in document inspection tools or export a clean copy in PDF when appropriate.

Confirm link behavior and access scope

Not all share links behave the same.

A link may be restricted today but later become accessible after a policy change, link reset, or domain-wide update.

Check whether the link:

  • Works without authentication
  • Allows forwarding to other users
  • Expires automatically
  • Is tied to specific recipients
  • Can be indexed or previewed publicly

If a document uses a “secret” link as the only safeguard, treat it as exposed to anyone who obtains the URL.

Link entropy is not a substitute for access control.

Use platform-specific exposure indicators

Different platforms provide different warning signs that help identify exposed files.

  • Google Drive: “Anyone with the link,” “Public on the web,” and domain-sharing indicators
  • Microsoft 365: anonymous links, external guest users, and “people you choose” settings
  • Dropbox: public link pages and shared folder visibility
  • Box: shared link permissions, open access, and collaborator roles
  • SharePoint: site-level sharing policies and inherited permissions

For regulated data, combine these indicators with classification labels, DLP alerts, and access reviews.

How to fix an exposed shared document

If you confirm exposure, reduce access immediately and then validate the change.

  1. Set sharing to restricted or invite-only.
  2. Remove anonymous links and regenerate the URL if needed.
  3. Revoke external collaborators who do not need access.
  4. Check folder-level permissions and remove broad inheritance.
  5. Update group memberships and shared drive roles.
  6. Delete cached public copies where possible.
  7. Review audit logs to confirm the exposure window.

If the document contains personal data, financial records, credentials, legal material, or intellectual property, notify the appropriate security or compliance team according to your incident process.

Prevent future document exposure

Reducing exposure risk requires a mix of policy and user behavior.

Strong defaults matter more than occasional reviews.

  • Disable public sharing unless there is a clear business need
  • Limit “anyone with the link” access
  • Require sign-in for external sharing
  • Use expiration dates for guest access
  • Apply sensitivity labels and DLP rules
  • Review shared folders on a regular schedule
  • Train users to inspect permissions before sending links

Security teams should also run periodic access reviews, monitor sharing events, and test common collaboration platforms for policy drift.

A document is only as private as the broadest permission attached to it.