You could use a Canary / beacon. I have used this before to detect/confirm insider threats in organizations. You could create a PDF with instruction on how to view the data inside the SD. When the attacker opens the document, it would send an alert that the document has been opened.https://canarytokens.org/generate
giantg2|4 years ago
ianmf|4 years ago
IIRC, the way it works: the document contains external resources with a unique identifier attached to the campaign, which the document viewer will attempt to connect and fetch. When the document viewer makes the request to retrieve the online resource, it will trigger the alert, collect IP, GEO information, and whatever other data it can collect.
You can use this over the internet, or host internally for internal networks without access to public internet.