[ianmf]

You could use a Canary / beacon. I have used this before to detect/confirm insider threats in organizations. You could create a PDF with instruction on how to view the data inside the SD. When the attacker opens the document, it would send an alert that the document has been opened.

https://canarytokens.org/generate

[giantg2]

This would be an external threat actor. Would this work over the internet?

[ianmf]

If the attacker opens the document on a computer connected to the internet, it will.

IIRC, the way it works: the document contains external resources with a unique identifier attached to the campaign, which the document viewer will attempt to connect and fetch. When the document viewer makes the request to retrieve the online resource, it will trigger the alert, collect IP, GEO information, and whatever other data it can collect.

You can use this over the internet, or host internally for internal networks without access to public internet.

[giantg2]

Awesome! This sounds great.