Means
Ability to Modify Cloud Resources
Access
Aiding and Abetting
Asset Control
Bluetooth
Bring Your Own Device (BYOD)
Clipboard
FTP Servers
Installed Software
Media Capture
Network Attached Storage
Physical Disk Access
Placement
Printing
Privileged Access
Removable Media
Screenshots
Sensitivity Label Leakage
SMB File Sharing
SSH Servers
System Startup Firmware Access
Unrestricted Software Installation
Unrevoked Access
Web Access
- ID: ME023
- Created: 22nd April 2025
- Updated: 28th April 2025
- Platforms: Android, iOS, Windows, Linux, MacOS,
- Contributor: Ryan Bellows
Sensitivity Label Leakage
Sensitivity label leakage refers to the exposure or misuse of classification metadata, such as Microsoft Purview Information Protection (MIP) sensitivity labels, through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider.
This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content.
Examples of Use:
- An insider accesses file properties on a shared drive to identify documents labeled Highly Confidential with the intention of exfiltrating them later.
- Sensitivity labels are exposed in outbound email headers or logs, revealing the internal classification of attached files.
- Files copied to an unmanaged device retain their label metadata, inadvertently disclosing sensitivity levels if examined later.
Prevention
| ID | Name | Description |
|---|---|---|
| PV012 | End-User Security Awareness Training | Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others. |
| PV016 | Enforce a Data Classification Policy | A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file. |
| PV003 | Enforce an Acceptable Use Policy | An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks. |
| PV001 | No Ready System-Level Mitigation | This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system. |
Detection
| ID | Name | Description |
|---|---|---|
| DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |