Microsoft Exchange Message Trace

A subject uses electronic mail to exfiltrate data. This can be achieved through including data in the email subject line or body, or utilizing email attachments to send files.

A subject engages in unauthorized conduct that amounts to harassment or discriminatory behavior within the workplace, targeting individuals or groups based on protected characteristics, such as race, gender, religion, or other personal attributes. Incidents of harassment and discrimination may expose the organization to legal risks, potential reputational damage, and regulatory penalties. Additionally, individuals affected by such behavior may be at higher risk of retaliating or disengaging from their work, potentially leading to further insider risks.

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

A subject uses organization-managed communication channels to send, distribute, or amplify messages that violate acceptable use expectations, undermine workplace safety, damage operational trust, or create legal, reputational, or personnel risk. This may occur through email, enterprise messaging platforms, collaboration tools, internal forums, ticketing systems, shared document comments, or other corporate communication environments.

A subject exfiltrates information using their corporate-issued mailbox, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another.

The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment.

A subject distributes extremist, radicalizing, terrorist-supportive, or ideologically violent material through organization-managed communication channels. This may include propaganda, manifestos, violent ideological imagery, symbols associated with extremist organizations, recruitment material, or communications endorsing politically, religiously, racially, or ideologically motivated violence.

A subject distributes offensive, graphic, obscene, degrading, or inflammatory material through organization-managed communication channels. This may include content that violates acceptable use expectations, disrupts workplace operations, damages team trust, or creates legal, reputational, or personnel risk.

A subject uses corporate communication channels to send, request, display, or distribute sexually explicit, obscene, or otherwise inappropriate material unrelated to legitimate business activity. This may include explicit images, sexualized comments, unwanted personal advances, or inappropriate jokes distributed through work systems.

A subject uses organization-managed communication channels to send hostile, abusive, coercive, intimidating, or threatening messages to another individual or group. This may include direct insults, aggressive language, repeated disparagement, intimidation, implied retaliation, coercive demands, or threats of professional, personal, or physical harm.