- ID: DT107
- Created: 14th December 2024
- Updated: 14th December 2024
- Contributor: The ITM Team
Microsoft Teams Admin Center Meeting and Call History
From the Microsoft Teams admin center, it is possible to review previous Teams meetings or calls that a user account has joined. These logs include key information such as meeting or call ID, start time, duration, and participants. The purpose of this information is to assist with troubleshooting meeting or call issues; however, investigators can use it to determine when user accounts have participated in meetings or calls.
The following URL can be used to view this activity log, provided the investigator's account has the Microsoft Teams Administrator role assigned, or a role with higher privileges: https://admin.teams.microsoft.com/dashboard
Select Users, Manage Users, then the account being investigated. Click on Meetings & Calls, then scroll to the bottom of the page to view the Past Meetings table. Clicking on a meeting or call ID will provide more detailed information.
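Once the Past Meetings rows for an account have been noted down, they can be lined up against an investigation timeline. The following is an added example, not part of the original page or of any Microsoft tooling: the record layout, field names, accounts and the 08:00 to 18:00 working hours are constructed assumptions, and all times are assumed to be in one timezone.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows, as an investigator might transcribe them from the
# Past Meetings table. Field names and values are assumptions for illustration.
PAST_MEETINGS = [
    {"id": "call-0001", "start": "2024-12-02T09:00:00", "duration_min": 30,
     "participants": ["subject@example.com", "peer1@example.com"]},
    {"id": "call-0002", "start": "2024-12-02T22:45:00", "duration_min": 50,
     "participants": ["subject@example.com", "external@example.net"]},
    {"id": "call-0003", "start": "2024-12-03T14:00:00", "duration_min": 60,
     "participants": ["subject@example.com", "peer1@example.com",
                      "external@example.net"]},
    {"id": "call-0004", "start": "2024-12-05T10:00:00", "duration_min": 15,
     "participants": ["peer1@example.com", "peer2@example.com"]},
]

def meetings_in_window(rows, account, window_start, window_end):
    """Return IDs of meetings the account joined that overlap the window."""
    hits = []
    for row in rows:
        start = datetime.fromisoformat(row["start"])
        end = start + timedelta(minutes=row["duration_min"])
        # Overlap: the meeting starts before the window closes and ends after it opens.
        if account in row["participants"] and start < window_end and end > window_start:
            hits.append(row["id"])
    return hits

def co_participants(rows, account):
    """Count how often each other participant shared a meeting with the account."""
    counts = Counter()
    for row in rows:
        if account in row["participants"]:
            counts.update(p for p in row["participants"] if p != account)
    return counts

def outside_hours(rows, account, day_start=8, day_end=18):
    """Return IDs of the account's meetings that start outside assumed working hours."""
    return [row["id"] for row in rows
            if account in row["participants"]
            and not day_start <= datetime.fromisoformat(row["start"]).hour < day_end]
```

The overlap test uses start time plus duration, so a call that began before the window of interest but was still running inside it is not missed.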
Sections
| ID | Name | Description |
|---|---|---|
| IF021 | Harassment and Discrimination | A subject engages in unauthorized conduct that amounts to harassment or discriminatory behavior within the workplace, targeting individuals or groups based on protected characteristics, such as race, gender, religion, or other personal attributes. Incidents of harassment and discrimination may expose the organization to legal risks, potential reputational damage, and regulatory penalties. Additionally, individuals affected by such behavior may be at higher risk of retaliating or disengaging from their work, potentially leading to further insider risks. |
| ME018 | Aiding and Abetting | An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies. |
| PR022 | Social Engineering (Outbound) | A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization. |
| IF034 | Exfiltration via Automated Transcription | Exfiltration via automated transcription refers to the capture and conversion of spoken information into structured, persistent data through the use of transcription technologies, including AI-enabled note-taking tools, meeting assistants, and speech-to-text systems.<br><br>Unlike traditional media capture techniques, this behavior does not merely reproduce information; it transforms ephemeral verbal communication into searchable, shareable, and analyzable content. This significantly increases the utility and scalability of exfiltrated data, enabling subjects to accumulate large volumes of sensitive information over time with minimal manual effort.<br><br>This technique may occur using external tools operating outside organizational control or through misuse of approved or embedded transcription capabilities within enterprise platforms. As a result, it spans both out-of-band and in-band exfiltration paths, making it distinct from media capture behaviors.<br><br>In addition to software-based transcription tools, subjects may leverage dedicated or repurposed hardware to capture audio streams for later transcription or processing. This includes the use of intermediary devices capable of intercepting microphone input or headphone output, such as inline audio capture adapters, modified peripherals, or secondary recording devices connected to audio interfaces.<br><br>These methods enable the subject to capture high-quality audio directly from system inputs or outputs without relying on visible applications or introducing detectable software artifacts. In such cases, audio may be recorded covertly and later processed through transcription tools outside the organizational environment, further separating the point of capture from the point of transformation and exfiltration.<br><br>Exfiltration via automated transcription is particularly effective in environments where sensitive information is frequently communicated verbally, including strategic discussions, incident response, legal proceedings, and technical collaboration. The presence of this behavior may indicate deliberate collection of high-value conversational intelligence, especially where transcription outputs are retained, aggregated, or transferred beyond approved boundaries.<br><br>From an investigative perspective, this technique introduces a shift from event-based capture to continuous collection, where subjects build structured datasets over time. Detection therefore relies on identifying tool usage, data flows, and the presence of generated artifacts, rather than isolated capture events. |
| MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization. |