Install a Web Proxy Solution

A subject uses an existing, legitimate external Web service to exfiltrate data

A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites.

A subject accesses web content that is deemed inappropriate by the organization.

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

A subject can access the web with an organization device.

A subject is able to access external FTP servers.

A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security.

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://www.dropbox[.]com
• hxxps://drive.google[.]com
• hxxps://onedrive.live[.]com
• hxxps://mega[.]nz
• hxxps://www.icloud[.]com/iclouddrive
• hxxps://www.pcloud[.]com

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://github[.]com
• hxxps://gitlab[.]com
• hxxps://bitbucket[.]org
• hxxps://sourceforge[.]net
• hxxps://aws.amazon[.]com/codecommit

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://pastebin[.]com
• hxxps://hastebin[.]com
• hxxps://privatebin[.]net
• hxxps://controlc[.]com
• hxxps://rentry[.]co
• hxxps://dpaste[.]org

A subject may use an existing, legitimate external Web service to exfiltrate data

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material.

A subject accesses a website that allows for the unauthorized streaming of copyrighted material.

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material.

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law.

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject can access personal webmail services in a browser.

A subject can access personal cloud storage in a browser.

A subject can access websites containing inappropriate content.

A subject can access external note-taking websites (Such as Evernote).

A subject can access external messenger web-applications with the ability to transmit data and/or files.

A subject can access websites used to access or manage code repositories.

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

• hxxps://www.evernote[.]com
• hxxps://keep.google[.]com
• hxxps://www.notion[.]so
• hxxps://www.onenote[.]com
• hxxps://notebook.zoho[.]com

A subject can access external text storage websites, such as Pastebin.

A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

The subject transfers sensitive, proprietary, or classified information into an external generative AI platform through text input, file upload, API integration, or embedded application features. This results in uncontrolled data exposure to third-party environments outside organizational governance, potentially violating confidentiality, regulatory, or contractual obligations.

Characteristics

• Involves manual or automated transfer of sensitive data through:
• Web-based AI interfaces (e.g., ChatGPT, Claude, Gemini).
• Upload of files (e.g., PDFs, DOCX, CSVs) for summarization, parsing, or analysis.
• API calls to generative AI services from scripts or third-party SaaS integrations.
• Embedded AI features inside productivity suites (e.g., Copilot in Microsoft 365, Gemini in Google Workspace).
• Subjects may act with or without malicious intent—motivated by efficiency, convenience, curiosity, or deliberate exfiltration.
• Data transmitted may be stored, cached, logged, or used for model retraining, depending on provider-specific terms of service and API configurations.
• Exfiltration through generative AI channels often evades traditional DLP (Data Loss Prevention) patterns due to novel data formats, variable input methods, and encrypted traffic.

Example Scenario

A subject copies sensitive internal financial projections into a public generative AI chatbot to "optimize" executive presentation materials. The AI provider, per its terms of use, retains inputs for service improvement and model fine-tuning. Sensitive data—now stored outside corporate control—becomes vulnerable to exposure through potential data breaches, subpoena, insider misuse at the service provider, or future unintended model outputs.

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

Characteristics

• Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
• May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
• Often configured to throttle resource usage during business hours to evade human and telemetry detection.
• Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
• Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
• Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.