- ID: PR018.007
- Created: 17th April 2025
- Updated: 22nd April 2025
- Platforms: Windows, Linux, MacOS, iOS, Android
- Contributor: Lawrence Rake
Downgrading Microsoft Information Protection (MIP) labels
A subject may intentionally downgrade the Microsoft Information Protection (MIP) label applied to a file in order to obscure the sensitivity of its contents and bypass security controls. MIP labels are designed to classify and protect files based on their sensitivity—ranging from “Public” to “Highly Confidential”—and are often used to enforce Data Loss Prevention (DLP), access restrictions, encryption, and monitoring policies.
By reducing a file's label classification, the subject may make the file appear innocuous, thus reducing the likelihood of triggering alerts or blocks by email filters, endpoint monitoring tools, or other security mechanisms.
This technique can enable the unauthorized exfiltration or misuse of sensitive data while evading established security measures. It may indicate premeditated policy evasion and can significantly weaken the organization’s data protection posture.
Examples of Use:
- A subject downgrades a financial strategy document from Highly Confidential to Public before emailing it to a personal address, bypassing DLP policies that would normally prevent such transmission.
- A user removes a classification label entirely from an engineering design document to upload it to a non-corporate cloud storage provider without triggering security controls.
- An insider reclassifies multiple project files from Confidential to Internal Use Only to facilitate mass copying to a removable USB device.
Detection Considerations:
- Monitoring for sudden or unexplained MIP label downgrades, especially in proximity to data transfer events (e.g., email sends, cloud uploads, USB copies).
- Correlating audit logs from Microsoft Purview (formerly Microsoft Information Protection) with outbound data transfer events.
- Use of Data Classification Analytics to detect label changes on high-value files without associated business justification.
- Reviewing file access and modification logs to identify users who have altered classification metadata prior to suspicious activity.
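One way to implement the correlation described in the detection considerations above, as an added example that is not part of the original page. The normalized event schema (`type`, `user`, `file`, `old`, `new`, `channel`, `time`), the label ordering and the 30-minute window are assumptions; label audit records and transfer telemetry would need to be mapped into this shape first.

```python
from datetime import datetime, timedelta

# Assumed sensitivity order, lowest first; None (label removed) ranks below all.
LABEL_ORDER = ["Public", "Internal Use Only", "Confidential", "Highly Confidential"]

def rank(label):
    return -1 if label is None else LABEL_ORDER.index(label)

def downgrades_before_transfer(events, window=timedelta(minutes=30)):
    """Return (user, file, old, new, channel, delay) for each outbound transfer
    that follows a label downgrade or removal on the same file by the same user
    within `window`."""
    findings = []
    last_downgrade = {}  # (user, file) -> (time, old_label, new_label)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["file"])
        if ev["type"] == "label_change":
            if rank(ev["new"]) < rank(ev["old"]):
                last_downgrade[key] = (ev["time"], ev["old"], ev["new"])
            else:
                last_downgrade.pop(key, None)  # relabelled upward: clear state
        elif ev["type"] == "transfer" and key in last_downgrade:
            t0, old, new = last_downgrade[key]
            delay = ev["time"] - t0
            if delay <= window:
                findings.append((ev["user"], ev["file"], old, new, ev["channel"], delay))
    return findings

def at(hhmm):
    return datetime.fromisoformat(f"2025-01-15T{hhmm}:00")

# Constructed sample events (hypothetical users and files, not real audit data).
SAMPLE = [
    {"type": "label_change", "user": "user-a", "file": "strategy.xlsx", "old": "Highly Confidential", "new": "Public", "time": at("09:00")},
    {"type": "transfer", "user": "user-a", "file": "strategy.xlsx", "channel": "email_external", "time": at("09:04")},
    {"type": "label_change", "user": "user-b", "file": "design.dwg", "old": "Confidential", "new": None, "time": at("10:00")},
    {"type": "transfer", "user": "user-b", "file": "design.dwg", "channel": "cloud_upload", "time": at("10:10")},
    {"type": "label_change", "user": "user-c", "file": "notes.docx", "old": "Public", "new": "Confidential", "time": at("11:00")},
    {"type": "transfer", "user": "user-c", "file": "notes.docx", "channel": "usb_copy", "time": at("11:05")},
    {"type": "label_change", "user": "user-d", "file": "plan.pptx", "old": "Confidential", "new": "Internal Use Only", "time": at("12:00")},
    {"type": "transfer", "user": "user-d", "file": "plan.pptx", "channel": "usb_copy", "time": at("14:00")},
]

if __name__ == "__main__":
    for finding in downgrades_before_transfer(SAMPLE):
        print(finding)
```

The sample flags the downgrade followed by an external email and the label removal followed by a cloud upload; the upward relabel and the transfer two hours after a downgrade are not reported.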