Firefox Browser History

A subject uses an existing, legitimate external Web service to exfiltrate data

A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites.

A subject accesses web content that is deemed inappropriate by the organization.

A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure.

The infringement may involve:

• Manual download and execution of installer packages
• Use of administrative access to bypass endpoint restrictions
• Cloning or compiling code from external code repositories such as GitHub

While some installations may appear harmless, unapproved software installs can represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or other malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.

A subject uses electronic mail to exfiltrate data.

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

A subject can access the web with an organization device.

A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices.

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

The subject downloads one or more files to a system to access the file or prepare for exfiltration.

A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security.

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://www.dropbox[.]com
• hxxps://drive.google[.]com
• hxxps://onedrive.live[.]com
• hxxps://mega[.]nz
• hxxps://www.icloud[.]com/iclouddrive
• hxxps://www.pcloud[.]com

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://github[.]com
• hxxps://gitlab[.]com
• hxxps://bitbucket[.]org
• hxxps://sourceforge[.]net
• hxxps://aws.amazon[.]com/codecommit

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://pastebin[.]com
• hxxps://hastebin[.]com
• hxxps://privatebin[.]net
• hxxps://controlc[.]com
• hxxps://rentry[.]co
• hxxps://dpaste[.]org

A subject may use an existing, legitimate external Web service to exfiltrate data.

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material.

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material.

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law.

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image.

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

A subject accesses a website that allows for the unauthorized streaming of copyrighted material.

A subject can access personal webmail services in a browser.

A subject can access personal cloud storage in a browser.

A subject can access websites containing inappropriate content.

A subject can access external note-taking websites (Such as Evernote).

A subject can access external messenger web-applications with the ability to transmit data and/or files.

A subject can access websites used to access or manage code repositories.

A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company.

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.

A subject installs software that is not considered appropriate by the organization.

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

• hxxps://www.evernote[.]com
• hxxps://keep.google[.]com
• hxxps://www.notion[.]so
• hxxps://www.onenote[.]com
• hxxps://notebook.zoho[.]com

A subject can access external text storage websites, such as Pastebin.

A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.

The subject grants unauthorized access to organizational collaboration platforms, such as Slack, Microsoft Teams, Confluence, or equivalent tools, thereby exposing them to internal information, workflows, or discussions outside their clearance or role-based access. This behavior may occur by inviting a guest account, elevating access permissions for an existing contact, or bypassing formal onboarding channels to enable out-of-policy access.

Such unauthorized collaboration introduces a high-risk vector for information leakage, intellectual property exposure, and unmonitored data sharing. In many cases, these platforms contain embedded files, chat histories, integration logs, and operational metadata that extend beyond what the subject may intend to share. Even when performed under the guise of productivity or convenience, this behavior constitutes a clear infringement of acceptable use policies and undermines formal access governance structures.

The action is often difficult to detect retrospectively if audit logging for guest access is not enabled or if collaboration platforms lack integration with centralized identity providers. Investigators should consider whether the access was temporary or persistent, and whether the subject demonstrated awareness of the policy violation (e.g., through attempts to obscure or justify the behavior).

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.

A subject embeds data within image files to hide sensitive content and exfiltrate it, in a way that conceals both the data and the act of exfiltration. Unlike encryption alone, this attempts to hide the existence of the data.

Trade-offs

• LSB and EOF: High capacity, low complexity, fragile to inspection
• Transform and Edge-based: Higher stealth, lower capacity, more resilient
• Appended EOF: Minimal technical skill required, common in low-effort exfiltration attempts

A subject uses a cloud collaboration platform, such as Slack, Google Docs, Atlassian Confluence, or Microsoft 365 Online, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://docs.google[.]com
  hxxps://*.slack[.]com (* represents a wildcard, where a workspace name would be present)
  hxxps://word.cloud[.]microsoft
  hxxps://excel.cloud[.]Microsoft
• hxxps://powerpoint.cloud[.]Microsoft
• hxxps://*.atlassian[.]net/wiki/ (* represents a wildcard, where a workspace name would be present)

The organization permits the installation or execution of unapproved browser extensions, introducing a mechanism by which web-accessible systems, authentication workflows, or data transactions can be intercepted, altered, or exploited. These extensions often operate with elevated browser-level permissions, including access to cookies, session tokens, clipboard content, keystrokes, or internal URLs. In environments where business systems are browser-based and authenticated via SSO or tokenized workflows, this exposure enables passive surveillance or active manipulation of sensitive operations.

Unapproved extensions typically fall outside the control perimeter of traditional endpoint detection tools or access control frameworks. When extension installation is user-controlled or unmonitored, it creates a circumstance in which subjects - intentionally or otherwise - can introduce new capabilities for access, data exfiltration, or surveillance. This includes extensions sourced from public repositories, sideloaded packages, or internally developed tools lacking code review or deployment controls.

The presence of ungoverned extension capability constitutes a durable and distributed access mechanism, especially in cloud-forward or hybrid environments where browser access is the primary interface to organizational systems. In many cases, infringement is made possible not by elevated privilege in the operating system, but by the absence of control within the browser execution layer.

The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.

Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g., webRequest, cookies, tabs, clipboardRead) and operate with persistent background scripts that are difficult to detect through normal endpoint monitoring.

This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.

Examples include:

• Installing a GitHub-hosted ChatGPT sidebar extension that silently logs visited URLs and API keys used in developer consoles.
• Deploying a YouTube downloader that injects scripts for ad click fraud or SEO manipulation.
• Using a browser extension to auto-fill forms with personal data, which transmits data to offshore analytics servers.
• Loading unpacked or custom extensions that disguise themselves as utilities but include base64-encoded malware installers.

While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls.

A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.

By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries.

While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.

Technical Method

Both browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:

• Declaring a proxy server IP address or hostname (e.g., 198.51.100.7)
• Assigning a port (e.g., 8080, 3128)
• Specifying bypass rules for local or internal traffic (e.g., localhost, *.corp)

Once defined, the behavior is as follows:

• Outbound Traffic Routing: All HTTP and HTTPS traffic is redirected through the proxy server, often using tunneling methods (e.g., HTTP CONNECT).
• DNS Resolution Shift: The proxy, not the local device, resolves domain names—bypassing internal DNS logging and threat intelligence correlation.
• Destination Obfuscation: To enterprise firewalls, CASBs, and Secure Web Gateways, the endpoint appears to connect only to the proxy—not to actual external services.
• Encrypted Traffic Concealment: If the proxy does not participate in the organization’s SSL inspection chain, encrypted traffic remains opaque and unlogged.
• System-Level Impact: When configured at the OS level, the proxy may affect all applications—not just browsers—expanding the anti-forensic footprint to tools such as command-line utilities, development environments, or exfiltration scripts.

Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.

This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts.

The subject installs and activates browser-based VPN or proxy extensions (such as Hola VPN, Browsec, or ZenMate) to anonymize specific web activity while avoiding host-level detection or access restrictions. These lightweight tools require no administrative privileges and often evade traditional endpoint controls, allowing subjects to selectively obscure browsing sessions, bypass content filtering, or access external services undetected.

Unlike full-system VPN clients, browser-based VPNs operate at the application layer, making them more difficult to inventory, log, or control using conventional network or endpoint defenses. Their use complicates investigative visibility into user intent, session content, and destination domains, particularly when paired with HTTPS encryption or private browsing modes. This technique represents a form of network anti-forensics intended to obscure subject behavior with minimal system footprint or oversight.