Impossible Travel

A subject intentionally provides system or data access to a third party that is not authorized to access it.

The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.

Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls.

The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.

A subject installs a VPN application that allows them to tunnel their traffic.

A subject has access to a VPN application.

Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.

Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.

Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.

Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes.

The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.

Impersonation in this context can be achieved through:

• Lookalike email addresses (e.g., spoofed domains or typo squatting).
• Cloned display names in collaboration tools.
• Shared calendar invites or chats initiated under false authority.
• Use of compromised or unused accounts from real employees, contractors, or vendors.

The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.

Example Scenarios:

• A subject registers a secondary internal email alias (john.smyth@corp-secure.com) closely resembling a senior executive and uses it to request financial data from junior employees.
• A subject joins a sensitive Slack channel using a display name that mimics another department member and quietly monitors ongoing discussions related to mergers and acquisitions activity.
• A compromised service account is used by an insider to initiate SharePoint document shares with external parties, appearing as a legitimate internal action.
• The subject impersonates an IT support contact via Teams or email to socially engineer MFA tokens or password resets.

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.

Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:

• A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
• A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.