- ID: DT110
- Created: 22nd April 2025
- Updated: 22nd April 2025
- Platforms: Windows, MacOS, iOS, Android, Linux
- Contributor: The ITM Team
MIP Label Activity Monitoring
Microsoft Information Protection (MIP) sensitivity labels are metadata-based security attributes applied to files, emails, and other content within Microsoft 365 environments. MIP sensitivity labels act as a form of document-centric access control, embedding security policies directly into files and emails. By tagging content with persistent metadata that enforces encryption, access restrictions, and visual markings, MIP labels ensure that data protection travels with the document—regardless of where it's stored or shared—providing consistent security across organizational and cloud boundaries.
MIP labels are centrally defined through the Microsoft Purview compliance portal and persist within the content itself—stored in metadata streams such as Office document custom properties or XML parts. Labels can be applied manually by users or automatically via content inspection rules, data classification policies, or machine learning models. Once applied, labels can enforce a range of protections, including Azure Information Protection (AIP)-based encryption, visual markings (e.g., headers, footers, watermarks), and access restrictions.
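The paragraph above says the label persists inside the file as custom document properties. The script below, added here as an example and not code from the page or from Microsoft, shows what that looks like on disk: it builds a minimal Office Open XML container in memory whose `docProps/custom.xml` carries the `MSIP_Label_<label-GUID>_<Field>` properties MIP writes, then reads them back the way an endpoint triage or file-scanning job would. The property-naming convention is the documented one; the label GUID, tenant ID, timestamp and label name are constructed placeholders, and the container holds only the custom-properties part, so it is not a document Word would open.

```python
"""Read MIP sensitivity label metadata from an Office Open XML file.

Added example (not the page's or Microsoft's code). It relies on the
convention that MIP stores label state as custom document properties
named MSIP_Label_<label-GUID>_<Field> inside docProps/custom.xml. The
sample document is constructed in memory so the script runs offline;
the GUID and tenant ID below are placeholders, not real identifiers.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # "user defined" property set

# Constructed placeholder identifiers (not real label or tenant IDs).
LABEL_GUID = "11111111-2222-3333-4444-555555555555"
TENANT_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def build_custom_xml(props):
    """Serialise a dict of custom properties into a docProps/custom.xml body."""
    root = ET.Element(f"{{{NS_CUSTOM}}}Properties")
    for pid, (name, value) in enumerate(props.items(), start=2):  # pids start at 2
        prop = ET.SubElement(root, f"{{{NS_CUSTOM}}}property",
                             fmtid=FMTID_USER, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    return ET.tostring(root, encoding="unicode")


def make_sample_docx(label_props):
    """Build a minimal zip container holding only docProps/custom.xml (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", build_custom_xml(label_props))
    return buf.getvalue()


def read_mip_labels(docx_bytes):
    """Return {label_guid: {field: value}} for every MSIP_Label_* property found."""
    labels = defaultdict(dict)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}  # no custom properties part: file carries no MIP label metadata
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{NS_CUSTOM}}}property"):
        name = prop.get("name", "")
        if not name.startswith("MSIP_Label_"):
            continue
        # Shape is MSIP_Label_<guid>_<field>; the GUID itself contains no underscore.
        _, _, rest = name.partition("MSIP_Label_")
        guid, _, field = rest.partition("_")
        value_el = next(iter(prop), None)  # the single vt:* child holds the value
        labels[guid][field] = value_el.text if value_el is not None else ""
    return dict(labels)


def label_summary(docx_bytes):
    """Condense the raw properties into the fields a triage script would log."""
    out = []
    for guid, fields in read_mip_labels(docx_bytes).items():
        out.append({
            "label_id": guid,
            "name": fields.get("Name"),
            "enabled": fields.get("Enabled", "").lower() == "true",
            "tenant": fields.get("SiteId"),
            "set_date": fields.get("SetDate"),
            "method": fields.get("Method"),  # how the label was applied, e.g. "Standard"
        })
    return out


# Constructed sample: one enabled "Highly Confidential" label applied manually.
SAMPLE_DOCX = make_sample_docx({
    f"MSIP_Label_{LABEL_GUID}_Enabled": "true",
    f"MSIP_Label_{LABEL_GUID}_SetDate": "2025-04-22T09:15:00Z",
    f"MSIP_Label_{LABEL_GUID}_Method": "Standard",
    f"MSIP_Label_{LABEL_GUID}_Name": "Highly Confidential",
    f"MSIP_Label_{LABEL_GUID}_SiteId": TENANT_GUID,
})

if __name__ == "__main__":
    for entry in label_summary(SAMPLE_DOCX):
        print(entry)
```

Because the label lives in the file itself, the same parser works on a document pulled from a file share, a mail attachment or an endpoint quarantine folder, which is what makes label state usable as a detection signal outside the Microsoft 365 service boundary.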
Because MIP labels are integrated with Microsoft 365 applications and services, they serve as a powerful mechanism for monitoring and auditing sensitive data handling. Labeling events generate detailed telemetry that can help identify suspicious or non-compliant user behavior, such as:
- Downgrading a file from a more restrictive label (e.g., "Highly Confidential") to a less restrictive one (e.g., "Public") before exfiltration.
- Applying inconsistent labels to similar types of content.
- Bypassing automatic labeling recommendations or ignoring mandatory labeling prompts.
- Accessing or modifying labeled content outside normal working hours or from anomalous locations.
Detection can be implemented across various Microsoft platforms:
- Microsoft Purview (formerly Microsoft 365 Compliance Center) provides audit logs and activity explorer views for label application, modification, and removal.
- Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS) enables near real-time monitoring of MIP label usage across Microsoft 365 and integrated third-party services.
- Microsoft Sentinel can ingest logs from Microsoft Purview, Azure AD, and Microsoft Defender to correlate labeling activity with other insider threat signals.
- Microsoft Defender for Endpoint monitors endpoint behavior, which can be used to identify lateral movement, data access anomalies, or unauthorized label downgrades.
Detection rules can be enriched with user and entity behavior analytics (UEBA), data loss prevention (DLP) events, and identity-based risk signals (e.g., unusual sign-ins or privilege escalations) to increase fidelity and reduce false positives.
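The two lists above describe the raw signal (label downgrade events) and the enrichment that raises fidelity (time-of-day, follow-on activity). The script below, added as an example and not the page's, Microsoft's or the ITM project's code, runs that logic over a constructed unified-audit-log export in Python so it can be executed offline; in production the same rule would be written in KQL for Sentinel or as a Defender for Cloud Apps policy. The record shape (`Operation`, `UserId`, `ObjectId`, `CreationTime`, and `SensitivityLabelEventData` with `OldSensitivityLabelId` and `SensitivityLabelId`) is modelled on the Office 365 Management Activity API sensitivity-label events; treat those field names, the label GUIDs, the business-hours window and the list of follow-on operations as assumptions to check against your own tenant's exports.

```python
"""Flag MIP label downgrades in audit-log records and enrich them.

Added example, not the page's or Microsoft's code. Field names follow the
Office 365 Management Activity API sensitivity-label event shape as the
author understands it and must be verified against a real export. Label
GUIDs, users, file paths and timestamps are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Label order (higher = more restrictive). GUIDs are placeholders; a real
# rule would load these from the tenant's label policy.
LABEL_RANK = {
    "00000000-0000-0000-0000-000000000001": ("Public", 0),
    "00000000-0000-0000-0000-000000000002": ("General", 1),
    "00000000-0000-0000-0000-000000000003": ("Confidential", 2),
    "00000000-0000-0000-0000-000000000004": ("Highly Confidential", 3),
}
BUSINESS_HOURS = range(8, 18)               # UTC, assumed for the example
FOLLOW_UP_WINDOW = timedelta(minutes=30)    # how long after a downgrade to look
FOLLOW_UP_OPS = {"FileDownloaded", "SharingSet", "FileSyncDownloadedFull"}

# Constructed export (newline-delimited JSON): a downgrade at 02:10 UTC
# followed by a download, an in-hours one-step downgrade, and an upgrade.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2025-04-22T02:10:00", "Operation": "SensitivityLabelUpdated",
     "UserId": "bob@example.com", "ObjectId": "https://example.sharepoint.com/sites/fin/q1.xlsx",
     "SensitivityLabelEventData": {"OldSensitivityLabelId": "00000000-0000-0000-0000-000000000004",
                                   "SensitivityLabelId": "00000000-0000-0000-0000-000000000001"}},
    {"CreationTime": "2025-04-22T02:20:00", "Operation": "FileDownloaded",
     "UserId": "bob@example.com", "ObjectId": "https://example.sharepoint.com/sites/fin/q1.xlsx"},
    {"CreationTime": "2025-04-22T10:05:00", "Operation": "SensitivityLabelUpdated",
     "UserId": "alice@example.com", "ObjectId": "https://example.sharepoint.com/sites/hr/plan.docx",
     "SensitivityLabelEventData": {"OldSensitivityLabelId": "00000000-0000-0000-0000-000000000004",
                                   "SensitivityLabelId": "00000000-0000-0000-0000-000000000003"}},
    {"CreationTime": "2025-04-22T11:00:00", "Operation": "SensitivityLabelUpdated",
     "UserId": "carol@example.com", "ObjectId": "https://example.sharepoint.com/sites/eng/spec.docx",
     "SensitivityLabelEventData": {"OldSensitivityLabelId": "00000000-0000-0000-0000-000000000002",
                                   "SensitivityLabelId": "00000000-0000-0000-0000-000000000003"}},
])


def parse_records(jsonl):
    """Parse a newline-delimited JSON export into records sorted by UTC time."""
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Audit CreationTime is UTC without an offset; attach tzinfo explicitly.
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        out.append(rec)
    return sorted(out, key=lambda r: r["_time"])


def label_name(label_id):
    return LABEL_RANK.get(label_id, ("Unknown", None))[0]


def find_downgrades(records):
    """Return one alert per label downgrade, enriched with context-based reasons."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "SensitivityLabelUpdated":
            continue
        data = rec.get("SensitivityLabelEventData", {})
        old_id, new_id = data.get("OldSensitivityLabelId"), data.get("SensitivityLabelId")
        old_rank = LABEL_RANK.get(old_id, (None, None))[1]
        new_rank = LABEL_RANK.get(new_id, (None, None))[1]
        if old_rank is None or new_rank is None or new_rank >= old_rank:
            continue  # unknown label, upgrade or same-order change: not a downgrade
        reasons = []
        if old_rank - new_rank >= 2:
            reasons.append("multi-level downgrade")
        if rec["_time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        # Same user touching the same file with a download/share shortly after.
        follow = sorted({r["Operation"] for r in records
                         if r["UserId"] == rec["UserId"]
                         and r.get("ObjectId") == rec.get("ObjectId")
                         and r["Operation"] in FOLLOW_UP_OPS
                         and rec["_time"] < r["_time"] <= rec["_time"] + FOLLOW_UP_WINDOW})
        if follow:
            reasons.append("followed by " + ", ".join(follow))
        alerts.append({
            "user": rec["UserId"], "file": rec.get("ObjectId"),
            "from": label_name(old_id), "to": label_name(new_id),
            "time": rec["_time"].isoformat(),
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Every downgrade is reported, but only those with corroborating context (several levels at once, off-hours, or a download or share of the same file within the window) are raised to high severity; that split is what keeps a routine "Confidential" to "General" correction from paging an analyst while still surfacing the pattern described in the bullets above.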
Sections
ID | Name | Description |
---|---|---|
PR018.007 | Downgrading Microsoft Information Protection (MIP) labels | A subject may intentionally downgrade the Microsoft Information Protection (MIP) label applied to a file in order to obscure the sensitivity of its contents and bypass security controls. MIP labels are designed to classify and protect files based on their sensitivity—ranging from “Public” to “Highly Confidential”—and are often used to enforce Data Loss Prevention (DLP), access restrictions, encryption, and monitoring policies. By reducing a file's label classification, the subject may make the file appear innocuous, thus reducing the likelihood of triggering alerts or blocks by email filters, endpoint monitoring tools, or other security mechanisms. This technique can enable the unauthorized exfiltration or misuse of sensitive data while evading established security measures. It may indicate premeditated policy evasion and can significantly weaken the organization’s data protection posture. |
ME024.001 | Access to Customer Data | A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration. Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls. In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse. |