On mobile devices managed by Microsoft Intune, and where Protected Apps are being used, it is possible to apply app protection policies to protect corporate data on mobile devices. This functionality can prevent users from copying and pasting corporate data into personal apps.

Sections

ID	Name	Description
ME012	Clipboard	A subject can use the clipboard on a device (copy & paste).
IF001.005	Exfiltration via Note-Taking Web Services	A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized): hxxps://www.evernote[.]com hxxps://keep.google[.]com hxxps://www.notion[.]so hxxps://www.onenote[.]com hxxps://notebook.zoho[.]com
ME004.001	AirDrop	A subject can leverage Apple’s native peer-to-peer file sharing protocol, namely AirDrop - to transfer files directly to nearby personal devices over Bluetooth and Wi-Fi Direct. AirDrop operates on both macOS and iOS, and functions entirely outside routed enterprise networks, bypassing traditional firewall, proxy, or DLP controls. AirDrop sessions are proximity-based, require no shared credentials, and are often enabled by default. When used from a corporate-managed Apple device, AirDrop creates a covert and rapid pathway for off-network data transfer, even when connected to a corporate VPN or secured wireless configuration. Its convenience, invisibility to traditional network monitoring, and inconsistent endpoint logging make it especially attractive to subjects acting opportunistically or preparing for staged exfiltration.

References