Is this Take Away
A week or so ago, I wrote about discovering that files were being removed from my computer after enabling Data Loss Prevention (DLP). The files in question included a medical document, a military document, a banking statement, and a brochure I had downloaded about firewalls. Naturally, this raised concerns about data security and prompted me to investigate what was happening.
During my troubleshooting, I discovered that the application attempting to export my files was none other than Microsoft Edge. Now, before you jump to conclusions, I’m not saying Microsoft is stealing data; it’s widely known that malicious actors often hijack legitimate applications for their purposes. Since Edge isn’t my primary browser, I’d left it largely unconfigured—something that could have contributed to the issue. For the record, I don’t have any add-ons installed on Edge, but I’ve since made some tweaks to make it marginally more secure. However, I’m fully aware that these adjustments won’t entirely stop the files from being exported.
A few days ago, I ran additional tests to see which files were being flagged by DLP rules. Interestingly, my capability statement was flagged, but a personal file that should have matched one of the rules wasn’t. Upon further investigation, I discovered a critical limitation: files smaller than 8KB don’t meet the size requirement for detection and are therefore allowed to be sent. (Pro Tip: Always verify the size thresholds in your DLP settings—it could be a weak link in your security chain.)
Concerned about the potential for sensitive files like my medical records to be shared with unauthorized parties, I returned to the DLP portal to create a more comprehensive rule. I tested the classic wildcard argument *.??? for each file type, hoping to lock things down further. My testing revealed something unsettling: file transfer attempts were triggered when I started closing applications in preparation for shutting down my computer.
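As an added illustration (not code from this post or from any vendor's product), here is a small rule evaluator modelled on the two checks discussed above: a file-name wildcard such as *.??? and a minimum-size threshold before content is inspected. The rule fields, the content pattern and the sample records are my own assumptions. It shows a short medical note slipping past an 8 KB threshold while the same content in a larger file is blocked, and that *.??? never matches four-character extensions such as .docx.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class DlpRule:
    """Hypothetical DLP rule: a file-name glob, a content regex and a size floor."""
    name: str
    file_glob: str        # e.g. "*.???" as tested in the post
    content_pattern: str  # regex that marks the content as sensitive
    min_size_bytes: int   # files below this size are never inspected


def evaluate(rule: DlpRule, filename: str, data: bytes) -> str:
    """Return the decision a rule would make for one file, with the reason."""
    if not fnmatch.fnmatchcase(filename, rule.file_glob):
        return "allowed:glob_mismatch"
    # The size floor is applied BEFORE content inspection, so anything
    # under the threshold is released regardless of what it contains.
    if len(data) < rule.min_size_bytes:
        return "allowed:below_threshold"
    text = data.decode("utf-8", errors="replace")
    if re.search(rule.content_pattern, text):
        return f"blocked:{rule.name}"
    return "allowed:no_match"


# Constructed sample data: a short medical note (well under 8 KB) and the
# same note padded past the threshold.
SMALL_RECORD = b"Patient: J. Doe\nMRN: 123456\nDiagnosis: see attached\n"
LARGE_RECORD = SMALL_RECORD + b"-" * 9000

# Assumed rule with an 8 KB floor (8192 bytes) and the same rule with no floor.
DEFAULT_RULE = DlpRule("medical", "*.???", r"\bMRN:\s*\d{6}\b", 8192)
TIGHT_RULE = DlpRule("medical", "*.???", r"\bMRN:\s*\d{6}\b", 0)


def demo() -> dict:
    """Run the four cases a practitioner would check when tuning the threshold."""
    return {
        "small_default": evaluate(DEFAULT_RULE, "note.txt", SMALL_RECORD),
        "large_default": evaluate(DEFAULT_RULE, "note.txt", LARGE_RECORD),
        "small_tight": evaluate(TIGHT_RULE, "note.txt", SMALL_RECORD),
        "docx_tight": evaluate(TIGHT_RULE, "note.docx", SMALL_RECORD),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Lowering min_size_bytes is only half the fix; the glob also needs to cover extensions longer than three characters, or the rule silently skips them.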
To dig deeper, I used Wireshark to monitor network traffic and traced the IP addresses involved in the file transfers. To my surprise, the IPs were associated with Microsoft services. One file was sent to an Azure IP, and another was sent to an IP linked to Teams. Why these files were routed to Azure and Teams is still a mystery I’m working to unravel.
So, what can you do to protect yourself? First and foremost, enable or install DLP on your system. Many antivirus solutions include it as an added feature, especially in business or professional versions. If you’re part of an organization, your IT team should be able to configure it for you. If you don’t have an IT team or need reliable antivirus software, reach out to me at PacketEx. Let’s get you secured before a data breach becomes your reality.