Handout D: Exfiltration Traffic Analysis
Large group equivalent: This handout maps to artifact cards B-R45-1 + part of C-R23-1.
Outbound HTTPS traffic retrospective and GenixLibrary audit log analysis completed by the network security team at BioGenix Solutions. Data covers 2026-03-20 to 2026-04-16.
Outbound HTTPS Traffic Analysis
| Destination | Resolved IP | Volume | Sessions |
|---|---|---|---|
| graph.microsoft.com | 20.190.159.0 | 43.2 GB | 14,822 |
| login.microsoftonline.com | 20.190.160.1 | 12.4 GB | 8,441 |
| storage.azure.com | 20.150.38.0 | 8.1 GB | 2,104 |
| settings-win.data.microsoft.com | 20.189.173.1 | 4.2 GB | 6,233 |
| definitionupdates.microsoft.com | 20.109.210.0 | 3.8 GB | 412 |
| cs.microsoft.com | 23.47.51.0 | 2.1 GB | 1,847 |
| go.microsoft.com | 23.35.180.0 | 1.4 GB | 944 |
| ctldl.windowsupdate.com | 23.48.23.0 | 0.9 GB | 3,122 |
| storeedgefd.dsx.mp.microsoft.com | 152.199.21.0 | 0.8 GB | 288 |
| dl.delivery.mp.microsoft.com | 152.199.21.0 | 0.6 GB | 44 |
| sensor-vortex.adobe.io | 18.162.88.0 | 0.4 GB | 1,204 |
| cdn.crowdstrike.com | 104.18.204.0 | 0.3 GB | 188 |
| vendor-sync.calisync-gmbh.de | 203.0.113.100 | 0.2 GB | 72 |
| ocsp.digicert.com | 93.184.220.0 | 0.1 GB | 4,811 |
| graph-api-sync.bioanalytics.net | 203.0.113.44 | ~10 GB | 18 |
| onedrive.live.com | 13.107.42.0 | 0.08 GB | 322 |
# TLS certificate detail - graph-api-sync.bioanalytics.net
TLS SNI header presented: graph.microsoft.com
Actual destination hostname: graph-api-sync.bioanalytics.net
Resolved IP: 203.0.113.44
Certificate presented: Self-signed, CN=graph.microsoft.com
Domain registration date: 2025-11-20
Registrar: Concealed via privacy proxy
IM NOTES (Do Not Show to Players):
- The ~10 GB figure across 18 sessions for graph-api-sync.bioanalytics.net represents a volume-to-session ratio that is anomalous compared to every other destination. Microsoft Graph traffic (43 GB / 14,822 sessions) shows the expected pattern: high session count, moderate average volume per session.
- The TLS SNI spoofing is the key to DLP bypass: graph-api-sync.bioanalytics.net presents graph.microsoft.com as the SNI header. DLP-004 allowlists destinations matching the *.microsoft.com SNI pattern, so all 18 sessions were classified as Microsoft telemetry and passed without inspection.
- The domain bioanalytics.net was registered 2025-11-20 via a privacy proxy, consistent with attacker-controlled infrastructure prepared months before the operation.
- Three DLP rules should have caught this activity but all three had gaps: DLP-001 volume threshold was per-day (not per-session), DLP-002 and DLP-003 excluded service accounts, DLP-004 matched on the spoofed SNI header rather than the actual resolved IP.
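The following Python script is an added illustration for facilitators, not part of the handout or of any BioGenix tooling. It scores the outbound HTTPS table on the two signals these notes describe (per-session volume far above the norm, and a presented SNI that does not match the hostname behind the resolved IP) and contrasts DLP-004 as deployed with a form that keys on the actual destination. The rows are constructed from the table above; the SNI is assumed to equal the destination hostname for every row except the documented spoofed one, and the outlier factor and the allowlist model are assumptions.

```python
"""Added example, not part of the handout: score the outbound HTTPS table on
volume-per-session ratio and SNI-vs-destination mismatch, and compare the
DLP-004 allowlist as deployed (SNI-keyed) with a destination-keyed form."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    dest: str       # actual destination hostname (from DNS/proxy logs)
    ip: str         # resolved IP
    gb: float       # total outbound volume, GB
    sessions: int
    sni: str        # SNI presented in the TLS ClientHello


def _row(dest, ip, gb, sessions, sni=None):
    # Assumption: SNI equals the hostname unless the handout says otherwise.
    return Flow(dest, ip, gb, sessions, sni or dest)


# Constructed from the handout's table.
FLOWS = [
    _row("graph.microsoft.com", "20.190.159.0", 43.2, 14822),
    _row("login.microsoftonline.com", "20.190.160.1", 12.4, 8441),
    _row("storage.azure.com", "20.150.38.0", 8.1, 2104),
    _row("settings-win.data.microsoft.com", "20.189.173.1", 4.2, 6233),
    _row("definitionupdates.microsoft.com", "20.109.210.0", 3.8, 412),
    _row("cs.microsoft.com", "23.47.51.0", 2.1, 1847),
    _row("go.microsoft.com", "23.35.180.0", 1.4, 944),
    _row("ctldl.windowsupdate.com", "23.48.23.0", 0.9, 3122),
    _row("storeedgefd.dsx.mp.microsoft.com", "152.199.21.0", 0.8, 288),
    _row("dl.delivery.mp.microsoft.com", "152.199.21.0", 0.6, 44),
    _row("sensor-vortex.adobe.io", "18.162.88.0", 0.4, 1204),
    _row("cdn.crowdstrike.com", "104.18.204.0", 0.3, 188),
    _row("vendor-sync.calisync-gmbh.de", "203.0.113.100", 0.2, 72),
    _row("ocsp.digicert.com", "93.184.220.0", 0.1, 4811),
    # The handout documents this row as presenting a spoofed SNI.
    _row("graph-api-sync.bioanalytics.net", "203.0.113.44", 10.0, 18,
         sni="graph.microsoft.com"),
    _row("onedrive.live.com", "13.107.42.0", 0.08, 322),
]


def mb_per_session(f: Flow) -> float:
    return f.gb * 1024 / f.sessions


def ratio_outliers(flows, factor: float = 20.0):
    """Destinations whose per-session volume exceeds `factor` times the
    median per-session volume across all destinations (factor is assumed)."""
    med = median(mb_per_session(f) for f in flows)
    return [f.dest for f in flows if mb_per_session(f) > factor * med]


def sni_mismatches(flows):
    """Flows whose presented SNI differs from the actual destination hostname."""
    return [(f.dest, f.sni, f.ip) for f in flows if f.sni != f.dest]


def dlp004_allowlisted(f: Flow, match_on: str = "sni") -> bool:
    """Model of DLP-004. As deployed ('sni') it trusts the client-supplied
    SNI; the hardened form ('dest') keys on the hostname the resolved IP
    actually belongs to, so a spoofed SNI no longer matches."""
    name = f.sni if match_on == "sni" else f.dest
    return name == "microsoft.com" or name.endswith(".microsoft.com")


def uninspected_gb(flows, match_on: str = "sni") -> float:
    """Volume that passes without inspection under the given allowlist form."""
    return round(sum(f.gb for f in flows if dlp004_allowlisted(f, match_on)), 1)


if __name__ == "__main__":
    for dest in ratio_outliers(FLOWS):
        print("ratio outlier:", dest, f"{mb_per_session(next(f for f in FLOWS if f.dest == dest)):.0f} MB/session")
    for dest, sni, ip in sni_mismatches(FLOWS):
        print(f"SNI mismatch: {dest} ({ip}) presented SNI {sni}")
    print("uninspected GB with SNI-keyed allowlist:", uninspected_gb(FLOWS))
    print("uninspected GB with destination-keyed allowlist:", uninspected_gb(FLOWS, "dest"))
```

Both checks single out graph-api-sync.bioanalytics.net, and the difference between the two allowlist forms is exactly the ~10 GB that left uninspected; the point for the debrief is that the mismatch check needs a source of truth other than the ClientHello (DNS or proxy logs tied to the resolved IP).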
GenixLibrary Access Log - svc-rdbridge-admin Sessions
GenixLibrary Access Log
Filter: svc-rdbridge-admin off-hours batch reads - Period: 2026-03-20 to 2026-04-16
| Timestamp (UTC) | Account | Action | Dataset | Volume | Session Type |
|---|---|---|---|---|---|
| 2026-03-20 01:24:55 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2022-Q1 | 1.8 GB | Batch |
| 2026-03-27 02:48:11 | svc-rdbridge-admin | READ | Enzyme-Engineering-Core/ProductLine-01 | 1.6 GB | Batch |
| 2026-04-02 00:51:22 | svc-rdbridge-admin | READ | Precision-Fermentation-IP/ActiveProject-01 | 2.0 GB | Batch |
| 2026-04-08 02:14:44 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2023-Q2 | 1.6 GB | Batch |
| 2026-04-14 01:18:07 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.1 GB | Batch |
| 2026-04-15 22:24:33 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.0 GB | Batch [ACTIVE] |
| 2026-04-15 23:48:17 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v2 | 0.8 GB | Batch [ACTIVE] |
DLP Alert Log (svc-rdbridge-admin, same period):
- Microsoft telemetry volume: 0 alerts
- Sensitive file outbound: 0 alerts
- Off-hours data movement: 0 alerts
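As an added facilitator illustration (not part of the handout or of BioGenix's DLP), the following Python script replays the access-log rows above against a model of DLP-001, DLP-002 and DLP-003, first with the gaps the IM notes describe (per-day volume threshold, service accounts excluded) and then in a hardened form, to show why the alert log is empty and what the same rows would produce once the gaps are closed. The log rows are constructed from the table; the thresholds, the business-hours window, the `svc-` naming convention and the sensitive-dataset prefixes are assumptions.

```python
"""Added example, not part of the handout: replay svc-rdbridge-admin reads
against DLP-001/002/003 as deployed (with gaps) and in hardened form."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed: the seven rows of the handout's access-log table.
ACCESS_LOG = """\
| 2026-03-20 01:24:55 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2022-Q1 | 1.8 GB | Batch |
| 2026-03-27 02:48:11 | svc-rdbridge-admin | READ | Enzyme-Engineering-Core/ProductLine-01 | 1.6 GB | Batch |
| 2026-04-02 00:51:22 | svc-rdbridge-admin | READ | Precision-Fermentation-IP/ActiveProject-01 | 2.0 GB | Batch |
| 2026-04-08 02:14:44 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2023-Q2 | 1.6 GB | Batch |
| 2026-04-14 01:18:07 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.1 GB | Batch |
| 2026-04-15 22:24:33 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.0 GB | Batch [ACTIVE] |
| 2026-04-15 23:48:17 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v2 | 0.8 GB | Batch [ACTIVE] |
"""


@dataclass
class Read:
    ts: datetime
    account: str
    action: str
    dataset: str
    gb: float
    session_type: str


def parse_log(text: str):
    """Parse pipe-separated rows in the handout's column order."""
    reads = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        ts, account, action, dataset, vol, stype = cells
        reads.append(Read(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                          account, action, dataset, float(vol.split()[0]), stype))
    return reads


@dataclass
class RuleConfig:
    per_day_gb: Optional[float]      # DLP-001 daily aggregate threshold (None = off)
    per_session_gb: Optional[float]  # DLP-001 per-session threshold (None = off)
    exclude_service_accounts: bool   # DLP-002 / DLP-003 scoping


# Threshold values are assumed; the gap structure follows the IM notes.
AS_DEPLOYED = RuleConfig(per_day_gb=5.0, per_session_gb=None, exclude_service_accounts=True)
HARDENED = RuleConfig(per_day_gb=None, per_session_gb=0.5, exclude_service_accounts=False)

SENSITIVE_PREFIXES = ("Precision-Fermentation-IP/", "GenixLib-Core-Collection")  # assumed
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed window, UTC


def is_service_account(account: str) -> bool:
    return account.startswith("svc-")  # assumed naming convention


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def evaluate(reads, cfg: RuleConfig):
    """Return {rule_id: [alert strings]} for the three rules under cfg."""
    alerts = {"DLP-001": [], "DLP-002": [], "DLP-003": []}
    # DLP-001: volume threshold, applied per day or per session depending on cfg.
    if cfg.per_day_gb is not None:
        daily = defaultdict(float)
        for r in reads:
            daily[(r.account, r.ts.date())] += r.gb
        alerts["DLP-001"] += [f"{a} {d} {gb:.1f} GB/day"
                              for (a, d), gb in daily.items() if gb > cfg.per_day_gb]
    if cfg.per_session_gb is not None:
        alerts["DLP-001"] += [f"{r.account} {r.ts} {r.gb:.1f} GB/session"
                              for r in reads if r.gb > cfg.per_session_gb]
    # DLP-002 and DLP-003 only see accounts that are in scope.
    in_scope = [r for r in reads
                if not (cfg.exclude_service_accounts and is_service_account(r.account))]
    alerts["DLP-002"] += [f"{r.account} {r.ts} {r.dataset}"
                          for r in in_scope if r.dataset.startswith(SENSITIVE_PREFIXES)]
    alerts["DLP-003"] += [f"{r.account} {r.ts} {r.gb:.1f} GB off-hours"
                          for r in in_scope if is_off_hours(r.ts)]
    return alerts


def total_gb(reads, active_only: bool = False) -> float:
    """Volume read over the period, optionally only sessions marked [ACTIVE]."""
    return round(sum(r.gb for r in reads
                     if not active_only or "[ACTIVE]" in r.session_type), 1)


if __name__ == "__main__":
    reads = parse_log(ACCESS_LOG)
    print(f"total {total_gb(reads)} GB, of which {total_gb(reads, True)} GB in sessions still active")
    for name, cfg in (("as deployed", AS_DEPLOYED), ("hardened", HARDENED)):
        print(name, {k: len(v) for k, v in evaluate(reads, cfg).items()})
```

With the deployed configuration every rule returns zero alerts on these rows, reproducing the empty alert log; no single daily total reaches the (assumed) 5 GB threshold even though the account moved 9.9 GB over the period. The hardened configuration fires on every row, which is the layered-controls point for the debrief: each rule closed one gap, and any one of them alone would have surfaced the activity.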
IM Facilitation Notes
- Release at INJ-004, after the traffic retrospective is complete.
- The split between historical exfiltration (~7 GB of older R&D archives across 4 sessions) and active transfers (core IP collections just starting to be targeted, ~1.8 GB transferred) is the key tension: the older data is gone, but the most valuable IP has only just started leaving. This forces an immediate containment decision.
- The DLP alert log with zero detections is a powerful debrief artifact; use it to drive discussion on layered controls and the specific gaps in each rule.
- If participants ask about the scope of GenixLibrary access, answer: the access log analysis is still in progress. This keeps the investigation scope open for advanced challenge play.