Handout D: Exfiltration Traffic Analysis

90-day outbound HTTPS traffic retrospective and GenixLibrary audit log analysis completed by the network security team at BioGenix Solutions. Data covers 2025-12-10 to 2026-03-10.


90-Day Outbound HTTPS Traffic Summary

Outbound HTTPS Traffic Report -- Port 443
Period: 2025-12-10 00:00:00 UTC to 2026-03-10 09:00:00 UTC
Source environment: GENIX-PROD-01 and AZURE-RD-ENV-01

--- Top Destinations by Volume ---

Destination                           Resolved IP        Volume     DLP Classification
graph.microsoft.com                   203.0.113.1        43 GB      Microsoft Telemetry [TRUSTED]
graph-api-sync.bioanalytics.net       203.0.113.44       847 GB     Microsoft Telemetry [TRUSTED]
login.microsoftonline.com             203.0.113.2        12 GB      Microsoft Auth [TRUSTED]
storage.azure.com                     203.0.113.3        8 GB       Azure Storage [TRUSTED]

--- DLP Classification Basis for graph-api-sync.bioanalytics.net ---

TLS SNI header presented:     graph.microsoft.com
Actual destination hostname:  graph-api-sync.bioanalytics.net
Resolved IP:                  203.0.113.44
Certificate presented:        Self-signed, CN=graph.microsoft.com (NOT issued by Microsoft)
DLP action:                   CLASSIFIED AS TRUSTED (SNI header match, certificate not validated)
Domain registration date:     2025-11-20 (4 months ago)
Registrar:                    Concealed via privacy proxy
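The gap in the classification basis above is that the DLP keyed on the SNI string and never checked whether the certificate validated for it or whether the connection actually reached the host the SNI names. The following Python is an added example (not the handout's DLP product or any BioGenix tooling) that places the SNI-only rule next to a hardened one. Hostnames, IPs and the registration date are taken from the handout; the record layout, the NEW_DOMAIN_DAYS policy value and the legitimate session's certificate details are assumptions.

```python
"""Classify an outbound TLS session from what the certificate and DNS
actually say, not from the SNI string alone.

Added example; not the handout's DLP product or BioGenix tooling. The
record layout, NEW_DOMAIN_DAYS and the legitimate session's certificate
details are assumptions; hostnames, IPs and the registration date come
from the handout.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

NEW_DOMAIN_DAYS = 180  # hypothetical policy: flag domains registered fewer than this many days ago
TRUSTED_SNIS = {"graph.microsoft.com", "login.microsoftonline.com", "storage.azure.com"}
AS_OF = date(2026, 3, 10)  # end of the retrospective period


@dataclass
class TlsSession:
    sni: str                    # hostname in the TLS ClientHello (what the DLP keyed on)
    dst_hostname: str           # hostname the connection actually reached (DNS / proxy log)
    dst_ip: str
    cert_subject_cn: str        # CN on the server certificate
    cert_self_signed: bool
    chain_valid: bool           # does the certificate chain to a trusted CA?
    registered: Optional[date]  # registration date of the destination's base domain, if known


# Legitimate session (certificate details assumed) and the spoofed one from the handout
LEGIT = TlsSession("graph.microsoft.com", "graph.microsoft.com", "203.0.113.1",
                   "graph.microsoft.com", False, True, None)
SPOOFED = TlsSession("graph.microsoft.com", "graph-api-sync.bioanalytics.net", "203.0.113.44",
                     "graph.microsoft.com", True, False, date(2025, 11, 20))


def sni_only_verdict(s: TlsSession, trusted_snis) -> str:
    """The rule the handout describes: trust the session if the SNI is on the allow-list."""
    return "TRUSTED" if s.sni in trusted_snis else "UNTRUSTED"


def verdict(s: TlsSession, trusted_snis, today: date):
    """Hardened rule: the SNI counts only when the certificate validates for it
    and the connection really went where the SNI claims. Returns (verdict, reasons)."""
    reasons = []
    if s.sni not in trusted_snis:
        reasons.append("SNI not on allow-list")
    if s.cert_self_signed or not s.chain_valid:
        reasons.append("certificate does not chain to a trusted CA")
    if s.cert_subject_cn != s.sni:
        reasons.append(f"certificate CN {s.cert_subject_cn!r} does not match SNI {s.sni!r}")
    if s.dst_hostname != s.sni:
        reasons.append(f"SNI {s.sni!r} but connection reached {s.dst_hostname!r} ({s.dst_ip})")
    if s.registered is not None:
        age = (today - s.registered).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"destination domain registered {age} days ago")
    return ("TRUSTED" if not reasons else "UNTRUSTED"), reasons


if __name__ == "__main__":
    for name, sess in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, "SNI-only:", sni_only_verdict(sess, TRUSTED_SNIS),
              "| hardened:", verdict(sess, TRUSTED_SNIS, AS_OF))
```

Note that the spoofed session passes the CN check (the self-signed certificate deliberately carries CN=graph.microsoft.com); it is the chain validation, the SNI/destination mismatch and the domain age that separate it from the real endpoint, which is why a control that stops at the SNI string is not a control at all.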

GenixLibrary Audit Log -- Off-Hours Batch Read Sessions

GenixLibrary Access Audit Log
Account: svc-rdbridge-admin
Filter: Off-hours reads (20:00 -- 06:00 UTC), sequential batch patterns
Period: 2025-12-10 to 2026-03-10

Session  Date (UTC)    Start       End         Files Read  Dataset
1        2025-12-10    01:23:14    02:47:09    19          Fermentation-Seq-Archive-2023
2        2025-12-17    03:12:02    04:29:55    21          Enzyme-Engineering-Core-v2
3        2025-12-29    00:45:18    02:11:44    18          Precision-Fermentation-IP-2024
4        2026-01-06    02:08:31    03:34:17    20          GenixLib-Acquisition-Package-v1
5        2026-01-14    01:56:07    03:19:02    22          Fermentation-Seq-Archive-2024
6        2026-01-21    03:30:55    04:52:31    19          Enzyme-Engineering-Core-v3
7        2026-02-03    00:19:22    01:41:08    21          Precision-Fermentation-IP-2025
8        2026-02-11    02:44:48    04:03:39    18          GenixLib-Acquisition-Package-v2
9        2026-02-18    01:30:27    02:55:41    20          Fermentation-Seq-Archive-2025
10       2026-03-04    00:52:44    02:18:29    22          Enzyme-Engineering-Core-v4
...      ...           ...         ...         ...         ...
44       2026-03-09    22:21:04    23:48:32    21          Precision-Fermentation-IP-Current

Total sessions: 44
Total files read: 847

--- DLP Alert Log (same period, svc-rdbridge-admin outbound) ---

Alert                           Count    Disposition
Microsoft telemetry volume      0        N/A -- threshold not triggered (daily cap: 50 GB)
Sensitive file outbound         0        N/A -- classified as internal sync
Off-hours data movement         0        N/A -- account excluded from off-hours policy

IM NOTES (Do Not Show to Players):

  • The 847 GB figure and 44 sessions are correlated: each off-hours session corresponds to a traffic spike to graph-api-sync.bioanalytics.net, and the session timing and outbound volume spikes match within minutes.
  • The GenixLib-Acquisition-Package-v1 and GenixLib-Acquisition-Package-v2 datasets are the due diligence data room packages prepared for the active acquisition – this is the highest-value target from the attacker’s perspective.
  • Three separate DLP rules should have caught this activity but all three had gaps: the volume threshold was per-day (not per-session), the sensitive-file rule classified the transfer as internal sync because the DLP keyed on the SNI header without validating the certificate or the actual destination hostname, and svc-rdbridge-admin was excluded from the off-hours policy as a service account.
  • Players must grapple with a merger governance decision: the acquisition counterparty’s due diligence data has been exfiltrated. This is the scenario’s highest-stakes debrief point.
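For the debrief on the per-day versus per-session volume threshold, the following Python is an added example (not part of the handout or any BioGenix tooling) that correlates audit log read sessions with outbound flow records and runs both rules over the result. Session rows 1 to 3 are taken from the audit log above; every flow record, the 15-minute correlation window and the 10 GB per-session cap are constructed for illustration.

```python
"""Correlate off-hours GenixLibrary read sessions with outbound flow records
and compare a per-day volume cap with a per-session one.

Added example, not part of the handout. Sessions 1-3 are from the audit
log; all flow records and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

GB = 10**9
ACCOUNT = "svc-rdbridge-admin"
SUSPECT_DST = "graph-api-sync.bioanalytics.net"


@dataclass
class ReadSession:
    sid: int
    account: str
    start: datetime
    end: datetime
    files: int
    dataset: str


@dataclass
class Flow:
    ts: datetime      # time the outbound connection was first seen
    account: str      # account the proxy attributed the traffic to
    dst: str          # destination hostname
    bytes_out: int


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Sessions 1-3 from the handout's audit log
SESSIONS = [
    ReadSession(1, ACCOUNT, _dt("2025-12-10 01:23:14"), _dt("2025-12-10 02:47:09"), 19, "Fermentation-Seq-Archive-2023"),
    ReadSession(2, ACCOUNT, _dt("2025-12-17 03:12:02"), _dt("2025-12-17 04:29:55"), 21, "Enzyme-Engineering-Core-v2"),
    ReadSession(3, ACCOUNT, _dt("2025-12-29 00:45:18"), _dt("2025-12-29 02:11:44"), 18, "Precision-Fermentation-IP-2024"),
]

# Constructed flow records: one outbound spike shortly after each session starts,
# plus ordinary daytime traffic that must not be correlated with any session
FLOWS = [
    Flow(_dt("2025-12-10 01:31:00"), ACCOUNT, SUSPECT_DST, 19 * GB),
    Flow(_dt("2025-12-10 09:00:00"), ACCOUNT, "graph.microsoft.com", 2 * GB),
    Flow(_dt("2025-12-12 14:00:00"), ACCOUNT, SUSPECT_DST, 1 * GB),
    Flow(_dt("2025-12-17 03:20:00"), ACCOUNT, SUSPECT_DST, 21 * GB),
    Flow(_dt("2025-12-29 00:53:00"), ACCOUNT, SUSPECT_DST, 18 * GB),
]


def correlate(sessions, flows, dst, window=timedelta(minutes=15)):
    """Pair each session with flows to `dst` from the same account that start
    between (session start - window) and (session end + window)."""
    pairs = []
    for s in sessions:
        for f in flows:
            if (f.dst == dst and f.account == s.account
                    and s.start - window <= f.ts <= s.end + window):
                pairs.append((s.sid, f))
    return pairs


def per_day_alerts(flows, dst, cap_bytes):
    """The handout's DLP rule: total bytes to `dst` per calendar day above the cap."""
    daily = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            daily[f.ts.date()] += f.bytes_out
    return sorted(d for d, total in daily.items() if total > cap_bytes)


def per_session_alerts(sessions, flows, dst, cap_bytes):
    """Per-session rule: bytes to `dst` attributable to one read session above the cap.
    Returns (session id, dataset, bytes) for every session over the cap."""
    volume = defaultdict(int)
    for sid, f in correlate(sessions, flows, dst):
        volume[sid] += f.bytes_out
    by_id = {s.sid: s for s in sessions}
    return [(sid, by_id[sid].dataset, b) for sid, b in sorted(volume.items()) if b > cap_bytes]


if __name__ == "__main__":
    print("per-day alerts (50 GB cap):", per_day_alerts(FLOWS, SUSPECT_DST, 50 * GB))
    for sid, ds, b in per_session_alerts(SESSIONS, FLOWS, SUSPECT_DST, 10 * GB):
        print(f"session {sid} ({ds}): {b / GB:.0f} GB to {SUSPECT_DST}")
```

With these inputs the 50 GB daily cap never fires, exactly as in the DLP alert log, while the per-session rule flags all three sessions and names the dataset each one read. The point for the debrief is that the right aggregation key is the thing the attacker controls least: a single batch read session by one account to one newly registered host, not the calendar day.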

IM Facilitation Notes

  • Release at INJ-004, after the 90-day traffic retrospective is complete.
  • The acquisition data room package datasets are designed to force the hardest merger governance conversation: do you proceed with Friday’s data room meeting, delay it, or disclose the exfiltration to the counterparty before proceeding?
  • The DLP alert log with zero detections is a powerful debrief artifact – use it to drive discussion on layered controls and the specific gaps in each rule.
  • If participants ask whether the attacker had write access to GenixLibrary, answer: write access analysis is still in progress. This keeps the investigation scope open for advanced challenge play.