Data exfiltration is the silent killer in most modern attacks. Whether it’s a ransomware group preparing for double extortion, a nation-state actor stealing intellectual property, or a financially motivated thief harvesting credentials, the moment data leaves your environment is when the real damage begins.
The good news is that exfiltration almost always creates detectable behavioral patterns on both the network and the endpoint, if you know what to look for.
The following lists collect practical indicators drawn from real exfiltration incidents, with examples from previous breaches, that are likely to signal exfiltration in 2026:
Network-Level Behavioral Indicators
These are often the first visible indicators seen by SOC teams.
1. Sudden, unexpected peaks in outbound traffic to non-standard domains or IP ranges (e.g., newly registered domains, Cloudflare/Google/Telegram endpoints, and geographies that are unusual for your organization).
2. Low-and-slow data transfer patterns: small, consistent HTTPS POSTs (100-800 bytes) sent once every few minutes for many hours, typical of stealthy exfiltration.
3. High numbers of DNS queries with long subdomain names, indicative of DNS tunnelling. If you see base64-like strings used as subdomain names, you may be looking at DNS tunnelling.
4. Increased use of legitimate cloud services for exfiltration: unusual upload volumes to OneDrive, Dropbox, Google Drive, GitHub Gists and Pastebin from service accounts.
5. Compression and encoding prior to outbound traffic: processes that begin using 7-Zip/WinRAR/base64 encoding and then open outbound connections.
Practical example from the 2025 healthcare breach: attackers exfiltrated patient data through an HTTPS connection to a legitimate "analytics" subdomain of a Cloudflare domain (50-200 KB per transfer, over 9 days). At first sight the traffic looked like telemetry, but on closer inspection it was a steady stream of patient data.
Endpoint-Level Behavioral Indicators
These behavioral indicators may show up prior to or during network activity:
1. Unusual file access patterns: large numbers of files in sensitive directories (customer databases, SharePoint sync directories, HR files, source repository directories) accessed by processes that don't normally touch them.
2. Processes that read multiple documents and then immediately archive or encode them: if a PowerShell, cmd.exe, or Python/Ruby script has touched a large number of .docx, .xlsx, or .pdf files followed by archiving, that is a WARNING sign.
3. Clipboard monitoring combined with outbound connections: this is very common in Greedy Sponge-style malware. You may see a process access the clipboard and make an HTTPS connection to the outside world soon after.
4. New or modified scheduled tasks / new WMI event subscriptions: attackers use these to stage data before it leaves your organization.
5. Browser or email client processes making unexpected outbound connections: for example, if your browser suddenly connects to a relatively RARE domain after you open the password manager or a corporate portal (Zoom, WebEx, etc.), that is a WARNING signal.
Real example: during a manufacturing breach, attackers used a legitimate backup tool (normally used for nightly jobs) to stage terabytes of CAD files and engineering drawings, then slowly exfiltrated them over several weeks using OneDrive sync. The only visible endpoint sign was the backup process running at odd hours with unusually high network usage.
Rules for Quick Implementation of Detection Features
On Endpoint (Sysmon or EDR):
1. Detect processes that access a high volume of .docx/.xlsx/.pdf files and then compress or encode them.
2. Detect clipboard activity and outbound HTTPS activity within 60 seconds of each other.
3. Detect scheduled tasks created by non-admin users.
On Network (WAF, Firewall, or NDR):
1. Detect HTTPS traffic where the payload is consistently small over extended periods.
2. Alert on DNS queries with high entropy subdomains (common in tunneling).
3. Rate-limit or alert on uploads to consumer cloud services from servers.
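As an added example (not code from the original post), here is a small Python implementation of network rules 1 and 2 run over constructed proxy-log records and DNS names. The thresholds (20 POSTs, a 2-hour span, the 100-800 byte band, a 30-character subdomain, 3.5 bits of entropy) are assumptions you would tune per environment, and the sample records are constructed, not from any real incident.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def shannon_entropy(s):
    """Bits per character; base64-like tunnel labels score well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def suspicious_dns(qname, min_sub_len=30, min_entropy=3.5):
    """Rule 2: flag queries whose subdomain part is both long and high-entropy.
    Assumes the registered domain is the last two labels (a public-suffix list is better)."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    return len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy

def low_and_slow(posts, min_count=20, min_span=timedelta(hours=2),
                 size_range=(100, 800), max_cv=0.5):
    """Rule 1: flag (src, dst) pairs with many small, regularly spaced POSTs over hours.
    posts: iterable of (timestamp, src, dst, body_bytes) from a proxy or NDR log."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in posts:
        by_pair[(src, dst)].append((ts, size))
    flagged = set()
    for pair, events in by_pair.items():
        events.sort()
        if len(events) < min_count or events[-1][0] - events[0][0] < min_span:
            continue
        if not all(size_range[0] <= s <= size_range[1] for _, s in events):
            continue  # payloads outside the small, steady band typical of stealthy exfil
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # low jitter = beacon-like cadence
            flagged.add(pair)
    return flagged

# Constructed sample data: one beaconing pair and one bursty (backup-style) pair.
T0 = datetime(2026, 1, 5, 1, 0, 0)
SAMPLE_POSTS = []
t = T0
for i in range(30):  # 30 POSTs of 250-349 bytes roughly every 5 minutes, over ~2.5 hours
    SAMPLE_POSTS.append((t, "10.0.0.5", "203.0.113.10", 250 + (i * 37) % 100))
    t += timedelta(seconds=300 + (i % 3) * 10)
for i in range(25):  # growing payloads packed into 25 minutes: bulk, not low-and-slow
    SAMPLE_POSTS.append((T0 + timedelta(minutes=i), "10.0.0.7", "198.51.100.4", 100 + i * 200))

if __name__ == "__main__":
    print("low-and-slow pairs:", low_and_slow(SAMPLE_POSTS))
    print(suspicious_dns("aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t1.example.com"))
```

In production, feed real proxy logs and DNS query logs through the same two functions and raise the thresholds until your known-good telemetry stops tripping them.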
Quick Wins You Can Do This Week
1. Enable Sysmon with a good configuration (SwiftOnSecurity or Olaf Hartong configs are excellent starting points) and look for the patterns above.
2. Add basic behavioral rules in your EDR for “mass file access → compression → outbound”.
3. Review egress firewall rules; block or heavily monitor direct uploads to OneDrive, Dropbox, etc. from production servers.
4. Set up a simple weekly report for DNS queries with long subdomains.
Data exfiltration is often the weakest link in the attacker's chain: they have to move the data out eventually. If you focus detection efforts on the behavioral patterns that precede and accompany exfiltration, you can catch many attacks before the real damage is done.
The earlier you detect the “soaking” phase, the better your chances of stopping the full breach.