Mitigating TunnelVision attacks
https://www.bleepingcomputer.com/news/security/new-tunnelvision-attack-leaks-vpn-traffic-using-rogue-dhcp-servers/
A new attack dubbed "TunnelVision" can route traffic outside a VPN's encryption tunnel, allowing attackers to snoop on unencrypted traffic while maintaining the appearance of a secure VPN connection.
The method, described in detail in a report by Leviathan Security, relies on abusing option 121 of the Dynamic Host Configuration Protocol (DHCP), which permits the configuration of classless static routes on a client's system.