Title pretty much covers it. Firewall keeps logging blocked packets to a Mullvad VPN public IP address. (3rd party VPNs are obviously blocked on our network.) Basically all day every day this Mac is connected to the network, it's somehow trying to connect to an IP address for this VPN service.
We have looked for the VPN application multiple times, it's not installed, the user says they don't use that VPN application. But it keeps happening and has been ongoing for weeks now.
Next time, ignore the ‘application’ or ‘brand’ part and go straight to the source: ask the OS who is opening that connection and it will give you the binary responsible. At the end of the day, sockets are just sockets and the OS knows who is using what.
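Added example, not part of the original reply: one way to ask the OS which process owns the socket, by parsing `lsof -nP -i -F pcn` field output and polling until the blocked attempt shows up. The address `203.0.113.45`, the process name `ExampleAgent` and the sample output are constructed; substitute the destination IP from your firewall log.

```shell
#!/usr/bin/env bash
# Map a firewall-logged destination IP to the local process that opens it.

# Read `lsof -F pcn` field output on stdin; print "pid command connection"
# for every socket whose remote end is the given IP.
owners_of_ip() {
  awk -v ip="$1" '
    /^p/ { pid = substr($0, 2); next }   # new process set: remember PID
    /^c/ { cmd = substr($0, 2); next }   # command name for that PID
    /^n/ {
      name = substr($0, 2)
      n = index(name, "->")
      if (n == 0) next                   # listening or unconnected socket
      remote = substr(name, n + 2)
      sub(/:[^:]*$/, "", remote)         # drop trailing :port
      sub(/^\[/, "", remote)             # drop IPv6 brackets
      sub(/\]$/, "", remote)
      if (remote == ip) print pid, cmd, name
    }'
}

# Poll the live socket table. A connection the firewall drops only sits in
# SYN_SENT briefly, so a single lsof run usually misses it.
# sudo is needed to see sockets owned by other users and system daemons.
watch_ip() {
  local ip="$1" hit
  while :; do
    hit=$(sudo lsof -nP -i -F pcn 2>/dev/null | owners_of_ip "$ip")
    if [ -n "$hit" ]; then
      printf '%s %s\n' "$(date '+%F %T')" "$hit"
      ps -p "${hit%% *}" -o comm=        # full path of the owning binary
      return 0
    fi
    sleep 1
  done
}

# Constructed sample of lsof field output, so the parser runs offline.
sample_lsof() {
  printf '%s\n' \
    'p412' 'cmDNSResponder' 'f8' 'n*:5353' \
    'p2291' 'cExampleAgent' 'f23' 'n192.168.1.20:51544->203.0.113.45:443' \
    'p3010' 'cSafari' 'f40' 'n192.168.1.20:51560->198.51.100.7:443'
}

sample_lsof | owners_of_ip 203.0.113.45
# Live use on the affected Mac: watch_ip <IP from the firewall log>
```

The path printed by `ps` identifies the application bundle or daemon to inspect, regardless of what the product is called.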
Yep, I’ve seen this before. Our SWG was reporting queries to Mullvad so I had a look at the individual computers and they had Malwarebytes on them - turns out MBAM has a VPN service on their app that sends queries even if you don’t turn it on.
It was Malwarebytes. Here's a reference link stating it's a 'bug' - Malwarebytes uses Mullvad for a specific thing, when configured to do so (this was also unknown to us), but the bug was causing Malwarebytes to try to contact Mullvad when this special setting was not enabled. New Windows versions of MWB are fixed; maybe new Mac versions of MWB are fixed, we haven't checked. https://forums.malwarebytes.com/topic/315434-communication-with-mullvad-server/