Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

Published: 23/11/2024   Category: security




Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.



Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.
A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.
This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data (email, calendar events, files, etc.) across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.
Recently, for example, Symantec threat hunters discovered a novel malware they call BirdyClient, used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.
Dark Reading is awaiting comment on this story from Microsoft.
Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).
"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."
After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.
Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.
Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.
"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. "And this doesn't just apply to malicious attacks. For example, it's quite common to hear people say that they access their personal OneDrive account from a work network." The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags, he says.
"Look at ensuring that any connections are to your own tenants (accounts that belong to your enterprise) and lock down everything else."
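The tenant check O'Brien describes can be approximated in log review: every Graph API request carries a bearer token whose payload names the issuing tenant (the `tid` claim), so egress-proxy records that retain the token can be sorted into "our tenant" and "everything else". The script below is an added example written for this article, not code from Symantec or Microsoft. The log format, the tenant IDs and the tokens are all constructed for the sample; a real deployment would read its own proxy or Graph activity logs and fill `ALLOWED_TENANTS` with the organization's actual tenant IDs.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional

# Tenant IDs that belong to the enterprise (constructed placeholder values).
CORP_TID = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {CORP_TID}


def _b64url(obj) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_token(tid: str) -> str:
    """Build a constructed, unsigned JWT-shaped token for the sample log only."""
    header = _b64url({"alg": "none"})
    payload = _b64url({"tid": tid, "scp": "Files.ReadWrite"})
    return ".".join([header, payload, "sig"])


def tenant_from_jwt(token: str) -> Optional[str]:
    """Read the 'tid' claim from a JWT payload without verifying the signature.

    This only identifies which tenant issued the token so traffic can be
    sorted by tenant; it is not a trust or authentication decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return claims.get("tid") if isinstance(claims, dict) else None


@dataclass
class Finding:
    timestamp: str
    src: str
    tenant: Optional[str]
    reason: str


def analyze(lines: List[str]) -> List[Finding]:
    """Flag Graph API requests that are not bound to a sanctioned tenant.

    Constructed log format (space separated):
        <timestamp> <src_ip> <method> <host> <path> <bearer_token_or_->
    """
    findings = []
    for line in lines:
        ts, src, _method, host, path, token = line.split(" ", 5)
        if host != "graph.microsoft.com":
            continue  # only Graph traffic is in scope here
        tid = tenant_from_jwt(token)
        if tid is None:
            findings.append(Finding(ts, src, None,
                                    "Graph request without a decodable bearer token"))
        elif tid not in ALLOWED_TENANTS:
            # OneDrive content endpoints are the ones the article's malware
            # families use to move files; call them out explicitly.
            what = "OneDrive file transfer" if "/drive" in path else "Graph request"
            findings.append(Finding(ts, src, tid, f"{what} against unsanctioned tenant"))
    return findings


def hosts_to_review(findings: List[Finding]) -> set:
    """Internal hosts that talked to Graph outside the sanctioned tenant(s)."""
    return {f.src for f in findings}


# Constructed sample log: one sanctioned upload, two transfers by a foreign
# tenant, one non-Graph request, and one Graph request with a malformed token.
OTHER_TID = "deadbeef-0000-0000-0000-000000000000"
SAMPLE_LOG = [
    f"2024-11-21T10:02:11Z 10.0.4.17 PUT graph.microsoft.com /v1.0/me/drive/root:/reports/q3.docx:/content {make_token(CORP_TID)}",
    f"2024-11-21T10:05:42Z 10.0.4.88 PUT graph.microsoft.com /v1.0/me/drive/root:/sync/out.bin:/content {make_token(OTHER_TID)}",
    f"2024-11-21T10:06:03Z 10.0.4.88 GET graph.microsoft.com /v1.0/me/drive/root:/sync/in.bin:/content {make_token(OTHER_TID)}",
    "2024-11-21T10:07:19Z 10.0.4.23 GET www.example.com /index.html -",
    "2024-11-21T10:09:55Z 10.0.4.31 GET graph.microsoft.com /v1.0/me/messages not.a.jwt",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} tenant={f.tenant} {f.reason}")
    print("hosts to review:", sorted(hosts_to_review(analyze(SAMPLE_LOG))))
```

On the sample, the sanctioned upload from 10.0.4.17 passes, both OneDrive transfers from 10.0.4.88 are flagged as belonging to a foreign tenant, and the request from 10.0.4.31 is flagged because its token cannot be attributed to any tenant at all. The same policy can be enforced rather than merely reported by a proxy that applies Microsoft's tenant-restriction headers on outbound Graph and Microsoft 365 traffic; the script is the review-side counterpart for environments that are not yet at that point.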
