In the vast digital landscape where every move is scrutinized, threat actors have found a stealthy ally in the disguise of a legitimate tool: the Microsoft Graph API. This innocent-looking interface, created to help developers access Microsoft cloud services, has evolved into a covert channel for cybercrime.
Recent revelations from Symantec researchers shed light on how attackers exploit the Graph API’s unassuming facade to bypass detection systems. How do they do it? By orchestrating their malicious deeds within the confines of widely used Microsoft cloud services, these threat actors give the impression that their actions are legitimate. This tactic, first spotlighted in October 2021 in Symantec’s report on the Harvester group’s espionage escapades in South Asia, has since become a favored ploy among cybercriminals.
The allure of the Graph API lies not only in its inconspicuous nature but also in its cost-effectiveness and security for attackers. With even basic Microsoft accounts like OneDrive offering free access, cybercriminals find an affordable and secure haven for their operations.
The latest illustration of this type of threat surfaced in Ukraine, where a company was infiltrated by the malware known as BirdyClient. The malware used the Graph API and OneDrive for command and control functions.
Security experts warn that sophisticated actors, including APT28 and APT29, have embraced the Graph API for its ability to camouflage malicious communications within legitimate traffic, making detection a formidable challenge. Eric Schwake of Salt Security emphasizes the API’s rich functionality, providing attackers with a potent toolkit while also underscoring the critical need for organizations to enhance visibility and control over their API usage to thwart such abuses.
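The visibility Schwake calls for starts with asking which processes on the endpoint are actually talking to graph.microsoft.com. The script below is an added example (not code from the article, from Symantec, or from Salt Security) of a simple detection pass over constructed proxy/EDR log lines: it flags Graph traffic from a process outside a sanctioned-client list and Graph requests that arrive at machine-regular intervals, the check-in rhythm a C2 client tends to show. The client allow-list, the JSON log layout and the jitter threshold are assumptions a defender would replace with their own inventory and tuning.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Host that serves the Microsoft Graph API (the endpoint the article's malware abused).
GRAPH_HOSTS = {"graph.microsoft.com"}

# Assumption: processes an organisation expects to talk to Graph. Illustrative only;
# a real list would come from an inventory of sanctioned Microsoft 365 clients.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}

MIN_EVENTS = 5           # need a few samples before judging periodicity
MAX_JITTER_RATIO = 0.10  # stddev/mean of request gaps below this looks machine-timed


def parse_log(text):
    """Parse newline-delimited JSON records (assumed log layout); skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_unexpected_clients(records):
    """Rule 1: Graph traffic from a process that is not a sanctioned client."""
    seen = set()
    findings = []
    for r in records:
        if r["host"] in GRAPH_HOSTS and r["process"].lower() not in EXPECTED_GRAPH_CLIENTS:
            key = (r["user"], r["process"])
            if key not in seen:
                seen.add(key)
                findings.append({"rule": "unexpected_graph_client",
                                 "user": r["user"], "process": r["process"]})
    return findings


def find_beaconing(records):
    """Rule 2: near-constant intervals between Graph requests from one user/process."""
    by_source = defaultdict(list)
    for r in records:
        if r["host"] in GRAPH_HOSTS:
            by_source[(r["user"], r["process"])].append(r["ts"])
    findings = []
    for (user, process), stamps in by_source.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < MAX_JITTER_RATIO:
            findings.append({"rule": "periodic_graph_beacon", "user": user,
                             "process": process, "interval_s": round(avg)})
    return findings


def analyse(text):
    """Run both rules over a log text and return the combined findings."""
    records = parse_log(text)
    return find_unexpected_clients(records) + find_beaconing(records)


# Constructed sample: OneDrive syncing at irregular intervals (benign) and an
# unknown binary polling Graph every 60 seconds (what a C2 check-in tends to look like).
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": t, "host": "graph.microsoft.com", "process": "OneDrive.exe", "user": "alice"})
     for t in (1000, 1017, 1090, 1102, 1250, 1261)]
    + [json.dumps({"ts": 1000 + 60 * i, "host": "graph.microsoft.com", "process": "updater.exe", "user": "alice"})
       for i in range(6)]
    + [json.dumps({"ts": 1005, "host": "example.com", "process": "chrome.exe", "user": "bob"})]
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Neither rule is conclusive on its own: a legitimate automation script will trip the allow-list rule, and a sanctioned client can poll on a timer. The value is in the intersection and in the triage that follows, which is exactly the API-usage visibility the article argues for.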
As the digital battleground evolves, vigilance against these insidious tactics becomes paramount to safeguarding our cyber realms.