Attackers Employ Microsoft Graph API to Evade Detection

In a report dated May 2, Symantec researchers described a concerning trend: attackers are increasingly turning to the Microsoft Graph API, the REST interface developers use to reach resources in Microsoft cloud services such as Microsoft 365, OneDrive and Azure, as a way to stay under the radar of detection systems.

Graph API appeals to malicious actors because traffic to Microsoft's widely used cloud services is routine in most enterprise networks, so command-and-control and exfiltration routed through those services is expected to attract less scrutiny. The tactic first drew attention in October 2021, when Symantec documented the Harvester group, a nation-state-backed espionage outfit targeting organizations in South Asia.

Cheap and Effective Infrastructure

According to the researchers, besides being inconspicuous, Graph API gives attackers cheap infrastructure that is secure from their point of view: the channel is encrypted to a Microsoft endpoint, and basic accounts for services such as OneDrive are available for free.

In the most recent instance of this technique, an attack on an organization in Ukraine used previously undocumented malware that drove Microsoft OneDrive through the Graph API as its command-and-control (C2) channel. Symantec named the new malware BirdyClient, or OneDriveBirdyClient, after references found in its code.

Sophisticated threat actors such as APT28 and APT29 have also adopted Microsoft Graph API, since a legitimate cloud API that every enterprise already talks to makes detection harder and simplifies operations. Callie Guenther, senior manager of threat research at Critical Start, explained that the method gives attackers a stealthy, effective and resilient way to control compromised environments, extract valuable information and persist in target networks while minimizing the risk of exposure.

“Microsoft Graph API is a legitimate, widely used interface that provides access to various Microsoft cloud services, including Office 365 and Azure services,” said Guenther. “By using this API, attackers can blend their malicious communications with normal, legitimate traffic, significantly reducing the likelihood of their activities being detected as anomalous or malicious. This is a classic example of ‘living off the land,’ where attackers use built-in tools and services to hide their activities.”

“Graph API’s rich functionality provides attackers with a powerful toolkit, and compromised credentials can offer easy access to sensitive data,” said Schwke. “Unfortunately, many organizations lack visibility and control over their API usage, making it challenging to identify and prevent such misuse.”
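The visibility gap Schwke describes, and the OneDrive-over-Graph C2 pattern reported against the Ukrainian target, can be hunted for in endpoint telemetry that records which process opened which HTTPS connection and to which URL path. The script below is an added example, not code from the article, from Symantec or from any vendor. Its log format, host names, process names, timestamps and the process allowlist are all constructed for illustration; only the Graph API host names and the OneDrive `/drive/.../content` path shape are taken from Microsoft's public API. It applies two rules: a process outside the allowlist talking to Graph at all, and a process that reads or writes OneDrive file content at near-constant intervals, the polling signature of a file-based C2 channel.

```python
"""Hunt for Graph API abuse in endpoint network telemetry (added example).

Log format is constructed for this example: one JSON object per line,
representing an outbound HTTPS request observed by an endpoint agent with
URL visibility. The process allowlist is an illustrative assumption and
must be baselined per environment.
"""
from collections import defaultdict
from datetime import datetime
import json
import re
import statistics

# Public Graph API endpoints (global, US government, China clouds).
GRAPH_HOSTS = {
    "graph.microsoft.com",
    "graph.microsoft.us",
    "microsoftgraph.chinacloudapi.cn",
}

# Assumption: processes expected to call Graph on a managed Windows host.
EXPECTED_GRAPH_PROCESSES = {
    "outlook.exe", "ms-teams.exe", "teams.exe", "onedrive.exe",
    "msedge.exe", "officeclicktorun.exe", "searchhost.exe",
}

# OneDrive/SharePoint file content reads and writes, e.g.
# /v1.0/me/drive/root:/dir/file.bin:/content or /v1.0/drives/{id}/items/{id}/content
DRIVE_CONTENT_RE = re.compile(r"/drives?/.*/content(\?|$)")

# Constructed sample: legitimate Office traffic plus an unlisted binary
# polling the same OneDrive file roughly once a minute.
SAMPLE_LOG = """\
{"ts":"2024-05-02T09:00:00Z","host":"WS-0142","process":"outlook.exe","dst":"graph.microsoft.com","path":"/v1.0/me/messages"}
{"ts":"2024-05-02T09:00:05Z","host":"WS-0142","process":"onedrive.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root/delta"}
{"ts":"2024-05-02T09:01:00Z","host":"WS-0142","process":"updater.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/sync/tasks.bin:/content"}
{"ts":"2024-05-02T09:02:00Z","host":"WS-0142","process":"updater.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/sync/tasks.bin:/content"}
{"ts":"2024-05-02T09:03:01Z","host":"WS-0142","process":"updater.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/sync/tasks.bin:/content"}
{"ts":"2024-05-02T09:04:00Z","host":"WS-0142","process":"updater.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/sync/result.bin:/content"}
{"ts":"2024-05-02T09:04:30Z","host":"WS-0142","process":"msedge.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Documents/report.docx:/content"}
{"ts":"2024-05-02T09:05:00Z","host":"WS-0142","process":"updater.exe","dst":"graph.microsoft.com","path":"/v1.0/me/drive/root:/sync/tasks.bin:/content"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def unexpected_graph_clients(records):
    """Rule 1: any (host, process) outside the allowlist that talks to Graph."""
    return sorted({
        (r["host"], r["process"])
        for r in records
        if r["dst"] in GRAPH_HOSTS
        and r["process"].lower() not in EXPECTED_GRAPH_PROCESSES
    })


def beaconing_drive_access(records, min_requests=4, max_jitter=0.2):
    """Rule 2: repeated OneDrive content access at near-constant intervals.

    Returns (host, process, mean_interval_seconds) for each series with at
    least min_requests hits whose interval coefficient of variation is at
    most max_jitter. Interactive users do not fetch files on a metronome.
    """
    series = defaultdict(list)
    for r in records:
        if r["dst"] in GRAPH_HOSTS and DRIVE_CONTENT_RE.search(r["path"]):
            series[(r["host"], r["process"])].append(r["ts"])
    hits = []
    for (host, proc), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            hits.append((host, proc, round(mean, 1)))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, proc in unexpected_graph_clients(recs):
        print(f"[rule1] unlisted Graph client {proc} on {host}")
    for host, proc, interval in beaconing_drive_access(recs):
        print(f"[rule2] {proc} on {host} polls OneDrive content every ~{interval}s")
```

On the constructed sample, both rules single out `updater.exe` on `WS-0142` (rule 2 reports a 60-second cadence), while Outlook, the OneDrive sync client and a one-off Edge download pass. Two caveats apply in practice: a process name is trivially spoofed, so pair rule 1 with signer or hash information from the agent, and the rules only see the endpoint side. The cloud side of the same channel shows up in Entra ID sign-in and OAuth consent records as a Graph-capable application or account the organization never approved, which is where the API-usage visibility Schwke calls for has to start.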
