
Attackers evade detection by leveraging Microsoft Graph API


Attackers have been observed evading detection by abusing the Microsoft Graph API, the interface developers use to access resources in Microsoft cloud services.

In a May 2 blog post, Symantec researchers said attackers are drawn to Graph API because they believe that routing their activity through known entities such as widely used Microsoft cloud services is less likely to raise suspicion.

This technique was first brought to light in October 2021, when Symantec reported on the Harvester group, a nation-state-backed espionage operation that targeted organizations in South Asia.

The researchers said that, in addition to being inconspicuous, it is also a cheap and reliable source of infrastructure for attackers, because basic accounts for services such as Microsoft OneDrive are free.

Graph API was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used Microsoft Graph API to leverage Microsoft OneDrive for command-and-control (C2) purposes. Symantec said the new malware found in Ukraine was named BirdyClient or OneDriveBirdyClient by its developers because references to both names were found in its code.

Sophisticated actors such as APT28, APT29, and others have adopted the use of Microsoft Graph API in their operations because of several inherent features that make it an effective means for evading detection and facilitating malicious operations, explained Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist. Guenther said this method offers a stealthy, effective, and resilient way to control compromised environments, extract valuable information, and maintain persistence in target networks with reduced risk of exposure.

“Microsoft Graph API is a legitimate, widely used interface that provides access to various Microsoft cloud services, including Office 365 and Azure services,” said Guenther. “By using this API, attackers can blend their malicious communications with normal, legitimate traffic, significantly reducing the likelihood of their activities being detected as anomalous or malicious. This is a classic example of ‘living off the land,’ where attackers use built-in tools and services to hide their activities.”

Attackers use Microsoft Graph API to hide their malicious activities and make them appear as legitimate traffic, explained Eric Schwake, director of cybersecurity strategy at Salt Security, thus making it difficult for traditional security tools to detect such activities. Schwake added that attackers can also use Microsoft's cloud infrastructure for C2 communication, which further conceals their activity as Microsoft services are often trusted.

“Graph API's rich functionality provides attackers with a powerful toolkit, and compromised credentials can offer easy access to sensitive data,” said Schwake. “Unfortunately, many organizations lack visibility and control over their API usage, making it challenging to identify and prevent such misuse.”
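The visibility gap Schwake describes is tractable once Graph traffic is logged and baselined. The script below is an added example written for this article, not code from Symantec, SC Media or the quoted researchers: it runs over a handful of constructed proxy log lines and flags OneDrive-over-Graph requests that come from a client the organization has not seen before, or that arrive on a fixed interval the way a polling C2 implant would. The JSON-per-line log format, the list of "known client" user-agent prefixes and the beaconing thresholds are all assumptions for the demonstration; a real deployment would derive the baseline from its own history and could apply the same logic to Entra ID sign-in or Graph activity logs keyed on application ID rather than user agent.

```python
"""Hunt for OneDrive-over-Graph traffic that does not look like a normal client.

Added illustrative example (not Symantec's, SC Media's or Microsoft's code).
Field names, the known-client list and the beacon thresholds are assumptions.
"""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: one JSON record per line in a hypothetical proxy format.
# ws-077 polls a single OneDrive file every 30 s from a scripting client; ws-042
# is an ordinary sync client; ws-101 touches Graph mail, not OneDrive.
SAMPLE_LOG = """\
{"ts":"2024-05-02T09:00:00Z","src":"ws-042","ua":"Microsoft SkyDriveSync 24.050.0310.0001","url":"https://graph.microsoft.com/v1.0/me/drive/root/children"}
{"ts":"2024-05-02T09:00:01Z","src":"ws-042","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123.0","url":"https://www.example.com/"}
{"ts":"2024-05-02T09:00:05Z","src":"ws-077","ua":"python-requests/2.31","url":"https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content"}
{"ts":"2024-05-02T09:00:35Z","src":"ws-077","ua":"python-requests/2.31","url":"https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content"}
{"ts":"2024-05-02T09:01:05Z","src":"ws-077","ua":"python-requests/2.31","url":"https://graph.microsoft.com/v1.0/me/drive/root:/result.bin:/content"}
{"ts":"2024-05-02T09:01:35Z","src":"ws-077","ua":"python-requests/2.31","url":"https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content"}
{"ts":"2024-05-02T09:10:00Z","src":"ws-042","ua":"Microsoft SkyDriveSync 24.050.0310.0001","url":"https://graph.microsoft.com/v1.0/me/drive/root:/Documents/report.docx:/content"}
{"ts":"2024-05-02T09:12:00Z","src":"ws-101","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/123.0","url":"https://graph.microsoft.com/v1.0/me/messages"}
"""

GRAPH_HOST = "graph.microsoft.com"
DRIVE_PATH = re.compile(r"/drives?(?:/|$)")   # /me/drive/..., /drives/{id}/...
# Assumed baseline: user-agent prefixes this org has already seen using OneDrive via
# Graph. User agents can be spoofed, so this is a baselining signal, not proof.
KNOWN_CLIENT_PREFIXES = ("Microsoft SkyDriveSync", "Microsoft Office", "Mozilla/")
BEACON_MIN_REQUESTS = 3   # assumed: need at least three requests to judge regularity
BEACON_MAX_CV = 0.2       # assumed: stdev/mean of inter-request gaps at or below this


def parse_log(text):
    """Parse JSON-per-line records, converting 'ts' to timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def is_graph_drive_request(url):
    """True for requests to Graph's OneDrive (drive/drives) resources."""
    p = urlparse(url)
    return p.hostname == GRAPH_HOST and DRIVE_PATH.search(p.path) is not None


def is_known_client(ua):
    return ua.startswith(KNOWN_CLIENT_PREFIXES)


def hunt(text):
    """Return {'unknown_client': [(src, ua, count)], 'beacon': [(src, ua, mean_gap_s)]}."""
    events = [e for e in parse_log(text) if is_graph_drive_request(e["url"])]
    by_client = defaultdict(list)
    for e in events:
        by_client[(e["src"], e["ua"])].append(e["ts"])

    findings = {"unknown_client": [], "beacon": []}
    for (src, ua), stamps in sorted(by_client.items()):
        if not is_known_client(ua):
            findings["unknown_client"].append((src, ua, len(stamps)))
        if len(stamps) >= BEACON_MIN_REQUESTS:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if cv <= BEACON_MAX_CV:
                findings["beacon"].append((src, ua, round(mean, 1)))
    return findings


if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the constructed sample only ws-077 is reported, on both counts: its user agent is outside the baseline, and its four requests to the same OneDrive path are spaced exactly 30 seconds apart. The sync client on ws-042 and the mail call from ws-101 produce nothing, which is the point of keying the hunt to OneDrive resources and to per-host regularity rather than to graph.microsoft.com as a whole, since blocking or alerting on the domain itself would drown the finding in legitimate Office traffic.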
