Defending Against Cyber Threats Leveraging Microsoft Graph API
20 May 2024
There has been a rising number of reports involving cybercriminals leveraging Microsoft Graph Application Programming Interface (API) to communicate with and host their command-and-control (C2) infrastructure on Microsoft cloud services. Microsoft Graph API enables developers to access Microsoft services and data, such as Outlook, OneDrive, SharePoint, and Teams, through a single endpoint. This allows developers to optimise their development processes by integrating various Microsoft services into their own applications.
Due to the extensive functionality and integration capabilities of Microsoft Graph API with various Microsoft services, it is reportedly being actively abused by cybercriminals to facilitate living-off-the-land attacks. By leveraging Microsoft Graph API, cybercriminals are able to conduct malicious activities within the infrastructure of legitimate applications and services, thus successfully blending their activities with legitimate traffic. For instance, after successfully compromising a device, cybercriminals can deploy malware that establishes a connection to the Microsoft Graph API to utilise OneDrive, a platform typically used for legitimate functions like file transfer, as a C2 server for uploading and downloading malicious files.
Administrators may wish to consider tracking and blocking the Indicators of Compromise (IOCs) associated with malware exploiting Microsoft Graph API. Possible IOCs (non-exhaustive) associated with the related malware are shown in the table below:
Malware | SHA256 |
---|---|
BirdyClient | afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e |
Bluelight | 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 |
Graphon | 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3 |
Graphite | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 |
Graphican | 4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5 |
SiestaGraph | 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf |
Organisations may also consider implementing the following preventive measures to strengthen their cybersecurity posture and bolster their defences to protect themselves from such incidents:
• Monitor inbound and outbound network traffic for suspicious communications
• Configure firewall rules to block outbound connections to IP addresses associated with C2 servers
• Use Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) to detect and block suspicious traffic
• Implement strict access controls based on employees' roles and responsibilities to prevent unauthorised access to Microsoft cloud platforms
• Regularly monitor all Microsoft user accounts and disable inactive accounts
• Update systems, applications and software to the latest version and download the latest security patches
• Deploy Endpoint Detection and Response (EDR) solutions to detect and prevent malware from attempting to establish communications with C2 servers
• Install anti-virus/anti-malware software and keep the software (and its definition files) updated. Perform a scan of the systems and networks regularly and scan all received files
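To illustrate the traffic-monitoring and IOC-tracking measures above in practice, here is an added example that is not part of this advisory. It loads the SHA256 values from the table, then scans proxy log lines for Graph API traffic from user agents outside an allowlist, flagging OneDrive writes in particular; the log layout and the allowlist are constructed assumptions, and only the hashes come from the page.

```python
import hashlib
import re
# SHA256 IOCs taken from the advisory's table above, keyed by hash.
GRAPH_API_MALWARE_IOCS = {
    "afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e": "BirdyClient",
    "5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6": "Bluelight",
    "470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3": "Graphon",
    "f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231": "Graphite",
    "4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5": "Graphican",
    "1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf": "SiestaGraph",
}
# Graph API host plus the token endpoint clients use to authenticate to it.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Hypothetical allowlist: user agents the organisation has approved to reach Graph.
APPROVED_AGENT_PREFIXES = ("Microsoft Office/", "Microsoft Teams/", "OneDrive/")
# Constructed proxy log layout: time src_ip "user-agent" method host path bytes_out
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<agent>[^"]*)" (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<path>\S+) (?P<bytes_out>\d+)$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_graph_requests(lines):
    """Return (src, agent, reason) for Graph traffic from agents not on the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["host"] not in GRAPH_HOSTS:
            continue
        if rec["agent"].startswith(APPROVED_AGENT_PREFIXES):
            continue
        reason = "unapproved agent to Graph"
        # A write into OneDrive from such an agent matches the C2 file-drop pattern.
        if rec["method"] in ("PUT", "POST") and "/drive" in rec["path"]:
            reason += "; OneDrive write"
        hits.append((rec["src"], rec["agent"], reason))
    return hits

def match_ioc(data: bytes):
    """Return the malware family if the SHA256 of data is in the advisory's IOC list."""
    return GRAPH_API_MALWARE_IOCS.get(hashlib.sha256(data).hexdigest())
# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2024-05-20T09:03:11Z 10.0.0.7 "python-requests/2.31" PUT graph.microsoft.com /v1.0/me/drive/root:/u.bin:/content 40960',
    '2024-05-20T09:04:00Z 10.0.0.7 "python-requests/2.31" POST login.microsoftonline.com /common/oauth2/v2.0/token 300',
    '2024-05-20T09:05:30Z 10.0.0.9 "OneDrive/24.0" GET graph.microsoft.com /v1.0/me/drive/root/children 2048',
]
```

Calling `suspicious_graph_requests(SAMPLE_LOG)` flags both requests from 10.0.0.7 and leaves the approved OneDrive client alone; `match_ioc` takes file bytes so the same IOC set can be checked against quarantined samples.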
References:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats
https://www.scmagazine.com/news/attackers-evade-detection-by-leveraging-microsoft-graph-api