Graph: Growing number of threats leveraging Microsoft API

May 3, 2024, 9:47 a.m.

Description

An increasing number of cyber threats have adopted the use of the Microsoft Graph API to facilitate covert communications with command-and-control infrastructure hosted on Microsoft cloud services. This technique helps attackers blend in with legitimate traffic to cloud platforms and obtain infrastructure at low cost.

External References

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats
https://otx.alienvault.com/pulse/6634a8d8731e63a10976c584
Tags
espionage
2024-05-03
graphican
ketrican
bs2005
graphite
bluelight
siestagraph
onedrivebirdyclient
graphon
birdyclient

Date

  • Created: May 3, 2024, 9:05 a.m.
  • Published: May 3, 2024, 9:05 a.m.
  • Modified: May 3, 2024, 9:47 a.m.

Indicators

  • fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb
  • f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231
  • afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e
  • 7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950
  • 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6
  • 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3
  • 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf
  • a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8
  • 4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5
  • 02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5
Download all indicators here!

Attack Patterns

  • Bluelight
  • BirdyClient
  • Graphon
  • SiestaGraph
  • Graphite
  • Graphican
  • Ketrican
  • T1573
  • T1071
  • T1102
  • T1132
  • T1041
  • T1566