Microsoft Graph API is used as a top tool for data theft

Hackers are increasingly using Microsoft's own services, specifically the Microsoft Graph API, for command-and-control in data-theft operations. The approach is cheap and helps their traffic evade detection. Several cybercrime and espionage groups have adopted it, with tools such as BirdyClient, Bluelight, Backdoor.Graphon, Graphite and SiestaGraph, to name a few. By abusing the Graph API, these actors blend their activity into legitimate network traffic, making their intrusions harder to spot. Organizations should therefore monitor and control connections to unsanctioned cloud accounts, such as OneDrive, to prevent such attacks. The pervasiveness of this tactic highlights the need for heightened awareness and security measures against the misuse of legitimate cloud platforms for malicious activity.
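The monitoring the summary recommends, as an added example that is not code from the article: a Python check over constructed proxy log lines that flags Graph API or OneDrive traffic from a process outside an assumed allowlist, and token requests to any tenant other than the organisation's own (placeholder GUID) or to the multi-tenant aliases. The log format, the tenant ids and the process allowlist are assumptions.

```python
import re
from typing import Dict, List

# Constructed proxy log sample (not from the article): "<ts> <src_host> <process> <dest_host> <path>"
SAMPLE_LOG = """\
2024-05-03T09:01:12Z ws-042 OUTLOOK.EXE login.microsoftonline.com /11111111-1111-1111-1111-111111111111/oauth2/v2.0/token
2024-05-03T09:01:13Z ws-042 OUTLOOK.EXE graph.microsoft.com /v1.0/me/mailFolders/inbox/messages
2024-05-03T09:05:40Z ws-042 svchost.exe login.microsoftonline.com /consumers/oauth2/v2.0/token
2024-05-03T09:05:41Z ws-042 svchost.exe graph.microsoft.com /v1.0/me/drive/root:/tasks.txt:/content
2024-05-03T09:07:02Z ws-117 update.exe login.microsoftonline.com /22222222-2222-2222-2222-222222222222/oauth2/v2.0/token
2024-05-03T09:07:03Z ws-117 update.exe graph.microsoft.com /v1.0/me/drive/root/children
"""

# Assumed policy: the organisation's own tenant id (placeholder GUID) and the
# processes expected to talk to Graph from managed workstations.
SANCTIONED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
SANCTIONED_PROCESSES = {"OUTLOOK.EXE", "Teams.exe", "OneDrive.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com", "onedrive.live.com"}

# Token requests carry the tenant in the first path segment; "common",
# "consumers" and "organizations" are multi-tenant aliases, not a specific tenant.
TOKEN_PATH = re.compile(r"^/([^/]+)/oauth2/v2\.0/token")
MULTI_TENANT_ALIASES = {"common", "consumers", "organizations"}


def parse_line(line: str) -> Dict[str, str]:
    ts, src, proc, host, path = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "proc": proc, "host": host, "path": path}


def find_unsanctioned(log: str) -> List[Dict[str, str]]:
    """Return one alert per log line that reaches Graph/OneDrive outside policy."""
    alerts = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["host"] == "login.microsoftonline.com":
            m = TOKEN_PATH.match(rec["path"])
            if m:
                tenant = m.group(1)
                if tenant in MULTI_TENANT_ALIASES or tenant not in SANCTIONED_TENANTS:
                    alerts.append({**rec, "reason": f"token request to unsanctioned tenant '{tenant}'"})
        elif rec["host"] in GRAPH_HOSTS and rec["proc"] not in SANCTIONED_PROCESSES:
            alerts.append({**rec, "reason": f"Graph/OneDrive traffic from unexpected process {rec['proc']}"})
    return alerts


if __name__ == "__main__":
    for a in find_unsanctioned(SAMPLE_LOG):
        print(a["ts"], a["src"], a["reason"])
```

The tenant check only works when the proxy logs the path of the token request; the process check needs an endpoint agent or a proxy that records the originating process.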
https://www.darkreading.com/cloud-security/microsoft-graph-api-emerges-as-top-attacker-tool-to-plot-data-theft