Hackers have been increasingly leveraging the Microsoft Graph API as a tool for malicious activities in order to avoid detection, with the Symantec Threat Hunter Team noting that threat actors have been using the API to communicate with command-and-control infrastructure hosted on Microsoft cloud services since January 2022. Several nation-state-aligned hacking groups, including APT28 and APT29, have been identified using the Microsoft Graph API for C&C purposes. One recent instance involved the deployment of a previously undocumented malware, named BirdyClient, which uses OneDrive as its C&C server.

Hackers are increasingly using Microsoft Graph API for stealthy malware communications

This method allows attackers to avoid raising suspicion in targeted organizations, because traffic to popular cloud services such as OneDrive is less likely to be treated as hostile. Using the Graph API not only provides a discreet communication channel but also gives attackers cost-effective and secure infrastructure, since basic service accounts are free. The report also highlights how attackers can abuse cloud administration commands by compromising external parties that hold privileged access, ultimately enabling them to execute commands inside compute instances or hybrid environments.
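As an added example (not from the article or from Symantec's report), the following Python script runs over constructed proxy log lines and flags hosts that call the Graph OneDrive endpoints from an unexpected client at machine-regular intervals, the kind of beaconing a OneDrive-based C&C channel produces while ordinary Office traffic to the same endpoints does not. The host names, user agents and thresholds are assumptions chosen for illustration.

```python
"""Flag hosts whose Microsoft Graph OneDrive traffic looks like automated beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (not real data): timestamp, host, user agent, URL.
SAMPLE_LOG = """\
2024-05-03T09:00:00Z ws-042 Microsoft-Office/16.0 https://graph.microsoft.com/v1.0/me/drive/root/children
2024-05-03T09:07:12Z ws-042 Microsoft-Office/16.0 https://graph.microsoft.com/v1.0/me/drive/root:/Reports/q1.docx:/content
2024-05-03T11:40:55Z ws-042 Microsoft-Office/16.0 https://graph.microsoft.com/v1.0/me/messages
2024-05-03T09:00:00Z ws-117 python-requests/2.31 https://graph.microsoft.com/v1.0/me/drive/root/children
2024-05-03T09:05:01Z ws-117 python-requests/2.31 https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content
2024-05-03T09:10:00Z ws-117 python-requests/2.31 https://graph.microsoft.com/v1.0/me/drive/root/children
2024-05-03T09:15:00Z ws-117 python-requests/2.31 https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content
2024-05-03T09:20:00Z ws-117 python-requests/2.31 https://graph.microsoft.com/v1.0/me/drive/root/children
"""

GRAPH_HOST = "graph.microsoft.com"
# Assumed user-agent prefixes of clients expected to reach OneDrive through Graph.
EXPECTED_AGENTS = ("Microsoft-Office/", "OneDrive/", "Mozilla/")

def parse(log: str):
    """Yield (timestamp, host, user_agent, url) from the constructed log format."""
    for line in log.splitlines():
        ts, host, ua, url = line.split(maxsplit=3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, ua, url

def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.2):
    """Return {host: (user_agent, mean_interval_seconds)} for hosts whose OneDrive
    calls via Graph come from an unexpected client at near-constant intervals."""
    hits = defaultdict(list)
    for ts, host, ua, url in parse(log):
        u = urlparse(url)
        if u.hostname == GRAPH_HOST and "/drive/" in u.path and not ua.startswith(EXPECTED_AGENTS):
            hits[(host, ua)].append(ts)
    flagged = {}
    for (host, ua), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a sleep-loop implant yields tightly clustered gaps.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[host] = (ua, round(avg))
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```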
https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html