Attackers are evading detection by leveraging the Microsoft Graph API, which developers normally use to access resources on Microsoft cloud services. Symantec researchers highlighted that attackers find using the Graph API less suspicious, cost-effective, and secure, since basic accounts on services such as Microsoft OneDrive are free. This method was exposed during the Harvester group incident in 2021 and, more recently, in an attack in Ukraine using a new malware called BirdyClient or OneDriveBirdyClient.

Attackers hide malicious activities using Microsoft Graph API

Sophisticated threat actors like APT28 and APT29 are utilizing the Microsoft Graph API to blend malicious communications with legitimate traffic, making it challenging for traditional security tools to detect them. This technique allows attackers to maintain persistence in networks, extract valuable information, and control compromised environments efficiently. The inherent features of the Microsoft Graph API make it an effective tool for malicious activities, as attackers can conceal their actions within what looks like normal cloud traffic, thus reducing the risk of exposure.
https://www.scmagazine.com/news/attackers-evade-detection-by-leveraging-microsoft-graph-api