Graph: Growing number of threats leveraging Microsoft API

An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.

The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes.

Read more…
Source: Symantec

Sign up for our Newsletter


  • US military notifies 20,000 of data breach after cloud email leak

    February 14, 2024

    The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year. According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency — the DOD’s military intelligence agency — said, “numerous email messages were inadvertently ...

  • TicTacToe Dropper

    February 14, 2024

    While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023. Malware droppers are malicious software designed to deliver and execute additional malware on a victim system and are employed to obfuscate final payloads during load and initial execution. Droppers within this ...

  • Hacked Microsoft test account was assigned admin privileges

    January 27, 2024

    The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company’s part, a researcher said. The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. ...

  • HP Enterprise was hacked by the same Russian state-sponsored group that targeted Microsoft

    January 25, 2024

    HP Enterprise was infiltrated by a hacking group linked to Russian intelligence last year, the business IT company has revealed in a Securities and Exchange Commission filing. The threat actor is believed to be Midnight Blizzard, also known as Cozy Bear, which was the same group that recently breached the email accounts of several senior executives ...

  • Microsoft actions following attack by nation state actor Midnight Blizzard

    January 19, 2024

    The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. Beginning in ...

  • Financially motivated threat actors misusing App Installer

    December 28, 2023

    Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to ...