Exfiltration Over Web Service: Exfiltration Over Webhook

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[1] Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.[2] When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.[3] Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.[4]

Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.[5][6][7]

ID: T1567.004
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Contributors: Sunders Bruskin, Microsoft Threat Intelligence; Yossi Weizman, Microsoft Threat Intelligence
Version: 1.0
Created: 20 July 2023
Last Modified: 12 October 2023


ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can be detect and block sensitive data being uploaded to web services via web browsers.


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks.

DS0017 Command Command Execution

Monitor executed commands and arguments that may exfiltrate data to a webhook as a malicious command and control channel. Additionally, monitor commands that may create new webhook configurations in SaaS services - for example, gh webhook forward in Github or mgc subscriptions create in Office 365.[8][9]

DS0022 File File Access

Monitor for files being accessed to exfiltrate data to a webhook as a malicious command and control channel.

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.