1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Web Service
  5. Exfiltration Over Webhook

Exfiltration Over Web Service: Exfiltration Over Webhook

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage
T1567.003 Exfiltration to Text Storage Sites
T1567.004 Exfiltration Over Webhook

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[1] Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.[2] When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.[3] Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.[4]

Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.[5][6][7]

ID: T1567.004
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Sunders Bruskin, Microsoft Threat Intelligence; Yossi Weizman, Microsoft Threat Intelligence
Version: 1.2
Created: 20 July 2023
Last Modified: 15 April 2025
Version Permalink

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can be detect and block sensitive data being uploaded to web services via web browsers.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0153 Detection Strategy for Exfiltration Over Webhook AN0436

Unusual processes (e.g., powershell.exe, wscript.exe, mshta.exe) posting data to webhook endpoints (Discord, Slack, webhook.site) using HTTP POST/PUT requests. Defender perspective: suspicious process lineage followed by outbound HTTPS traffic to webhook domains.
AN0437

Processes such as curl, wget, or custom scripts initiating POST requests to webhook endpoints with encoded or bulk data. Defender perspective: abnormal chaining of file compression or access followed by outbound data to webhook URLs.
AN0438

Unexpected apps or scripts (osascript, curl, Automator workflows) exfiltrating data via webhooks. Defender perspective: correlation of clipboard/file read operations followed by HTTPS POST traffic to webhook services.
AN0439

VMware services or management daemons generating HTTP POST requests to webhook endpoints, chained with unusual datastore or log access. Defender perspective: exfiltration from VM logs or disk images over webhook URLs.
AN0440

Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: repeated automated exports or suspicious webhook endpoint registrations.

References

  1. RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.
  2. D. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.
  3. Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.
  4. Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.
  1. CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.
  2. Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.
  3. Jossef Harush Kadouri. (2022, March 7). Webhook Party — Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.