Wednesday, May 7, 2025
New Malware Abuses Microsoft Graph API to Communicate via Outlook

A newly discovered malware, named FINALDRAFT, has been identified leveraging Microsoft Outlook as a command-and-control (C2) communication channel through the Microsoft Graph API.

This sophisticated malware was uncovered by Elastic Security Labs during an investigation into an intrusion at a foreign ministry.

The discovery highlights the growing trend of cybercriminals exploiting legitimate cloud services for covert operations, blending malicious activities with legitimate traffic.

Technical Overview of FINALDRAFT

FINALDRAFT is a full-featured remote administration tool (RAT) written in C++ with advanced capabilities for espionage.

It operates in conjunction with a custom loader, PATHLOADER, which downloads and executes encrypted shellcode to initiate the malware’s deployment.

Figure: PATHLOADER & FINALDRAFT execution diagram

Once activated, FINALDRAFT uses the Microsoft Graph API to interact with Outlook’s draft email folder for C2 communications.

Commands are received via drafts created by attackers, and responses are sent back in new drafts, avoiding detection by traditional email monitoring tools.

The malware includes 37 command handlers enabling actions such as process injection, file manipulation, and network proxying.

It also supports advanced techniques like executing PowerShell commands without invoking “powershell.exe” and using stolen NTLM hashes for lateral movement.

Additionally, FINALDRAFT employs obfuscation techniques like string encryption and API hashing to evade static analysis.

Figure: CryptImportKey parameters

Exploitation of Microsoft Graph API

The Microsoft Graph API provides developers with access to Microsoft 365 services, including Outlook, OneDrive, and Teams.

Cybercriminals have increasingly abused this API for malicious purposes due to its seamless integration with legitimate services.

In FINALDRAFT’s case, the malware authenticates to the Graph API with OAuth tokens and establishes a persistent communication loop by creating, reading and deleting email drafts rather than sending mail.

This technique is not isolated; similar abuse of the Graph API has been observed in previous malware campaigns like SIESTAGRAPH and Grager.

Such attacks exploit trusted cloud services to mask malicious activities within legitimate traffic patterns, complicating detection efforts.

Elastic Security Labs also identified a Linux variant of FINALDRAFT, indicating cross-platform capabilities.

While less feature-rich than its Windows counterpart, the Linux version supports multiple C2 transport protocols such as HTTP/HTTPS, reverse UDP, and Outlook via the Graph API.

This suggests ongoing development aimed at expanding its operational reach.

The discovery of FINALDRAFT underscores the sophistication of modern cyber threats leveraging cloud APIs for espionage.

Organizations are urged to monitor Indicators of Compromise (IOCs) associated with this malware and implement robust defenses against abuse of legitimate APIs like Microsoft Graph.

Security teams should consider:

  • Enforcing strict access controls for cloud services.
  • Monitoring anomalous activity in email drafts and OAuth token usage.
  • Employing endpoint detection tools capable of identifying process injection and obfuscated malware behavior.

As threat actors continue to refine their techniques, proactive measures are critical to safeguarding sensitive environments from advanced threats like FINALDRAFT.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware and vulnerabilities.
