A newly discovered malware, named FINALDRAFT, has been identified leveraging Microsoft Outlook as a command-and-control (C2) communication channel through the Microsoft Graph API.
This sophisticated malware was uncovered by Elastic Security Labs during an investigation targeting a foreign ministry.
The discovery highlights the growing trend of cybercriminals exploiting legitimate cloud services for covert operations, blending malicious activities with legitimate traffic.
FINALDRAFT is a full-featured remote administration tool (RAT) written in C++ with advanced capabilities for espionage.
It operates in conjunction with a custom loader, PATHLOADER, which downloads and executes encrypted shellcode to initiate the malware’s deployment.
Once activated, FINALDRAFT uses the Microsoft Graph API to interact with Outlook’s draft email folder for C2 communications.
Commands are received via drafts created by attackers, and responses are written back as new drafts; because no message is ever sent, traditional email monitoring tools that inspect sent or received mail do not see the exchange.
The malware includes 37 command handlers enabling actions such as process injection, file manipulation, and network proxying.
It also supports advanced techniques like executing PowerShell commands without invoking “powershell.exe” and using stolen NTLM hashes for lateral movement.
Additionally, FINALDRAFT employs obfuscation techniques like string encryption and API hashing to evade static analysis.
The Microsoft Graph API provides developers with access to Microsoft 365 services, including Outlook, OneDrive, and Teams.
Cybercriminals have increasingly abused this API for malicious purposes due to its seamless integration with legitimate services.
In FINALDRAFT’s case, the malware uses OAuth tokens to authenticate with the Graph API and establishes a persistent communication loop by creating and managing email drafts.
This technique is not isolated; similar abuse of the Graph API has been observed in previous malware campaigns like SIESTAGRAPH and Grager.
Such attacks exploit trusted cloud services to mask malicious activities within legitimate traffic patterns, complicating detection efforts.
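The draft-folder channel described above leaves a recognisable footprint in egress or Graph API telemetry: a client that repeatedly creates, polls and deletes drafts without ever calling the send endpoint, from something other than a mail client. The following is an added example, not code from the article or from Elastic Security Labs, of a heuristic detector run over constructed proxy log lines. The log line format, the ten-minute window, the threshold of four draft operations and the user-agent allowlist are all assumptions for illustration; the Graph endpoints matched (`POST /me/messages` creates a draft, `GET /me/mailFolders/drafts/messages` lists drafts, `.../messages/{id}/send` sends one) are real Microsoft Graph routes.

```python
"""Heuristic detector for draft-based C2 beaconing through Microsoft Graph.

Added example (not the article's or Elastic's code). Runs over constructed
proxy log lines of the form: <iso-timestamp> <host> <method> <url> <user-agent>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). host-a shows the
# create/poll/delete loop with no send; host-b is a normal Outlook client.
SAMPLE_LOG = """\
2025-02-12T09:00:01Z host-a POST https://graph.microsoft.com/v1.0/me/messages python-requests/2.31
2025-02-12T09:00:31Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages python-requests/2.31
2025-02-12T09:01:01Z host-a DELETE https://graph.microsoft.com/v1.0/me/messages/AAMk1 python-requests/2.31
2025-02-12T09:01:31Z host-a POST https://graph.microsoft.com/v1.0/me/messages python-requests/2.31
2025-02-12T09:02:01Z host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages python-requests/2.31
2025-02-12T09:02:31Z host-a DELETE https://graph.microsoft.com/v1.0/me/messages/AAMk2 python-requests/2.31
2025-02-12T09:05:00Z host-b POST https://graph.microsoft.com/v1.0/me/messages Outlook/16.0
2025-02-12T09:07:10Z host-b POST https://graph.microsoft.com/v1.0/me/messages/AAMk9/send Outlook/16.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PATCH|DELETE) (\S+) (.+)$")

# Assumption: user agents that legitimately touch drafts in this environment.
KNOWN_MAIL_CLIENTS = ("Outlook/", "Mozilla/")


def parse(log_text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, ua = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "method": method, "url": url, "ua": ua,
        })
    return events


def classify(ev):
    """Map one Graph request onto a draft-channel action, or None if unrelated."""
    path = ev["url"].split("graph.microsoft.com", 1)[-1]
    if path.endswith("/send"):
        return "send"                      # draft actually delivered: benign signal
    if path.endswith("/mailFolders/drafts/messages") and ev["method"] == "GET":
        return "poll"                      # listing the drafts folder
    if path.endswith("/me/messages") and ev["method"] == "POST":
        return "create"                    # POST /me/messages creates a draft
    if ev["method"] in ("PATCH", "DELETE") and "/me/messages/" in path:
        return "modify"                    # editing or deleting an existing draft
    return None


def analyze(log_text, window=timedelta(minutes=10), min_ops=4):
    """Flag hosts with >= min_ops draft operations, zero sends and an unexpected
    user agent inside any sliding window. Returns {host: finding}."""
    per_host = defaultdict(list)
    for ev in parse(log_text):
        action = classify(ev)
        if action:
            per_host[ev["host"]].append((ev["ts"], action, ev["ua"]))

    findings = {}
    for host, acts in per_host.items():
        acts.sort()
        for i in range(len(acts)):
            end = acts[i][0] + window
            window_acts = [a for a in acts[i:] if a[0] <= end]
            ops = sum(1 for a in window_acts if a[1] in ("create", "poll", "modify"))
            sends = sum(1 for a in window_acts if a[1] == "send")
            odd_ua = any(not a[2].startswith(KNOWN_MAIL_CLIENTS) for a in window_acts)
            if ops >= min_ops and sends == 0 and odd_ua:
                findings[host] = {
                    "draft_ops": ops,
                    "sends": sends,
                    "user_agents": sorted({a[2] for a in window_acts}),
                }
                break
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(f"{host}: possible draft-folder C2 loop {finding}")
```

The send-to-draft ratio is the key signal: a real user who creates and edits drafts eventually sends most of them, whereas a draft-based C2 loop never does. In production the same logic would run over Microsoft 365 audit events or proxy logs rather than a constructed string, and the user-agent allowlist should be derived from what actually calls Graph in the environment.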
Elastic Security Labs also identified a Linux variant of FINALDRAFT, indicating cross-platform capabilities.
While less feature-rich than its Windows counterpart, the Linux version supports multiple C2 transport protocols such as HTTP/HTTPS, reverse UDP, and Outlook via the Graph API.
This suggests ongoing development aimed at expanding its operational reach.
The discovery of FINALDRAFT underscores the sophistication of modern cyber threats leveraging cloud APIs for espionage.
Organizations are urged to monitor Indicators of Compromise (IOCs) associated with this malware and implement robust defenses against abuse of legitimate APIs like Microsoft Graph.
Security teams should consider:
As threat actors continue to refine their techniques, proactive measures are critical to safeguarding sensitive environments from advanced threats like FINALDRAFT.