New Malware Abuses Microsoft Graph API to Communicate via Outlook

A newly discovered malware, named FINALDRAFT, has been identified leveraging Microsoft Outlook as a command-and-control (C2) communication channel through the Microsoft Graph API.

This sophisticated malware was uncovered by Elastic Security Labs during an investigation targeting a foreign ministry.

The discovery highlights the growing trend of cybercriminals exploiting legitimate cloud services for covert operations, blending malicious activities with legitimate traffic.

Technical Overview of FINALDRAFT

FINALDRAFT is a full-featured remote administration tool (RAT) written in C++ with advanced capabilities for espionage.

It operates in conjunction with a custom loader, PATHLOADER, which downloads and executes encrypted shellcode to initiate the malware’s deployment.


PATHLOADER & FINALDRAFT execution diagram

Once activated, FINALDRAFT uses the Microsoft Graph API to interact with Outlook’s draft email folder for C2 communications.

Commands are received via drafts created by attackers, and responses are sent back in new drafts, avoiding detection by traditional email monitoring tools.

The malware includes 37 command handlers enabling actions such as process injection, file manipulation, and network proxying.

It also supports advanced techniques like executing PowerShell commands without invoking “powershell.exe” and using stolen NTLM hashes for lateral movement.

Additionally, FINALDRAFT employs obfuscation techniques like string encryption and API hashing to evade static analysis.


CryptImportKey parameters

Exploitation of Microsoft Graph API

The Microsoft Graph API provides developers with access to Microsoft 365 services, including Outlook, OneDrive, and Teams.

Cybercriminals have increasingly abused this API for malicious purposes due to its seamless integration with legitimate services.

In FINALDRAFT’s case, the malware uses OAuth tokens to authenticate with the Graph API and establishes a persistent communication loop by creating and managing email drafts.

This technique is not isolated; similar abuse of the Graph API has been observed in previous malware campaigns like SIESTAGRAPH and Grager.

Such attacks exploit trusted cloud services to mask malicious activities within legitimate traffic patterns, complicating detection efforts.

Elastic Security Labs also identified a Linux variant of FINALDRAFT, indicating cross-platform capabilities.

While less feature-rich than its Windows counterpart, the Linux version supports multiple C2 transport protocols such as HTTP/HTTPS, reverse UDP, and Outlook via the Graph API.

This suggests ongoing development aimed at expanding its operational reach.

The discovery of FINALDRAFT underscores the sophistication of modern cyber threats leveraging cloud APIs for espionage.

Organizations are urged to monitor Indicators of Compromise (IOCs) associated with this malware and implement robust defenses against abuse of legitimate APIs like Microsoft Graph.

Security teams should consider:

  • Enforcing strict access controls for cloud services.
  • Monitoring anomalous activity in email drafts and OAuth token usage.
  • Employing endpoint detection tools capable of identifying process injection and obfuscated malware behavior.
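The second recommendation above, together with the draft-folder C2 loop described earlier (commands read from drafts, results written back as new drafts, all authenticated with an OAuth token against the Graph API), translates directly into a hunt query. The script below is an added example written for this article, not code from Elastic Security Labs or from the FINALDRAFT analysis. It runs over constructed, simplified audit records (the field names `ts`, `user`, `app_id`, `op`, `scope` and the operation names are assumptions for this example, not the real Microsoft 365 unified audit log schema) and flags a mailbox when an application outside a known-client allowlist has both obtained a `Mail.ReadWrite` token and produced a burst of draft create/delete operations, which is what a draft-based C2 channel looks like from the tenant side.

```python
"""Hunt for draft-folder C2 patterns in simplified cloud mail audit records.

Added example, not part of the article or the Elastic Security Labs report.
The record schema and operation names below are constructed for illustration
and do not match the real Microsoft 365 unified audit log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Allowlist of application identifiers expected to write to mailboxes.
# In a real tenant this would hold the app IDs of sanctioned mail clients.
KNOWN_MAIL_CLIENTS = {"outlook-desktop", "outlook-web"}


def _make_events():
    """Build constructed sample records: one benign mailbox, one mailbox
    showing the machine-speed draft churn a C2 loop produces."""
    base = datetime(2025, 2, 20, 9, 0, 0)
    events = []
    # Token issuance records (constructed). Alice's client is sanctioned;
    # Bob's mailbox was granted a mail write token to an unfamiliar app.
    events.append({"ts": base.isoformat(), "user": "alice@example.org",
                   "app_id": "outlook-desktop", "op": "TokenIssued",
                   "scope": "Mail.ReadWrite"})
    events.append({"ts": (base + timedelta(hours=1)).isoformat(),
                   "user": "bob@example.org", "app_id": "unknown-app-0001",
                   "op": "TokenIssued", "scope": "Mail.ReadWrite"})
    # Alice saves three drafts over an hour: normal human behaviour.
    for minute in (5, 25, 50):
        events.append({"ts": (base + timedelta(minutes=minute)).isoformat(),
                       "user": "alice@example.org", "app_id": "outlook-desktop",
                       "op": "DraftCreate", "scope": ""})
    # Bob's mailbox: twelve alternating draft create/delete operations in
    # under six minutes, all from the unfamiliar app.
    for i in range(12):
        op = "DraftCreate" if i % 2 == 0 else "DraftDelete"
        events.append({"ts": (base + timedelta(hours=1, seconds=30 * i)).isoformat(),
                       "user": "bob@example.org", "app_id": "unknown-app-0001",
                       "op": op, "scope": ""})
    return events


SAMPLE_EVENTS = _make_events()


def draft_churn(events, window=timedelta(minutes=10), threshold=10):
    """Return {(user, app_id): peak_count} for every (mailbox, app) pair that
    performed at least `threshold` draft create/delete operations inside any
    span of length `window`. Uses a sliding window over sorted timestamps."""
    by_pair = defaultdict(list)
    for e in events:
        if e["op"] in ("DraftCreate", "DraftDelete"):
            by_pair[(e["user"], e["app_id"])].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all timestamps fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), count)
    return flagged


def unknown_apps_with_mail_write(events, known=KNOWN_MAIL_CLIENTS):
    """Sorted app IDs outside the allowlist that were issued a token carrying
    the Mail.ReadWrite scope (the permission a draft-based C2 channel needs)."""
    return sorted({e["app_id"] for e in events
                   if e["op"] == "TokenIssued"
                   and e["scope"] == "Mail.ReadWrite"
                   and e["app_id"] not in known})


def find_suspects(events):
    """Mailboxes where an unfamiliar app both holds a mail write token and is
    churning drafts at machine speed. Either signal alone is noisy; together
    they are a strong indicator worth an analyst's time."""
    churn = draft_churn(events)
    unknown = set(unknown_apps_with_mail_write(events))
    return sorted({user for (user, app) in churn if app in unknown})


if __name__ == "__main__":
    for user in find_suspects(SAMPLE_EVENTS):
        print(f"investigate mailbox {user}: draft churn from non-allowlisted app")
```

The thresholds (ten operations in ten minutes) are deliberately conservative starting points; tune them against a baseline of your own tenant's draft activity, and treat an allowlist miss on the token signal as the higher-confidence half of the pair, since a legitimate user rarely consents to an unknown app with mailbox write access.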

As threat actors continue to refine their techniques, proactive measures are critical to safeguarding sensitive environments from advanced threats like FINALDRAFT.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
