Full Report
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue.
Analysis Summary
# Tool/Technique: Identity-Driven Cloud Exfiltration (via Microsoft Graph API)
## Overview
This technique marks a shift from endpoint-centric attacks to identity-driven intrusions against cloud control planes, specifically Microsoft 365. Threat actors use stolen OAuth tokens and automated scripts to call the Microsoft Graph API and pull large volumes of corporate mail and files. Because a valid token already represents a completed sign-in, no malware has to run on a victim endpoint and the activity surfaces only in cloud audit logs, so traditional endpoint-focused alerting stays silent.
## Technical Details
- **Type**: Technique (Abuse of Cloud APIs)
- **Platform**: Microsoft 365 (Exchange Online, OneDrive, SharePoint)
- **Capabilities**: Large-scale data collection, automated email harvesting, bypassing EDR/AV, identity impersonation.
- **First Seen**: Reported as a dominant trend in Q1 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing]
- [T1078.004 - Valid Accounts: Cloud Accounts]
- **[TA0006 - Credential Access]**
- [T1528 - Steal Application Access Token]
- **[TA0005 - Defense Evasion]**
- [T1550.001 - Use Alternate Authentication Material: Application Access Token]
- **[TA0007 - Discovery]**
- [T1087.004 - Account Discovery: Cloud Account]
- **[TA0009 - Collection]**
- [T1530 - Data from Cloud Storage]
- [T1114.002 - Email Collection: Remote Email Services]
- **[TA0010 - Exfiltration]**
- [T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage]
## Functionality
### Core Capabilities
- **OAuth Token Abuse**: Leveraging compromised access and refresh tokens to maintain access without the user's password and without re-satisfying MFA for the token's lifetime; a refresh token extends this until it is revoked or Conditional Access rejects the renewal.
- **Graph API Scripting**: Using malicious scripts to programmatically query and download data from SharePoint, OneDrive, and Outlook.
- **Cloud Control Plane Access**: Attacking the management layer of the cloud environment rather than the individual workstation.
### Advanced Features
- **Low-Noise Operations**: Because the collection uses native, legitimate Microsoft APIs and runs from attacker infrastructure against Microsoft's service, no process, file or network event appears on the victim's device, so Endpoint Detection and Response (EDR) tools that watch for malicious process execution see nothing.
- **AI-Enhanced Discovery**: Use of AI assistants already available inside the victim tenant to search mail and files for sensitive internal data and to identify further targets for lateral movement, with minimal detection.
## Indicators of Compromise
- **File Hashes**: N/A. Collection scripts are trivially modified per intrusion, so hash-based detection does not apply; focus on API activity and the identity performing it.
- **File Names**: N/A as a reliable indicator. On endpoints, look for unauthorized PowerShell or Python scripts calling `graph.microsoft[.]com`, but expect the collection to run from attacker infrastructure rather than the victim's device.
- **Registry Keys**: N/A.
- **Network Indicators**:
- Increased traffic to `graph.microsoft[.]com` from unusual IP addresses.
- Unexpected connections to `teams.microsoft[.]com` from external/untrusted tenants.
- **Behavioral Indicators**:
- Rapid, automated requests to Microsoft Graph that enumerate entire collections (every file in a drive or site, every message in a mailbox), visible as tight loops of paged requests rather than the sporadic access pattern of a human user.
- Successful logins from unusual geolocations followed by OAuth application registration or consent.
- External Microsoft Teams accounts initiating calls or messages to internal IT/Help Desk staff.
## Associated Threat Actors
- **ShinyHunters**
- Other BEC-focused groups transitioning to data extortion.
## Detection Methods
- **Log Analysis**: Monitoring Microsoft 365 Unified Audit Logs (UAL) for unusual `MailItemsAccessed` operations (Exchange Online; check the `AppId`, `ClientIPAddress` and `IsThrottled` properties) and bulk `FileDownloaded` / `FileSyncDownloadedFull` operations (SharePoint and OneDrive).
- **Behavioral Detection**: Alerting on new OAuth app registrations, consent grants and application ("app-only") permission assignments in Microsoft Entra ID (formerly Azure AD); the relevant Entra audit activities are `Consent to application` and `Add app role assignment to service principal`.
- **Anomalous Traffic**: Identifying high-volume data transfers via Graph API that deviate from a user's standard baseline in volume, time of day, client application or source IP.
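As an added example (not from the LevelBlue report), the following Python applies the behavioural indicators and the UAL operations listed above to audit records. The record shape follows the `AuditData` JSON returned by `Search-UnifiedAuditLog` and the Office 365 Management Activity API; the sample records, the rogue app id, the app ids treated as known mail clients and all thresholds are constructed assumptions to be tuned against your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# First-party app IDs commonly seen on legitimate mailbox access (Exchange Online/OWA and Microsoft
# Office). Assumption for this example: any other app reading mail in bulk gets a lower threshold.
KNOWN_MAIL_CLIENTS = {
    "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office (Outlook desktop)
}
# Graph permissions that give whole-mailbox, tenant-wide file or directory read access.
# Plain substring matching, so Mail.Read also covers Mail.ReadWrite.
HIGH_RISK_SCOPES = ("Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                    "Sites.Read.All", "Sites.ReadWrite.All", "Directory.Read.All")
FILE_DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
# Entra operations appear in the UAL with a trailing period; compare after normalising.
APP_GRANT_OPS = {"consent to application", "add app role assignment to service principal"}


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _peak_in_window(times, window):
    """Largest number of events inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(records, window=timedelta(minutes=10), mail_threshold=100, file_threshold=50):
    """Return (kind, user, object, detail) findings over UAL AuditData-shaped dicts."""
    findings = []
    mail = defaultdict(list)   # (user, app id) -> event times
    files = defaultdict(list)  # user -> event times
    for r in records:
        op = r.get("Operation", "")
        user = r.get("UserId", "?")
        if op == "MailItemsAccessed":
            app = r.get("AppId", "unknown")
            props = {p["Name"]: p["Value"] for p in r.get("OperationProperties", [])}
            if props.get("IsThrottled") == "True":
                # Exchange sets this once >1000 MailItemsAccessed records hit one mailbox in 24h.
                findings.append(("mail_throttled", user, app, "MailItemsAccessed throttled: mass access"))
            mail[(user, app)].append(_ts(r))
        elif op in FILE_DOWNLOAD_OPS:
            files[user].append(_ts(r))
        elif op.rstrip(".").lower() in APP_GRANT_OPS:
            text = json.dumps(r.get("ModifiedProperties", []))
            risky = [s for s in HIGH_RISK_SCOPES if s in text]
            if risky:
                findings.append(("risky_app_grant", user, r.get("ObjectId", "?"),
                                 f"{op.rstrip('.')} granting {', '.join(risky)}"))
    for (user, app), times in mail.items():
        peak = _peak_in_window(times, window)
        limit = mail_threshold if app in KNOWN_MAIL_CLIENTS else mail_threshold // 4
        if peak >= limit:
            findings.append(("bulk_mail_access", user, app, f"{peak} MailItemsAccessed in {window}"))
    for user, times in files.items():
        peak = _peak_in_window(times, window)
        if peak >= file_threshold:
            findings.append(("bulk_download", user, "-", f"{peak} file downloads in {window}"))
    return findings


def sample_records():
    """Constructed records (not real telemetry): an unknown OAuth app syncing the CFO's mailbox at
    03:00 from 203.0.113.10 two minutes after the user consented to it, plus ordinary OWA use."""
    base = datetime(2026, 2, 10, 3, 0, 0)
    rogue_app = "7f3c1d2e-1111-4a4a-9b9b-000000000abc"  # hypothetical app id
    recs = [{"CreationTime": (base - timedelta(minutes=2)).isoformat(),
             "Operation": "Consent to application.", "UserId": "cfo@contoso.example",
             "ObjectId": rogue_app,
             "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                                     "NewValue": "[[Scope: Mail.Read Files.Read.All offline_access]]"}]}]
    for i in range(40):
        recs.append({"CreationTime": (base + timedelta(seconds=5 * i)).isoformat(),
                     "Operation": "MailItemsAccessed", "UserId": "cfo@contoso.example",
                     "AppId": rogue_app, "ClientIPAddress": "203.0.113.10",
                     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                             {"Name": "IsThrottled", "Value": "False"}]})
    for i in range(5):  # alice reading mail in OWA during the day: must stay quiet
        recs.append({"CreationTime": (base + timedelta(hours=6, minutes=3 * i)).isoformat(),
                     "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example",
                     "AppId": "00000002-0000-0ff1-ce00-000000000000",
                     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                             {"Name": "IsThrottled", "Value": "False"}]})
    return recs


if __name__ == "__main__":
    for f in detect(sample_records()):
        print(" | ".join(f))
```

On the constructed data this yields two findings for the CFO account (the risky consent grant and the burst of `MailItemsAccessed` from the unknown app) and nothing for the OWA user. The lower threshold for non-first-party app ids is the key design choice: the same volume from Outlook is routine, from a freshly consented app it is the exfiltration pattern described in this report.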
## Mitigation Strategies
- **Prevention**: Enforce phishing-resistant multi-factor authentication (MFA), such as FIDO2 security keys, so that a relayed sign-in cannot yield a usable token.
- **Hardening**:
- Restrict the ability of users to consent to third-party applications (OAuth).
- Disable "External Access" in Microsoft Teams, or allow only an explicit list of trusted domains.
- Implement Conditional Access policies that require compliant, managed devices for cloud access.
- **Detection**: Enable Microsoft Purview Audit (formerly Office 365 Advanced Auditing) at a tier that records `MailItemsAccessed`, and retain the logs long enough to cover realistic dwell time.
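To make the hardening items concrete, the following Python (an added example, not LevelBlue's code) audits a Conditional Access and authorization policy export for the recommended settings. The input dicts follow the Microsoft Graph `conditionalAccessPolicy` and `authorizationPolicy` schemas; the two sample tenants are constructed, and the built-in authentication strength id and consent policy name are the documented values but should be confirmed against your tenant. The Teams external-access setting is not covered here.

```python
# Built-in Entra authentication strength id for "Phishing-resistant MFA" (FIDO2, certificate-based,
# Windows Hello for Business); confirm the id in your tenant before relying on it.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
# Permission grant policy that lets every user consent to any delegated permission.
LEGACY_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"


def _enabled(p):
    return p.get("state") == "enabled"


def _all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])


def _targets(p, *apps):
    included = p["conditions"]["applications"].get("includeApplications", [])
    return any(a in included for a in apps)


def _grant(p):
    return p.get("grantControls") or {}


def _controls(p):
    return set(_grant(p).get("builtInControls") or [])


def _strength_id(p):
    return (_grant(p).get("authenticationStrength") or {}).get("id")


def audit(policies, authz):
    """Return a list of gaps; an empty list means the checks pass."""
    gaps = []
    live = [p for p in policies if _enabled(p)]
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"]
    if report_only:
        gaps.append("report-only, not enforced: " + ", ".join(report_only))
    if not any(_all_users(p) and _targets(p, "All") and _strength_id(p) == PHISHING_RESISTANT_STRENGTH
               for p in live):
        if any(_all_users(p) and _targets(p, "All") and "mfa" in _controls(p) for p in live):
            gaps.append("MFA for all users is not phishing-resistant; a relayed "
                        "sign-in still yields tokens usable through Graph")
        else:
            gaps.append("no enforced policy requires MFA for all users on all apps")
    if not any(_all_users(p) and _targets(p, "All", "Office365")
               and _controls(p) & {"compliantDevice", "domainJoinedDevice"} for p in live):
        gaps.append("Microsoft 365 reachable from unmanaged devices; a stolen refresh "
                    "token can be redeemed from attacker infrastructure")
    grants = authz["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned", [])
    if LEGACY_CONSENT in grants:
        gaps.append("users may consent to any third-party OAuth app permission")
    return gaps


def weak_tenant():
    """Constructed export: MFA policy in report-only, no device requirement, legacy consent."""
    policies = [{"displayName": "Require MFA", "state": "enabledForReportingButNotEnforced",
                 "conditions": {"users": {"includeUsers": ["All"]},
                                "applications": {"includeApplications": ["All"]}},
                 "grantControls": {"builtInControls": ["mfa"]}}]
    authz = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_CONSENT]}}
    return policies, authz


def hardened_tenant():
    """Constructed export matching the mitigations listed in this report."""
    policies = [{"displayName": "Phishing-resistant MFA", "state": "enabled",
                 "conditions": {"users": {"includeUsers": ["All"]},
                                "applications": {"includeApplications": ["All"]}},
                 "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}},
                {"displayName": "M365 from managed devices only", "state": "enabled",
                 "conditions": {"users": {"includeUsers": ["All"]},
                                "applications": {"includeApplications": ["Office365"]}},
                 "grantControls": {"builtInControls": ["compliantDevice"]}}]
    authz = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
    return policies, authz


if __name__ == "__main__":
    for name, tenant in (("weak", weak_tenant()), ("hardened", hardened_tenant())):
        print(name, audit(*tenant) or ["no gaps"])
```

A real export comes from `GET /v1.0/identity/conditionalAccess/policies` and `GET /v1.0/policies/authorizationPolicy` on Microsoft Graph. The weak tenant reports four gaps; the hardened one reports none. An empty `permissionGrantPoliciesAssigned` disables user consent entirely; allowing only the low-impact built-in policy is the usual compromise where blocking all consent is not workable.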
## Related Tools/Techniques
- **Business Email Compromise (BEC)**: The precursor to this technique.
- **Microsoft Teams Social Engineering**: Used to gain initial credentials or trick users into downloading "support" tools.
- **Living-off-the-Cloud (LotC)**: The broader strategy of using native cloud features for malicious purposes.