T1567.004 Exfiltration Over Webhook
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[7] Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.[3] When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.
Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.[6] Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.[4]
Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.[2][5][1]
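As an added illustration of the detection side (example code, not part of the ATT&CK page): a small Python script that scans constructed proxy log lines for HTTP POSTs to well-known webhook endpoints and aggregates request count and bytes sent per source host and destination. The log format, the endpoint URL patterns and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed URL prefixes for the webhook services named on the page
# (Discord, Slack, webhook.site); tune to your own allow/deny lists.
WEBHOOK_PATTERNS = [
    re.compile(r"^https://discord(?:app)?\.com/api/webhooks/"),
    re.compile(r"^https://hooks\.slack\.com/services/"),
    re.compile(r"^https://webhook\.site/"),
]

# Constructed proxy log lines: "<src_ip> <method> <url> <status> <bytes_out>"
SAMPLE_LOGS = """\
10.0.0.5 POST https://discord.com/api/webhooks/111/abc 204 18400
10.0.0.5 POST https://discord.com/api/webhooks/111/abc 204 22100
10.0.0.5 POST https://discord.com/api/webhooks/111/abc 204 19800
10.0.0.7 GET https://discord.com/channels/@me 200 310
10.0.0.9 POST https://hooks.slack.com/services/T000/B000/xyz 200 640
10.0.0.9 POST https://webhook.site/7b1f 200 80200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def is_webhook_url(url: str) -> bool:
    """True if the URL matches one of the known webhook endpoint patterns."""
    return any(p.search(url) for p in WEBHOOK_PATTERNS)


def parse(log_text: str):
    """Yield (src, method, url, status, bytes_out) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4)), int(m.group(5))


def find_webhook_exfil(log_text: str, min_bytes: int = 10_000, min_posts: int = 3):
    """Map (src_ip, webhook_host) -> (post_count, total_bytes) for sources whose
    POSTs to a webhook endpoint exceed either assumed threshold. A single large
    upload and a drip of small repeated uploads are both caught."""
    totals = defaultdict(lambda: [0, 0])
    for src, method, url, _status, nbytes in parse(log_text):
        if method != "POST" or not is_webhook_url(url):
            continue
        key = (src, urlparse(url).netloc)
        totals[key][0] += 1
        totals[key][1] += nbytes
    return {k: tuple(v) for k, v in totals.items() if v[0] >= min_posts or v[1] >= min_bytes}
```

Because the traffic is HTTPS, this relies on a proxy or TLS-inspecting gateway that logs full URLs; with host-only visibility, aggregate on destination host and byte counts instead.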
| Item | Value |
|---|---|
| ID | T1567.004 |
| Sub-techniques | T1567.001, T1567.002, T1567.003, T1567.004 |
| Tactics | TA0010 |
| Platforms | ESXi, Linux, Office Suite, SaaS, Windows, macOS |
| Version | 1.2 |
| Created | 20 July 2023 |
| Last Modified | 15 April 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
References
1. Jossef Harush Kadouri. (2022, March 7). Webhook Party — Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.
2. CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.
3. Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.
4. Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.
5. Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.
6. RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.