Skip to content

T1567 Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Item Value
ID T1567
Sub-techniques T1567.001, T1567.002, T1567.003, T1567.004
Tactics TA0010
Platforms ESXi, Linux, Office Suite, SaaS, Windows, macOS
Version 1.5
Created 09 March 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0622 AppleSeed AppleSeed has exfiltrated files using web services.4
G0007 APT28 APT28 can exfiltrate data over Google Drive.11
C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign, APT28 exfiltrated data over public-facing webservers – such as Google Drive.13
G1043 BlackByte BlackByte has used services such as anonymfiles.com and file.io to exfiltrate victim data.12
C0017 C0017 During C0017, APT41 used Cloudflare services for data exfiltration.16
G1052 Contagious Interview Contagious Interview has leveraged Telegram API to exfiltrate stolen data.8
S0547 DropBook DropBook has used legitimate web services to exfiltrate data.3
S1179 Exbyte Exbyte exfiltrates collected data to online file hosting sites such as Mega.co.nz.76
S1245 InvisibleFerret InvisibleFerret has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.89
G0059 Magic Hound Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.10
S0508 ngrok ngrok has been used by threat actors to configure servers for data exfiltration.1
S1171 OilCheck OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.2
C0059 Salesforce Data Exfiltration During Salesforce Data Exfiltration, threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application.1514
S1168 SampleCheck5000 SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.52

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can be detect and block sensitive data being uploaded to web services via web browsers.
M1021 Restrict Web-Based Content Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

References

  1. Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020. 

  2. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  3. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  4. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  5. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  6. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  7. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024. 

  8. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  9. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  10. Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023. 

  11. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  12. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024. 

  13. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025. 

  14. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025. 

  15. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025. 

  16. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.