Graph API Vulnerabilities on the Rise

Many application developers are still grappling with the integration challenge. Microsoft’s Graph API attempts to solve this problem, however, their solution comes with its own drawbacks.

Graph API Vulnerabilities on the Rise

Hyperscale cloud providers are constantly innovating, and bringing new services online to make it easier to build rich, complex, modern applications that can deal with the scale that only the cloud can support. One of the challenges that developers have around these services is integrating the new APIs so that they can build on these services. Microsoft has recognized that problem, and attempted to provide a solution, but the solution may come with downsides.

Developers use the Microsoft Graph API to access data from Microsoft 365 and a wide range of other services through a single RESTful API endpoint. With the Microsoft Graph API, developers can build applications that interact with and integrate seamlessly into Microsoft’s digital ecosystem.

However, bad actors have found ways to exploit the Graph API, usually by leveraging it to facilitate communication with command-and-control centers. 

Most recently, some malware was discovered in Ukraine by the name “BirdyClient” (also known as “OneDriveBirdyClient”) downloading files via a C2 server, though it is unclear to what end. And they are far from the only espionage group gathering data this way. In December 2022, Elastic Security documented an intrusion into the Office of Foreign Affairs deployed via a tool called SiestaGraph, a variant of malware that is still being continuously developed.

In fact, misuse of the Graph API is steadily rising as more and more bad actors realize that API traffic through the platform is unlikely to raise suspicion. And this is far from the only way to exploit Graph API- Security Boulevard wrote an article about hacking Graph API using Postman and hackers will never cease searching for new vulnerabilities.

There is no one-size-fits-all solution to this growing problem, however, monitoring API usage - both internal and third-party APIs -  is always a good idea. Strong API security starts with visibility, assessment and monitoring, and bonus points if you enforce strong authentication and authorization.

To learn how FireTail can help with your API security posture, schedule a free demo with us here: