When Graphs Go Bad: Adversarial Use of Microsoft Graph API for C2 and Evasion
Microsoft Graph API is the backbone of modern Microsoft 365 environments — a single interface to access and manipulate data across services like OneDrive, Outlook, Azure AD, and Teams. It’s what makes the Microsoft cloud ecosystem so powerful for developers and administrators alike. But that same power and ubiquity also make Graph API an incredibly appealing vector for threat actors.
Consolidation around cloud-first infrastructure, particularly in government and large commercial, incentivizes adversary usage of cloud-native functions. Frankly, we are increasingly seeing cloud-only events that don’t bother with on-premises compromises at all. Why bother when the desired data is in the cloud in the first place? And – when your tactics blend in with the rest of the cloud’s legitimate activity?
Over the last few years, sophisticated adversaries — including the “big four” nation-state actors — have increasingly baked Microsoft Graph into their post-compromise playbooks. By using Graph for command-and-control (C2), reconnaissance, persistence, and even exfiltration, they blend malicious traffic into legitimate cloud workflows. And because Graph API usage is expected and noisy in cloud-first organizations, defenders are often flying blind.
Once again, there’ s quite a lot of ink spilled covering individual incident post-mortems, but not much in the way of throughline analysis that captures how a tactic or technique can move and change as the years go by. This post explores the methods, tools, and procedures threat actors are using to abuse Graph API, with detailed case studies drawn from real campaigns.
First Instances (2020): APT29/NOBELIUM Manipulating Cloud Identity for Covert Access
APT29’s SolarWinds campaign in 2020 is remembered for its initial supply chain compromise — but an overlooked innovation was in how the group operated post-exploitation. After gaining access to target tenants, APT29 forged authentication tokens and impersonated privileged users, allowing them to manipulate Azure AD identity configurations.
Using these forged identities, they modified or created service principals with permissions to call Microsoft Graph on behalf of legitimate users. This meant they could read emails, monitor user activity, and exfiltrate data — all while appearing to operate as a normal internal application. This approach effectively let them live off the land in Microsoft’s own cloud, leveraging Graph API calls like Mail.Read, Mail.ReadWrite, and Directory.Read.All.
What set this apart from future campaigns was the use of the target’s own tenant and Graph permissions. Later actors would instead rely on attacker-controlled tenants to reach into victim environments. But APT29’s approach embedded malicious behavior inside trusted apps, making detection far more difficult. Traditional telemetry and SIEM rules struggled to flag these actions because, on paper, everything looked legitimate.
Attacker Tenants (2021): APT40 Evolving from Legacy APIs to OneDrive-Based Stealth C2
APT40’s early abuse of cloud APIs began before Graph even consolidated Microsoft’s services. In 2019, their implants called the deprecated Outlook Task API to receive commands via hidden Outlook tasks in attacker-controlled accounts. As Microsoft deprecated these APIs in late 2020, APT40 smoothly transitioned to Graph — and their operations didn’t miss a beat.
In one campaign, APT40 weaponized PowerShell Empire to communicate with attacker-owned OneDrive infrastructure. Malicious PowerShell was stored as .png files, uploaded to Graph endpoints that mimicked everyday file operations. Their implants then used Graph API to download, decrypt, and execute this content, looping every few seconds to check for new instructions. Within a PowerPoint maldoc sent via a phishing campaign, two payloads would execute, the first disabling a type check DisableActivitySurrogateSelectorTypeCheck as a preemptive requirement for second-stage infection, as well as a .NET binary which downloads, decrypts and runs a .png file.
This malicious .png file was actually PowerShell which downloads and uploads fake png files using the Microsoft Graph API to
https[:]//graph.microsoft[.]com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content
where $ID is the ID of the malware. The APT40 PowerShell was a modified version of the opensource PowershellEmpire toolkit. This toolkit allows an attacker to load additional modules to victim computers via Microsoft Graph API calls obfuscated as .png files (or any other configurable variation).
This shift to using their own tenant infrastructure gave them full control and stealth. No permissions were required from the target organization. The activity would not trigger consent prompts, and it wouldn’t leave logs in the victim’s Microsoft 365 tenant. From a network perspective, the implant was just accessing graph.microsoft.com — a completely normal operation in any O365-heavy environment.
APT40’s approach shows how easily attackers can turn Microsoft Graph into a fully functional C2 channel that looks native to the cloud. The only hints lie in file paths and usage patterns — both difficult to baseline or alert on in practice.
BLUELIGHT (2021): APT37 and Graph-Enabled Recon
North Korea’s APT37 group took a similar approach with their custom malware BLUELIGHT, deployed in a 2021 campaign targeting the Daily NK news site. BLUELIGHT began with typical delivery methods — watering hole scripts and Cobalt Strike beacons — but its unique value came from its use of Microsoft Graph for stealthy persistence and data collection.
Once executed, BLUELIGHT authenticated to Graph using hardcoded OAuth2 tokens and created a new subdirectory within an attacker-controlled OneDrive account. It then populated that folder with a structured set of subdirectories like logo, theme, and normal, each serving a different role in the C2 protocol.
The implant gathered a detailed system profile — including OS version, IP addresses, AV products, and more — encoded the data as a binary blob, and uploaded it to OneDrive as a .jpg file. After initial recon, BLUELIGHT shifted into C2 polling mode, uploading screenshots and retrieving new commands from predefined subfolders.
Later demonstrations by security researcher Bobby Cooke showed how this same style of malware could be extended to Outlook, using Graph to read and write from the Drafts folder in an attacker mailbox. The result was a fileless, scriptable beacon operating entirely through Microsoft Graph — and with no visibility inside the target tenant.
Graphite (2022): A Return to Empire with OAuth Obfuscation
In late 2021 and through 2022, Trellix and Cluster25 tracked a malware strain dubbed Graphite, targeting European government offices via malicious Office documents. Graphite heavily leveraged Microsoft Graph for its communication with attacker infrastructure, suggesting a retooled version of the classic Empire OneDrive stager.
Graphite implants were delivered via phishing documents exploiting CVE-2021-40444 and used DLL stagers to install the Graphite payload. Once active, the malware created a mutex to avoid reinfection, then entered a persistent loop: refreshing OAuth tokens every 20 minutes, polling OneDrive for new commands, and uploading results to specific folders.
In a 2022 variant, Graphite downloaded its payloads from OneDrive using .jpeg extensions, further blurring the line between benign and malicious traffic. Even its authentication process was stealthy — using hardcoded refresh tokens and attacker-owned client IDs to retrieve access tokens from login.microsoftonline.com. This enabled Graphite to operate entirely within trusted Microsoft domains while maintaining full control over the flow of data.
Detection in this case was theoretically possible by inspecting refresh token POST requests for unusual client IDs, but in practice, TLS encryption and Graph’s ubiquity make this difficult.
SIESTAGRAPH (2022): Fileless Outlook Draft C2 via Microsoft Graph API
In 2022, Elastic Security Labs documented a malware family dubbed SIESTAGRAPH, used by suspected Chinese threat actors in targeted espionage campaigns. The name reflects both the implant’s stealthy, almost dormant behavior — “siesta” — and its primary mechanism for command-and-control: interacting with Microsoft Outlook Draft folders via Microsoft Graph API.
What set SIESTAGRAPH apart was its fileless design. Rather than writing payloads to disk or establishing direct outbound connections, the implant authenticated to a compromised Office 365 account and used Graph API to poll the Drafts folder of Outlook mailboxes. Commands were retrieved from unsent draft messages, parsed, and executed in memory. The results were then encoded and sent back as new draft messages. Because these messages were never sent, they bypassed conventional email monitoring systems.
SIESTAGRAPH’s use of Graph API endpoints like GET /me/mailFolders(‘drafts’)/messages and PATCH /me/messages/{id} allowed it to operate entirely within the sanctioned Microsoft 365 ecosystem. This tactic eliminated the need for traditional C2 infrastructure and let the implant blend in with ordinary user activity — especially in organizations where email automation, shared inboxes, or CRM tools already generate Graph-based mailbox traffic.
This technique mirrored what would later be seen in FINALDRAFT and CMD365, making SIESTAGRAPH something of a blueprint for Graph-enabled C2. Its effectiveness lies not only in the covert communication method, but also in the lack of visibility most organizations have into Graph API mailbox operations — particularly when it comes to unsent items.
Defenders with access to detailed Microsoft 365 logs can attempt to flag repeated Graph access to draft folders or high-frequency message editing that doesn’t align with typical workflows. But in most cases, catching SIESTAGRAPH-like activity means correlating behavior across identity, endpoint, and Graph API telemetry — a challenge even for mature SOCs.
CreepyDrive (2022): POLONIUM and Cross-Cloud API C2
POLONIUM, a Lebanon-based actor believed to be linked with Iran’s Ministry of Intelligence and Security, added a different twist. In 2022, they were caught using a lightweight PowerShell backdoor dubbed CreepyDrive that accessed both OneDrive and Dropbox to execute commands, exfiltrate files, and download payloads.
CreepyDrive used hardcoded credentials and refresh tokens to authenticate via Graph API. Once authenticated, the implant ran in a continuous loop, checking a OneDrive-hosted data.txt file for instructions and writing results to response.json. Execution options included running PowerShell commands, uploading local files, or downloading additional payloads.
Each implant instance communicated with its own attacker-controlled OneDrive account, avoiding shared indicators. Because all requests were made via Graph API and used native PowerShell cmdlets (Invoke-WebRequest), defenders had little telemetry to rely on — especially since Graph calls appeared indistinguishable from standard OneDrive usage.
This technique once again highlighted the appeal of Graph: a free, stealthy, and cloud-native C2 mechanism requiring no infrastructure setup beyond a Microsoft account.
Graphican (2023): APT15’s Evolution of Cloud-Based Espionage
In June 2023, Symantec discovered Backdoor.Graphican, which was being used by the Flea (aka APT15, Nickel) advanced persistent threat (APT) group in an espionage campaign heavily focused on foreign affairs ministries in the Americas. Graphican is an evolution of an older Flea backdoor known as Ketrican, which itself was based on a previous malware—BS2005—that was also used by Flea.
Graphican has the same functionality as Ketrican, but its new features included the use of the Microsoft Graph API and OneDrive to obtain its C&C infrastructure. The most noteworthy aspect of Graphican is its abuse of the Microsoft Graph API and OneDrive to obtain its C&C server. The fact that a similar technique was used by Swallowtail, an unconnected APT group operating out of a different region, is also worth noting. Once a technique is used by one threat actor, we often see other groups follow suit, so it will be interesting to see if this technique is something we see being adopted more widely by other APT groups and cyber criminals.
GoGra (2023): Command-and-Control Over Outlook Mailboxes
In late 2023, researchers at Symantec uncovered a new Go-based backdoor named GoGra, targeting a media organization in South Asia. At first glance, it’s a straightforward backdoor — but what makes it stand out is how it leverages Microsoft Graph API to interact with Outlook mailboxes for covert command-and-control.
The malware authenticates to a Microsoft account and reads emails from an attacker-created user with the name “FNU LNU.” Commands are embedded in email messages with subjects beginning with “Input.” GoGra uses the Graph API to access these messages, decrypt their contents via AES-256 in CBC mode, and execute the resulting commands locally. Once execution is complete, the output is encrypted and exfiltrated by crafting a new message with the subject “Output” — again, sent through Graph API.
This technique exemplifies the evolution of cloud-native C2. Rather than spinning up traditional C2 infrastructure, GoGra rides on the back of Microsoft’s own mail infrastructure, with all its legitimate encryption and authentication workflows. To an observer, this looks like a user reading and sending email through Microsoft 365 — nothing more.
Grager (2024): Hiding in OneDrive File Transfers
By early 2024, Microsoft Graph had become such a reliable mechanism for evasion that another campaign emerged using a similar approach — this time with a malware family called Grager, deployed against organizations in Taiwan, Hong Kong, and Vietnam. Believed to be the work of a suspected Chinese APT (UNC5330), Grager leveraged Microsoft OneDrive as a storage-based C2 channel, with all communication handled through Graph API.
Once executed on a victim machine, Grager used Graph API endpoints to interact with specific folders in an attacker-controlled OneDrive account. Commands and payloads were stored as benign-looking files, which were retrieved via GET requests. Outputs or staged data were then uploaded back to the same OneDrive using PUT requests — all routed through Graph API’s drive endpoints. This kept C2 traffic well within the boundaries of trusted domains and encryption.
Much like APT40’s earlier PNG-based payload stagers, Grager’s abuse of OneDrive via Graph highlights the ongoing trend of attackers preferring infrastructure they don’t have to own. The lack of OAuth consent prompts and minimal visibility in target tenants makes this technique ideal for long-term persistence.
BirdyClient (2024): OneDrive as a Stealthy C2 Server
In 2024, Symantec researchers identified a previously undocumented malware dubbed BirdyClient (also known as OneDriveBirdyClient) deployed in Ukraine. This malware utilized a DLL file that mimicked a legitimate DLL associated with the application Apoint and connected to Microsoft Graph API to use OneDrive as a C2 server for uploading and downloading files.
The exact distribution method of the DLL file remains unclear, as does the full scope of the attackers’ objectives and identities. The increasing reliance on Microsoft Graph API by attackers is partly driven by the API’s ability to camouflage malicious communications with legitimate traffic to widely used cloud services, which are less likely to arouse suspicion.
CMD365 (2024): Email Folder C2, Masquerading as Postman
Another 2024 campaign introduced CMD365, a .NET-based backdoor that disguised itself as the legitimate Postman application. What set it apart wasn’t the disguise, but how it abused Graph API to turn Outlook inbox folders into a control panel.
Using hardcoded credentials, CMD365 authenticated to Microsoft 365 and created unique folders in Outlook for each infected machine. It would then poll those folders via Graph API calls, searching for messages that contained encoded commands. These commands were executed locally, and the results were posted back by generating new emails — all orchestrated through standard Graph API calls like GET /messages, POST /sendMail, and folder manipulation endpoints.
This approach offers multiple advantages. It blends into environments where email traffic is high, leverages existing cloud infrastructure, and requires no external server that might trigger traditional network alerts. The malware’s access pattern looks like an application syncing folders and processing mail — exactly what many business apps do every day.
Havoc Framework: Post-Exploitation via SharePoint
Threat actors didn’t just stop at Outlook and OneDrive. In 2024, a phishing campaign using the Havoc post-exploitation framework integrated SharePoint into its C2 workflow using Graph API as the transport mechanism. This marked a growing trend of turning Microsoft’s own collaboration tools into covert infrastructure.
The attack started with an HTML phishing payload that redirected victims to a SharePoint-hosted PowerShell script. Once the Havoc Demon agent was deployed, it used Microsoft Graph API to communicate with the attacker-controlled SharePoint site. All command-and-response traffic was stored in SharePoint documents, encoded in AES-256 CTR mode and retrieved via Graph API file calls.
This campaign demonstrated how flexible the Graph API model really is. The attacker didn’t need an external domain or even a VPS — SharePoint did the heavy lifting. Graph API allowed the agent to blend into enterprise collaboration traffic, creating a challenge for defenders relying on URL filtering or domain-based detection. The SharePoint activity looked like legitimate file collaboration, but it was actually a full-featured C2 channel.
FastHTTP Brute-Force Campaign: High-Speed Identity Attacks
While most Graph abuse campaigns focus on stealthy post-compromise techniques, the FastHTTP brute-force campaign identified in early 2025 shifted focus to initial access. Attackers leveraged the high-speed fasthttp Go library to launch brute-force login attempts against Azure Active Directory endpoints, including those used in Graph API authentication flows.
Using POST requests to login.microsoftonline.com, attackers spammed user credentials and multi-factor authentication prompts at high frequency. Because the Graph API is central to Azure AD identity functions, many of these requests funneled through Graph authentication handlers. Attackers used known email formats and predictable usernames to spray common passwords, and in some cases, succeeded in accessing accounts or triggering excessive MFA prompts.
Roughly 10% of attempts were reportedly successful, with follow-up activity showing signs of persistent access and lateral movement. Unlike the other use-cases which leveraged Graph API for stealthy persistence, this campaign weaponized it for sheer scale and speed.
From a detection perspective, this type of abuse is harder to hide. But because it uses the same Graph endpoints as legitimate apps and logins, it still presents a challenge unless login telemetry is tightly integrated with behavioral baselining and geographic analysis.
FINALDRAFT (2025): Outlook Drafts as a Covert C2 Channel
In early 2025, Elastic Security Labs uncovered a sophisticated malware strain named FINALDRAFT, targeting a foreign ministry. This malware leveraged Microsoft Outlook’s Drafts folder, accessed via the Microsoft Graph API, as a command-and-control (C2) channel. By utilizing Outlook drafts, the malware could send and receive commands without triggering traditional email monitoring tools.
FINALDRAFT operates in conjunction with a custom loader called PATHLOADER, which downloads and executes encrypted shellcode to initiate the malware’s deployment. Once activated, FINALDRAFT uses the Microsoft Graph API to interact with Outlook’s draft email folder for C2 communications. Commands are received via drafts created by attackers, and responses are sent back in new drafts, avoiding detection by traditional email monitoring tools.
The malware includes 37 command handlers enabling actions such as process injection, file manipulation, and network proxying. It also supports advanced techniques like executing PowerShell commands without invoking “powershell.exe” and using stolen NTLM hashes for lateral movement. Additionally, FINALDRAFT employs obfuscation techniques like string encryption and API hashing to evade static analysis.
This technique is not isolated; similar abuse of the Graph API has been observed in previous malware campaigns like SIESTAGRAPH and Grager. Such attacks exploit trusted cloud services to mask malicious activities within legitimate traffic patterns, complicating detection efforts. Elastic Security Labs also identified a Linux variant of FINALDRAFT, indicating cross-platform capabilities.
Hunting Microsoft Graph Abuse: What Defenders Should Look For
Detecting Graph API abuse isn’t easy — and that’s precisely why threat actors love it. The API’s versatility, ubiquity, and encryption make it a perfect candidate for hiding in plain sight. But as with any tactic, patterns emerge. While adversaries can blend in with normal traffic, they can’t operate without leaving some trace behind. Defenders just have to know where to look.
Here’s a breakdown of hunting strategies that can help uncover malicious Graph API activity, from network anomalies to process behaviors — with a few practical tricks for SOC analysts.
Don’t Discount the Classics: MailItemsAccessed Remains a Solid Strategy
In the wake of the SolarWinds campaign, Microsoft introduced the MailItemsAccessed audit log action to address a crucial blind spot: programmatic mailbox access via Microsoft Graph API and EWS that previously went undetected. This event now allows security teams to detect when mail items are accessed by applications — such as service principals — rather than end users. Malicious use of this access, such as what APT29 leveraged to silently read executive email without triggering standard user audit logs, can be surfaced by filtering for unusual application IDs, access outside business hours, or unauthorized delegated access to sensitive mailboxes. A simple baseline helps: identify all known and approved app IDs in your environment and alert on any deviations.
AuditLogs
| where Operation == "MailItemsAccessed"
| where LogonType in ("Delegate", "Application")
| where ClientAppId !in ("<known_app_id_1>", "<known_app_id_2>")
| project TimeGenerated, UserId, ClientAppId, LogonType, UserAgent, ApplicationId
Detection becomes even more effective when correlated with Azure AD sign-in and token issuance logs. Malicious Graph API abuse typically involves OAuth refresh tokens issued to unfamiliar apps or client IDs outside your organization’s control. High-frequency polling, external tenant app registrations, and consent grants using risky scopes like Mail.ReadWrite should raise flags. SOCs can hunt for non-interactive sign-ins paired with access to mailbox folders like Drafts, especially if the same mailbox is accessed repeatedly using an application identity.
SigninLogs
| where AppDisplayName !in ("Office 365 Exchange Online", "Outlook", "YourKnownApps")
| where ConditionalAccessStatus != "success"
| where ResourceDisplayName == "Microsoft Graph"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Status, AuthenticationRequirement
Finally, any detection strategy should include behavioral patterns: Graph-based implants need to poll regularly, so look for repetitive GET requests to mailFolders or driveItem endpoints. Track which processes are reaching out to graph.microsoft.com from endpoints — especially unsigned binaries, PowerShell spawn points, or DLLs side-loaded in memory. The goal isn’t just to catch access — it’s to recognize the adversary’s operational rhythm. Attackers may hide behind Microsoft’s trusted cloud infrastructure, but they still need to come up for air. These audit and identity signals are your way of catching them in the act.
Look for Anomalies in Graph API URI Patterns
Even in cloud-first environments, Graph traffic isn’t completely random. Microsoft applications follow fairly consistent URI patterns when interacting with Graph endpoints. Malicious usage, on the other hand, often involves access to unusual file paths, custom OneDrive directories, or mailbox folders that deviate from standard usage.
While searching for exact Graph API URLs from previous APT campaigns (drive/root:/onlinework/contact/…, for example) won’t yield much in the long run, identifying new or rarely seen paths can be a powerful signal. Behavioral baselining — particularly around Graph URIs involving drive/, me/messages, or drafts — can help spot suspicious deviations, especially if the same path is accessed repeatedly in a short time frame.
Pattern Graph Request Frequency and Method Types
Graph API-based C2 often involves polling. Implants need to check for new commands (typically using GET requests), exfiltrate data (PUT or PATCH), and regularly refresh OAuth tokens (POST to /token endpoints). While each individual request may look normal, the combined pattern — high-frequency or scheduled polling to specific Graph endpoints — can give it away.
Look for:
- Periodic access to the same driveItem or message ID
- Unusual volume of GET or PUT requests to graph.microsoft.com
- Recurrent POST requests to /oauth2/v2.0/token outside of normal token lifetimes
- Implants that make requests at rigid intervals (e.g. every 30 seconds)
Behavioral clustering and temporal analysis can highlight these patterns when a single request would not raise suspicion.
Correlate Client IDs in OAuth Flows
Every legitimate Graph interaction tied to an application uses a registered client_id. You should know yours. Monitoring for OAuth token exchanges involving unknown or suspicious client_id values — especially during initial POST requests to login.microsoftonline.com — is a high-value detection method.
When an adversary is using their own tenant to reach into yours (as many now do), their client_id won’t match your own application’s registered values. Catching unknown client_ids or tokens being requested from an unfamiliar redirect URI (urn:ietf:wg:oauth:2.0:oob, for example) can tip you off to external abuse.
Bonus: If you’re collecting decrypted network traffic or proxy logs, this becomes much easier. If not, identity-based SIEM integrations or token introspection (if supported) can be leveraged internally.
Use EDR to Link Processes and Domain Lookups
Graph implants may run in-memory, load as DLLs, or even hijack trusted binaries to remain stealthy — but they still need to resolve graph.microsoft.com. A powerful detection strategy is to correlate which processes are generating DNS requests to Graph endpoints.
You’re not looking for Word, Outlook, or a signed Microsoft binary here. You’re looking for unusual or rare binaries — often DLL sideloaded tools or unsigned payloads — initiating outbound Graph lookups.
If your EDR platform supports process-to-DNS correlation, this technique can surface suspicious implant behavior, especially in cases like FINALDRAFT or Graphite, where custom malware impersonates trusted DLLs or persists quietly within the host.
Correlate Suspicious PowerShell and Local File Activity
Almost every Graph-based C2 tool eventually executes something locally. That includes decoding payloads from OneDrive, writing output to temp directories, executing PowerShell commands, or interacting with COM objects.
Focus on:
- PowerShell instances that don’t invoke powershell.exe directly (e.g. via rundll32.exe, mshta.exe, or WMI)
- Scripts interacting with Graph API endpoints using Invoke-WebRequest or Invoke-RestMethod
- File writes to system or user directories involving unexpected formats like .jpg, .png, or .dat that are actually encoded data
- Unusual DLLs or processes that spawn Powershell or load .NET assemblies
Correlate these host-level artifacts with outbound network Graph traffic to stack the signals together.
Look for Token Abuse Across Tenants
Some Graph-based malware abuses refresh tokens that don’t belong to the tenant it’s operating in — especially in attacks where the implant communicates with a remote, attacker-controlled O365 account. This manifests as:
- Token refresh activity (POST /token) from your tenant pointing to a client ID that isn’t yours
- Cross-tenant file activity — your users accessing OneDrive accounts not provisioned by your org
- Draft message manipulation in mailboxes that aren’t part of normal workflows
Many identity and security platforms (e.g. Defender for Cloud Apps, Okta, Azure AD logs) now offer visibility into these tenant boundaries. Monitor for out-of-bound refresh token usage or mailbox interactions between unrelated accounts.
Monitor for Unusual Draft or Shared Mailbox Activity
Techniques like FINALDRAFT and AzureOutlookC2 rely on reading and writing draft emails via Graph API. In some cases, these messages are never sent — they’re just used as a covert channel between attacker and implant.
SOC teams should monitor for:
- Unusual access patterns to the drafts folder via API
- Frequent reads and writes from service principals that don’t normally interact with mailboxes
- Drafts being created and deleted in short succession
- Shared mailboxes being accessed outside business hours or from new IPs
This is especially effective in environments where draft folder access is rare or limited to specific workflows.
Conclusion
Microsoft Graph abuse isn’t going away — and the detection surface is subtle, spread across identity, endpoint, and cloud layers. But by thinking like an attacker and watching for the architectural patterns they must rely on (frequent polling, unknown tenants, predictable timing, uncommon URI paths), defenders can still carve out detection space in this otherwise gray area of traffic.
Your best bet? Correlate signals across layers. A single POST to graph.microsoft.com means little. But when paired with suspicious PowerShell, a DNS lookup from an unsigned binary, and access to an unfamiliar client_id — now you’ve got a story worth investigating.