Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-WebhookAbuse-Exfiltration.

Upgrade to Pro
THREAT-WebhookAbuse-Exfiltration

Data Exfiltration via Abused Chat/Collaboration Webhooks

Exfiltration Last updated:

Adversaries and commodity malware increasingly exfiltrate collected data by POSTing it directly to a webhook URL belonging to a legitimate chat/collaboration platform (Discord, Slack, Microsoft Teams, Telegram Bot API) rather than to attacker-registered infrastructure. Because the destination is a trusted, widely-used SaaS domain (discord.com, hooks.slack.com, api.telegram.org, webhook.office.com), traffic blends with normal business or personal use and is rarely blocked by domain-category web filtering. Commodity infostealers (RedLine, Raccoon, and numerous Discord-webhook-based stealer builders sold on criminal forums) hardcode a webhook URL and POST harvested browser credentials, cookies, and system information as a JSON body immediately after collection. This differs from the HTTP-header-smuggling pattern already in this corpus (which hides data in header fields to evade body inspection) and from the cloud-storage rclone/AzCopy pattern (which uses dedicated sync tooling) by keying on two distinct signals: (1) an outbound POST request to a known webhook endpoint pattern (discord.com/api/webhooks/, hooks.slack.com/services/, api.telegram.org/bot) originating from a process that is not the platform's own client application, and (2) a JSON request body of unusual size or containing high-entropy/Base64-encoded content, since legitimate webhook integrations (CI/CD notifications, monitoring alerts) post small, low-entropy structured payloads.

What is THREAT-WebhookAbuse-Exfiltration Data Exfiltration via Abused Chat/Collaboration Webhooks?

Data Exfiltration via Abused Chat/Collaboration Webhooks (THREAT-WebhookAbuse-Exfiltration) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration via Abused Chat/Collaboration Webhooks, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceNetworkEvents, DeviceProcessEvents), Sysmon Event ID 1, 3, Proxy/web gateway logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let TimeWindow = 24h;
let WebhookDomains = dynamic(["discord.com", "discordapp.com", "hooks.slack.com", "api.telegram.org", "webhook.office.com", "outlook.office.com"]);
let LegitimateWebhookProcesses = dynamic(["teams.exe", "slack.exe", "discord.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where ActionType =~ "ConnectionSuccess"
| where RemoteUrl has_any (WebhookDomains)
| where RemoteUrl has_any ("/api/webhooks/", "/services/", "/bot")
| where InitiatingProcessFileName !in~ (LegitimateWebhookProcesses)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, RemoteUrl, RemoteIP, SentBytes
| extend ThreatType = "Exfil_WebhookAbuse"
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(TimeWindow)
    | where ProcessCommandLine has_any ("webhooks", "hooks.slack", "api.telegram.org", "FromBase64String", "ConvertTo-Json")
    | project DeviceName, AccountName, ScriptIndicatorCmd = ProcessCommandLine, ScriptTimestamp = Timestamp
  ) on DeviceName, AccountName
| where isempty(ScriptIndicatorCmd) or datetime_diff('minute', Timestamp, ScriptTimestamp) between (-5 .. 5)
| summarize
    PostCount = count(),
    TotalBytesSent = sum(SentBytes),
    Processes = make_set(InitiatingProcessFileName),
    SampleCommandLine = any(ScriptIndicatorCmd),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by DeviceName, AccountName, RemoteUrl
| extend RiskScore = iff(PostCount > 5 or TotalBytesSent > 50000, 80, 60)
| sort by RiskScore desc, PostCount desc

Detects data exfiltration via abused chat/collaboration webhooks by flagging outbound POST connections to known webhook domain patterns (Discord, Slack, Telegram Bot API, Microsoft Teams) that do not originate from the platform's own legitimate client application. Correlates with process-creation telemetry for scripting/encoding indicators (PowerShell FromBase64String/ConvertTo-Json, curl invocations referencing the same webhook domains) within a 5-minute window, then scores by POST frequency and total bytes sent — repeated or high-volume posts from a non-client process to a webhook URL are the strongest exfiltration signal.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint (DeviceNetworkEvents, DeviceProcessEvents) Sysmon Event ID 1, 3 Proxy/web gateway logs

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

  • Legitimate CI/CD pipeline notifications posting build status to a Slack or Teams incoming webhook from a build agent
  • Monitoring/alerting tools (Grafana, PagerDuty, Nagios) configured to post alerts to a Discord or Slack webhook
  • Internal automation scripts (approved by IT) that relay application events to a team's Slack/Teams channel via webhook
  • Telegram or Discord bot integrations used for legitimate business notifications

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via Abused Chat/Collaboration Webhooks (THREAT-WebhookAbuse-Exfiltration) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Exfiltration of Collected Data via Webhook-Style POST

    Expected signal: Sysmon Event ID 1: powershell.exe with ConvertTo-Json/FromBase64String-style command line. Sysmon Event ID 3: powershell.exe connecting to 127.0.0.1:8080 with a URI path matching /api/webhooks/. Proxy/packet capture (if present) shows a JSON POST body.

  2. Test 2Linux curl Chunked Exfiltration via Simulated Slack Incoming Webhook

    Expected signal: auditd/Sysmon-for-Linux: execve records for curl and connect() calls to 127.0.0.1:8080 at ~1-second intervals, six POSTs with a URI path matching /services/.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-WebhookAbuse-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.