title: Exfiltration Over Web Service (T1567)
id: df00tech-t1567
status: experimental
description: "Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Popular web services give significant cover as an exfiltration mechanism because hosts within a network are likely already communicating with them before compromise, and firewall rules permitting traffic to these services may already exist. Because web service providers commonly use SSL/TLS, the exfiltrated content is also hidden from network inspection unless TLS is terminated. Observed real-world abuse includes exfiltration to Telegram (Magic Hound, Contagious Interview), cloud storage (APT28 to Google Drive, Exbyte/BlackByte to Mega.co.nz), code repositories, file-sharing services (anonymfiles.com, file.io), and Microsoft Exchange Web Services (OilCheck, SampleCheck5000)."
references:
  - https://attack.mitre.org/techniques/T1567/
  - https://df00tech.com/detections/T1567
author: df00tech
date: 2026/04/21
tags:
  - attack.t1567
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# On Windows, category network_connection corresponds to Sysmon Event ID 3; the
# DestinationHostname field is only populated when Sysmon's DnsLookup option is enabled.
logsource:
  category: network_connection
  product: windows
detection:
  # Starting-point logic built from the services named in the description; the
  # full KQL/SPL query is on df00tech. Extend the host lists for your environment.
  # Apex domains are matched exactly so that a bare 'file.io' suffix does not also
  # match unrelated hosts such as 'profile.io'.
  selection_outbound:
    Initiated: 'true'
  selection_subdomain:
    DestinationHostname|endswith:
      - '.telegram.org'
      - '.mega.co.nz'
      - '.anonymfiles.com'
      - '.file.io'
  selection_apex:
    DestinationHostname:
      - 'telegram.org'
      - 'mega.co.nz'
      - 'anonymfiles.com'
      - 'file.io'
  condition: selection_outbound and (selection_subdomain or selection_apex)
falsepositives:
  - "Developers legitimately pushing code to GitHub, GitLab, or Bitbucket from workstations, especially large repositories or LFS objects"
  - "IT automation scripts (SCCM, Intune, Ansible) uploading diagnostics or configuration files to cloud storage like OneDrive or S3"
  - "Employees using Telegram, Discord, or Slack desktop apps to share work files; the initiating process may be a browser or Electron app"
  - "Backup agents uploading to cloud storage providers (Dropbox, OneDrive, Google Drive sync clients), which generate continuous high-volume traffic"
  - "Security tools or monitoring agents sending telemetry to SaaS platforms with large payloads"
level: high
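The following Python script is an added example and is not part of the df00tech rule or its KQL/SPL query. It applies the kind of hostname selection this rule describes to Sysmon Event ID 3 (network_connection) records: outbound connections to the services named in the description are flagged, a label-aware suffix match keeps `profile.io` from matching `file.io`, and hits from the browsers, sync clients and chat apps named under falsepositives are downgraded to medium rather than suppressed, since a browser upload can still be exfiltration. The process names in `KNOWN_BENIGN_IMAGES` and the sample events are constructed for the example.

```python
"""Evaluate Sysmon Event ID 3 (network_connection) records for outbound
connections to web services named in the T1567 rule description.

Added example; the event records below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Services named in the rule description as observed exfiltration targets.
EXFIL_HOST_SUFFIXES = (
    "telegram.org",      # Telegram bot API (Magic Hound, Contagious Interview)
    "mega.co.nz",        # Mega cloud storage (Exbyte/BlackByte)
    "anonymfiles.com",   # file-sharing
    "file.io",           # file-sharing
    "drive.google.com",  # Google Drive (APT28)
)

# Assumed process names for the clients listed under falsepositives. A hit from
# one of these is downgraded rather than dropped: a browser upload can still be
# exfiltration, it just needs more context before it is treated as high.
KNOWN_BENIGN_IMAGES = frozenset({
    "chrome.exe", "msedge.exe", "firefox.exe",
    "onedrive.exe", "dropbox.exe", "googledrivefs.exe",
    "telegram.exe", "slack.exe", "discord.exe",
})


@dataclass(frozen=True)
class Alert:
    severity: str
    computer: str
    user: str
    image: str
    hostname: str


def host_matches(hostname: str) -> bool:
    """True if hostname is one of the listed domains or a subdomain of one.

    Label-aware: 'profile.io' must not match 'file.io', while 'api.telegram.org'
    must match 'telegram.org'. A plain endswith() gets the first case wrong.
    """
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in EXFIL_HOST_SUFFIXES)


def evaluate(events):
    """Apply the selection to Sysmon events (as dicts) and return a list of Alerts."""
    alerts = []
    for ev in events:
        # Only outbound connections; Initiated is the string 'true' in Sysmon XML.
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue
        hostname = ev.get("DestinationHostname", "")
        if not host_matches(hostname):
            continue
        image = ev.get("Image", "")
        basename = image.rsplit("\\", 1)[-1].lower()
        severity = "medium" if basename in KNOWN_BENIGN_IMAGES else "high"
        alerts.append(Alert(severity, ev.get("Computer", ""),
                            ev.get("User", ""), image, hostname))
    return alerts


# Constructed sample telemetry; field names follow Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice", "Initiated": "true",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice", "Initiated": "true",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "file.io", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS02", "User": "CORP\\bob", "Initiated": "true",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "DestinationHostname": "onedrive.live.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS02", "User": "CORP\\bob", "Initiated": "true",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "profile.io", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM", "Initiated": "false",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationHostname": "g.api.mega.co.nz", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.computer} {a.user} {a.image} -> {a.hostname}")
```

On the sample events only the PowerShell connection to `api.telegram.org` (high) and the Chrome connection to `file.io` (medium) are reported; the OneDrive sync traffic, the `profile.io` near-miss, the inbound Mega connection and the non-network event are all dropped. In production the same logic sits behind whichever SIEM query df00tech publishes, and `KNOWN_BENIGN_IMAGES` would be replaced by your own allowlist of approved clients.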
