MITRE ATT&CK Technique
Description
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server) Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-07-20T15:30:55.763Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may exfiltrate data to a webhook endpoint rather '
'than over their primary command and control channel. Webhooks '
'are simple mechanisms for allowing a server to push data over '
'HTTP/S to a client without the need for the client to '
'continuously poll the server.(Citation: RedHat Webhooks) Many '
'public and commercial services, such as Discord, Slack, and '
'`webhook.site`, support the creation of webhook endpoints '
'that can be used by other services, such as Github, Jira, or '
'Trello.(Citation: Discord Intro to Webhooks) When changes '
'happen in the linked services (such as pushing a repository '
'update or modifying a ticket), these services will '
'automatically post the data to the webhook endpoint for use '
'by the consuming application. \n'
'\n'
'Adversaries may link an adversary-owned environment to a '
'victim-owned SaaS service to achieve repeated [Automated '
'Exfiltration](https://attack.mitre.org/techniques/T1020) of '
'emails, chat messages, and other data.(Citation: Push '
'Security SaaS Attacks Repository Webhooks) Alternatively, '
'instead of linking the webhook endpoint to a service, an '
'adversary can manually post staged data directly to the URL '
'in order to exfiltrate it.(Citation: Microsoft SQL Server)\n'
'\n'
'Access to webhook endpoints is often over HTTPS, which gives '
'the adversary an additional level of protection. Exfiltration '
'leveraging webhooks can also blend in with normal network '
'traffic if the webhook endpoint points to a commonly used '
'SaaS application or collaboration service.(Citation: CyberArk '
'Labs Discord)(Citation: Talos Discord Webhook '
'Abuse)(Citation: Checkmarx Webhooks)',
'external_references': [{'external_id': 'T1567.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1567/004'},
{'description': ' Jossef Harush Kadouri. (2022, March '
'7). Webhook Party — Malicious '
'packages caught exfiltrating data '
'via legit webhook services. '
'Retrieved July 20, 2023.',
'source_name': 'Checkmarx Webhooks',
'url': 'https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191'},
{'description': 'CyberArk Labs. (2023, April 13). The '
'(Not so) Secret War on Discord. '
'Retrieved July 20, 2023.',
'source_name': 'CyberArk Labs Discord',
'url': 'https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord'},
{'description': 'D. (n.d.). Intro to Webhooks. '
'Retrieved July 20, 2023.',
'source_name': 'Discord Intro to Webhooks',
'url': 'https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks'},
{'description': 'Microsoft Threat Intelligence. '
'(2023, October 3). Defending new '
'vectors: Threat actors attempt SQL '
'Server to cloud lateral movement. '
'Retrieved October 3, 2023.',
'source_name': 'Microsoft SQL Server',
'url': 'https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/'},
{'description': 'Nick Biasini, Edmund Brumaghin, '
'Chris Neal, and Paul Eubanks. (2021, '
'April 7). '
'https://blog.talosintelligence.com/collab-app-abuse/. '
'Retrieved July 20, 2023.',
'source_name': 'Talos Discord Webhook Abuse',
'url': 'https://blog.talosintelligence.com/collab-app-abuse/'},
{'description': 'Push Security. (2023, July 31). '
'Webhooks. Retrieved August 4, 2023.',
'source_name': 'Push Security SaaS Attacks '
'Repository Webhooks',
'url': 'https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md'},
{'description': 'RedHat. (2022, June 1). What is a '
'webhook?. Retrieved July 20, 2023.',
'source_name': 'RedHat Webhooks',
'url': 'https://www.redhat.com/en/topics/automation/what-is-a-webhook'}],
'id': 'attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'exfiltration'}],
'modified': '2025-04-15T19:58:26.901Z',
'name': 'Exfiltration Over Webhook',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Yossi Weizman, Microsoft Threat Intelligence',
'Sunders Bruskin, Microsoft Threat Intelligence'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows',
'macOS',
'Linux',
'SaaS',
'Office Suite',
'ESXi'],
'x_mitre_version': '1.2'}