DET0153: Detection Strategy for Exfiltration Over Webhook
Analyst context for executives and security teams
DET0153 is a MITRE detection strategy object for detecting Exfiltration Over Webhook (T1567.004). Its practical value is that webhook-based data theft can look like ordinary outbound HTTPS activity to common collaboration or automation services, so leadership should not assume perimeter logging alone proves coverage. The business question is whether the organization can distinguish legitimate webhook use from unusual data movement before sensitive data leaves controlled systems.
Executive priority
Treat this as a validation topic for data-loss readiness and SOC visibility rather than a standalone control. Because the related ATT&CK technique is in the exfiltration tactic and applies to environments including ESXi, Linux, macOS, and Office Suite, executives should ask whether approved webhook destinations are governed, whether outbound traffic is logged well enough for incident response, and whether evidence exists to support compliance or breach assessment decisions after suspected data loss.
Technical view
The supplied detection strategy has no official description, detection text, platforms, or tactics of its own. The only technical scope comes from its relationship to T1567.004, Exfiltration Over Webhook. SOC and detection engineering teams should therefore validate coverage around outbound HTTP/S posts to webhook-like endpoints, especially from the related platform areas: ESXi, Linux, macOS, and Office Suite. IR teams should confirm they can reconstruct source system, user or service identity, destination, timing, volume, and content classification where available.
Likely telemetry
- Outbound web proxy, secure web gateway, or firewall logs showing HTTP/S destinations, methods, timing, and byte counts
- DNS logs for webhook service domains or unusual newly observed destinations
- Endpoint process and network telemetry from Linux, macOS, and ESXi where available
- Office Suite audit logs for automation, connector, sharing, or outbound integration activity
- Data security or DLP events indicating sensitive content movement to external web services
Detection direction
- Inventory expected business use of webhooks and compare observed destinations against approved integrations to reduce false positives.
- Look for unusual outbound HTTP/S data volume, frequency, or destination patterns from systems that do not normally send webhook traffic.
- Correlate web destination activity with endpoint process context and identity activity; network-only logs may not explain whether a webhook transfer was authorized.
- Tune carefully for legitimate collaboration, DevOps, ticketing, and automation platforms, because webhook traffic can be normal business activity.
- Use the relationship to T1567.004 as the analytic anchor, since DET0153 itself provides no official detection logic or platform-specific guidance.
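The checks listed above, applied to constructed proxy log lines as an added example (this is illustrative code, not part of DET0153 or the ATT&CK object). It assumes a simplified log format, a constructed approved-integration inventory, a constructed baseline of hosts that normally send webhooks, and an arbitrary per-POST byte threshold.

```python
# Added example: approved-destination, new-sender and volume checks for webhook-like POSTs.
from collections import defaultdict
from typing import NamedTuple

WEBHOOK_PATTERNS = ("hooks.", "webhook", "/services/")  # webhook-looking hosts/paths (assumption)
APPROVED = {"hooks.slack.com": {"ci-runner-01"}}  # constructed inventory: dest -> allowed source hosts
BASELINE_SENDERS = {"ci-runner-01"}  # constructed baseline: hosts that normally send webhook traffic
BYTES_THRESHOLD = 1_000_000  # a single POST above this is flagged (assumption)

# Constructed log lines; assumed format: ts src_host user method dest_host path bytes_out
SAMPLE_LOG = """\
2025-01-01T10:00:01Z ci-runner-01 svc-ci POST hooks.slack.com /services/T0/B0/x 812
2025-01-01T10:05:09Z ws-finance-07 alice POST discord.example /api/webhooks/123/abc 2400000
2025-01-01T10:05:41Z ws-finance-07 alice POST discord.example /api/webhooks/123/abc 2400000
2025-01-01T10:07:00Z esxi-03 root POST hooks.slack.com /services/T0/B9/y 300
2025-01-01T10:08:00Z ws-hr-02 bob GET www.example.com / 512
"""

Event = NamedTuple("Event", [("ts", str), ("src", str), ("user", str), ("method", str),
                             ("dest", str), ("path", str), ("nbytes", int)])

def parse(line: str) -> Event:
    ts, src, user, method, dest, path, nbytes = line.split()
    return Event(ts, src, user, method, dest, path, int(nbytes))

def looks_like_webhook(ev: Event) -> bool:
    return ev.method == "POST" and any(p in ev.dest + ev.path for p in WEBHOOK_PATTERNS)

def detect(log_text: str):
    """Return (sorted distinct findings, per-source POST count and bytes) for webhook-like POSTs."""
    findings = set()
    per_src = defaultdict(lambda: [0, 0])  # src -> [post_count, bytes_out]
    for line in log_text.splitlines():
        ev = parse(line)
        if not looks_like_webhook(ev):
            continue
        per_src[ev.src][0] += 1
        per_src[ev.src][1] += ev.nbytes
        allowed = APPROVED.get(ev.dest)
        if allowed is None:  # destination absent from the governance inventory
            findings.add(("unapproved_destination", ev.src, ev.dest))
        elif ev.src not in allowed:  # approved service, but used from an unexpected host
            findings.add(("unexpected_source", ev.src, ev.dest))
        if ev.src not in BASELINE_SENDERS:  # host that does not normally send webhooks
            findings.add(("new_webhook_sender", ev.src, ev.dest))
        if ev.nbytes > BYTES_THRESHOLD:  # payload far larger than a notification
            findings.add(("large_post", ev.src, ev.dest))
    return sorted(findings), {k: tuple(v) for k, v in per_src.items()}

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The per-source totals are what lets an analyst correlate volume with endpoint and identity context, which the network log alone cannot settle.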
Mitigation priorities
- Establish governance for approved webhook services, owners, and business purposes.
- Restrict or monitor outbound access to unapproved webhook endpoints where policy and architecture allow.
- Require strong identity controls for accounts and automation that can create or use external integrations.
- Ensure logging retention and auditability for outbound web traffic, Office Suite activity, and relevant endpoint/network events.
- Pair monitoring with data handling controls such as DLP or content classification where sensitive data exfiltration risk is material.
Analyst notes and limits
This object is a detection strategy, not the underlying technique. The meaningful ATT&CK context is its "detects" relationship to T1567.004, Exfiltration Over Webhook. Glexia should position this as a coverage-assessment prompt for managed detection, incident response readiness, cloud/SaaS governance, identity review, and compliance evidence around external data movement.
The official object supplies no description, detection text, platforms, tactics, aliases, or labels. Platform and tactic context is inherited only from the related technique provided in the relationship context. Local environment evidence is required to determine whether webhook use is legitimate, risky, or detectable.
Detection Strategy for Exfiltration Over Webhook
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.004 | Exfiltration Over Webhook Sub-technique | This object detects Exfiltration Over Webhook. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cf994913552b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0153 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.