MITRE ATT&CK® Detection Strategy

DET0548: Detection Strategy for Exfiltration Over Web Service

Enterprise | DET0548 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0548 is a MITRE detection strategy for recognizing exfiltration through legitimate external web services. The business issue is that this behavior can blend into normal approved web traffic, especially where firewall rules and user workflows already permit access to common services. For leaders, the decision value is whether the organization can distinguish routine use of web services from unusual outbound data movement before an incident becomes a data-loss, legal, or continuity problem.

Executive priority

Prioritize this as a data-protection and incident-readiness question: which legitimate web services are allowed, which users and systems should use them, and what evidence would prove whether sensitive data left the environment? Because the ATT&CK relationship maps this strategy to Exfiltration Over Web Service under the exfiltration tactic, executives should ask whether web, network, identity, endpoint, and data-access logging are sufficient to support investigation and compliance evidence after a suspected data loss event.

Technical view

The supplied ATT&CK object has no official detection text and no platforms of its own, but it detects T1567, Exfiltration Over Web Service, which is associated with ESXi, Linux, macOS, and Office Suite in the provided relationship context. SOC and detection teams should validate whether they can observe outbound use of legitimate external web services, correlate that activity with user/system context, and identify unusual volume, destination, timing, or source patterns. IR teams should confirm they can reconstruct what host or account sent data, to which service, and whether the activity aligns with expected business use.

Likely telemetry

  • Web proxy, secure web gateway, or firewall logs showing outbound connections to external web services
  • DNS resolution logs for external service domains
  • TLS/SSL metadata where available, such as destination, certificate, SNI, timing, and volume indicators
  • Endpoint network telemetry from ESXi, Linux, and macOS systems where collected
  • Office Suite audit or activity logs where web-service exfiltration could involve office productivity workflows

Detection direction

  • Baseline approved external web service usage by business unit, role, device type, and workload so alerts are not driven only by the fact that a common service was used.
  • Look for deviations such as unusual upload volume, uncommon source systems, new or rare destinations, abnormal hours, or activity from accounts that do not normally interact with the service.
  • Correlate network events with identity, endpoint, and file-access evidence; destination-only detection is likely weak because legitimate services may already be allowed.
  • Tune for high false-positive potential from normal collaboration, backup, sync, or productivity activity, especially around Office Suite workflows.
  • Validate blind spots created by encrypted SSL/TLS traffic, permissive firewall rules, incomplete proxy coverage, unmanaged devices, and limited logging on non-Windows platforms referenced by the related technique.
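The baselining and deviation checks in the list above, run over a few proxy log lines, as an added example that is not part of DET0548 or of the Glexia page. The tab-separated log schema, the field names, the 07:00-19:59 UTC business-hours window, the thresholds, the account names and the destination hostnames are all assumptions for illustration; the sample log is constructed, not captured. The code learns per-account upload behaviour to each destination from a baseline window, then flags later uploads that are the account's first upload to that service, that exceed the learned volume, or that happen outside business hours, while letting a backup service account's routine multi-gigabyte uploads through:

```python
"""Baseline-and-deviation detection over web-proxy logs for T1567-style
exfiltration through allowed web services.

Added example, not part of DET0548 or the page. Schema, field names,
business-hours window, thresholds and hostnames are assumptions; the
sample log below is constructed, not captured from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

UPLOAD_METHODS = {"PUT", "POST"}
BUSINESS_HOURS_UTC = range(7, 20)   # assumption: 07:00-19:59 UTC is routine
# Assumption: events before this instant form the learning (baseline) window.
BASELINE_END = datetime(2024, 3, 8, tzinfo=timezone.utc)

# Constructed sample log. Assumed tab-separated schema:
# timestamp  user  source_host  destination_host  method  bytes_out
SAMPLE_LOG = """\
2024-03-04T09:12:01Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t2400000
2024-03-05T09:31:10Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t1800000
2024-03-06T11:02:00Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t2100000
2024-03-07T09:48:19Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t2600000
2024-03-04T08:55:12Z\tbob\tws-bob\tdrive.example-cloud.com\tGET\t1200
2024-03-05T09:10:50Z\tbob\tws-bob\tdrive.example-cloud.com\tGET\t900
2024-03-06T13:22:03Z\tbob\tws-bob\tdrive.example-cloud.com\tGET\t1500
2024-03-04T10:00:02Z\tsvc-backup\tesxi-01\tbackup.example-cloud.com\tPUT\t5000000000
2024-03-05T10:00:03Z\tsvc-backup\tesxi-01\tbackup.example-cloud.com\tPUT\t5100000000
2024-03-06T10:00:01Z\tsvc-backup\tesxi-01\tbackup.example-cloud.com\tPUT\t4900000000
2024-03-08T02:17:33Z\tbob\tws-bob\tdrive.example-cloud.com\tPUT\t950000000
2024-03-08T02:21:09Z\tbob\tws-bob\tpaste.example-share.net\tPOST\t40000000
2024-03-08T09:20:41Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t2300000
2024-03-08T10:00:02Z\tsvc-backup\tesxi-01\tbackup.example-cloud.com\tPUT\t5020000000
2024-03-08T15:05:27Z\talice\tws-alice\tdrive.example-cloud.com\tPUT\t400000000
"""


def parse_log(text):
    """Parse the assumed schema into event dicts with aware UTC timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, method, bytes_out = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "src": src, "dst": dst,
            "method": method, "bytes_out": int(bytes_out),
        })
    return events


def build_baseline(events):
    """Upload sizes per (user, destination) seen in the baseline window.
    Only uploads count: routine GETs to a service do not make a later PUT
    from the same account look normal (destination alone is weak evidence)."""
    baseline = defaultdict(list)
    for e in events:
        if e["ts"] < BASELINE_END and e["method"] in UPLOAD_METHODS:
            baseline[(e["user"], e["dst"])].append(e["bytes_out"])
    return baseline


def detect(events, baseline):
    """Flag uploads after the baseline window that deviate from learned behaviour."""
    findings = []
    for e in events:
        if e["ts"] < BASELINE_END or e["method"] not in UPLOAD_METHODS:
            continue
        reasons = []
        history = baseline.get((e["user"], e["dst"]))
        if not history:
            reasons.append("first_upload_to_destination")
        else:
            # Volume rule: beyond mean + 3 sigma AND beyond twice the largest
            # upload seen, so a tight baseline does not fire on small jitter.
            threshold = max(mean(history) + 3 * pstdev(history), 2 * max(history))
            if e["bytes_out"] > threshold:
                reasons.append("upload_volume_above_baseline")
        if e["ts"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside_business_hours")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "src": e["src"], "dst": e["dst"],
                             "bytes_out": e["bytes_out"], "reasons": reasons})
    return findings


def run(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for f in run():
        print(f"{f['ts']} {f['user']}@{f['src']} -> {f['dst']} "
              f"{f['bytes_out']} bytes: {', '.join(f['reasons'])}")
```

On the constructed sample this yields three findings: bob's 02:17 upload to the drive service (an account that only ever downloaded from it, now uploading at night), bob's 02:21 post to the paste service (a destination the account has never uploaded to, again at night), and alice's 400 MB afternoon upload to a service she uses daily in the low-megabyte range. The svc-backup account's 5 GB upload from esxi-01 is not flagged because its history makes that volume normal, which is the tuning point the list makes about backup and sync workloads. In production the baseline would be a rolling window, the grouping would also cover role, device type and workload, and each finding would be joined to identity, endpoint and file-access evidence before it is treated as exfiltration.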

Mitigation priorities

  • Define and periodically review which external web services are business-approved and which systems or users should access them.
  • Ensure logging is retained across web gateway/proxy, DNS, identity, endpoint, and relevant Office Suite activity sources so investigations can prove or disprove exfiltration.
  • Apply least-privilege and access governance to accounts and systems that can reach or upload to external services.
  • Use data-handling controls and monitoring for sensitive repositories so outbound web activity can be tied back to potentially exposed data.
  • Create IR playbooks for suspected web-service exfiltration, including account containment, host triage, log preservation, and legal/compliance escalation criteria.

Analyst notes and limits

This take is based on the detection strategy object DET0548 and its relationship to ATT&CK technique T1567, Exfiltration Over Web Service. The most important operational point is that legitimate services can provide cover for exfiltration because they may already be permitted and commonly use encrypted web traffic. Detection quality will depend less on a single signature and more on correlation, baselining, and retention across network, identity, endpoint, and application telemetry.

The official detection strategy description and detection text were not provided, and the detection strategy itself lists no platforms or tactics. Platform and tactic context comes only from the related T1567 technique supplied in the relationship context. Local service allowlists, logging architecture, data classification, and normal business workflows are required to determine practical coverage.

Official MITRE ATT&CK definition

Detection Strategy for Exfiltration Over Web Service

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1567
Name: Exfiltration Over Web Service
Relationship / procedure: This object detects Exfiltration Over Web Service.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created / Modified: no timestamp is present in the mirrored snapshot
Raw hash: cb2207333f7b65c8...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.0, current bundle, raw hash cb2207333f7b…)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0548 (MITRE source record)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.