T1567.004: Exfiltration Over Webhook
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[1] Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.[2] When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.
Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.[3] Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.[4]
Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.[5][6][7]
Analyst context for executives and security teams
Exfiltration over webhook matters because it can turn ordinary-looking HTTPS traffic to collaboration, SaaS, or developer services into a data-loss path. For leaders, the issue is not just malware command-and-control; it is whether sanctioned cloud and office workflows can be abused to move emails, chat messages, repository data, credentials, or other sensitive content outside the organization.
Executive priority
Prioritize this technique where the business depends on SaaS, office suites, code repositories, CI/CD, or collaboration platforms. The control question is whether the organization can prove which webhook integrations are approved, what sensitive data they can access, and whether outbound data movement to public webhook services is monitored. The relationship to Data Loss Prevention makes this relevant to compliance evidence and incident decision-making; the campaign relationship involving energy infrastructure also makes it worth considering in cyber-physical environments where SaaS or operational support workflows intersect with critical operations.
Technical view
ATT&CK lists this as an exfiltration sub-technique of Exfiltration Over Web Service across ESXi, Linux, macOS, Office Suite, SaaS, and Windows. Defenders should validate visibility into outbound HTTPS activity, SaaS webhook configuration changes, and data movement from endpoints, servers, office platforms, and repository/CI environments. No official MITRE detection text is provided, but a related detection strategy object, DET0153, is linked. Relationships also connect this behavior to Shai-Hulud, described as stealing credentials and access tokens from compromised repository accounts and exfiltrating them to webhooks, so developer-platform telemetry is especially important where applicable.
Likely telemetry
- Outbound web proxy, firewall, DNS, and TLS metadata for connections to webhook-capable services
- SaaS audit logs showing webhook creation, modification, authorization, and linked applications
- Office suite and collaboration audit logs for app integrations and automated data sharing
- Endpoint and server process/network telemetry showing unusual HTTPS posts or scripted data transfer
- Repository, package, and CI/CD logs for token access, workflow execution, dependency activity, and external callbacks
Detection direction
- Inventory approved webhook destinations and compare against observed outbound traffic and SaaS configuration changes.
- Tune detections for unusual volume, frequency, destination novelty, or sensitive-content movement over HTTPS rather than relying on domain reputation alone.
- Correlate webhook configuration events with suspicious account activity, repository changes, package activity, or endpoint process telemetry.
- Account for false positives from legitimate automation such as GitHub, Jira, Trello, Slack, Discord, and other business workflows.
- Validate blind spots in encrypted traffic inspection, SaaS audit-log retention, personal or unmanaged collaboration tools, and CI/CD environments.
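The description above covers two exfiltration paths (an adversary linking a victim SaaS service to a webhook they own, and an adversary posting staged data straight to a webhook URL), and the detection direction list asks for an approved-destination inventory compared against outbound traffic and SaaS configuration changes. The following is an added example, not code from MITRE, Glexia, or any referenced vendor, that triages both signals over constructed sample records. The proxy and audit log shapes, the host patterns for Discord, Slack and `webhook.site`, the allowlist and the volume threshold are all assumptions for illustration; in a real deployment they would come from your proxy schema, SaaS audit API and integration inventory.

```python
"""Hypothetical webhook-egress triage over constructed proxy and SaaS audit records.

Added example for this page, not MITRE or Glexia code. Log shapes, host patterns,
thresholds and the allowlist below are assumptions chosen for illustration.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed URL patterns for the public webhook receivers named on the page.
# Approval is checked by full URL prefix, not by host: discord.com serves both
# legitimate chat traffic and adversary-owned webhook endpoints.
WEBHOOK_PATTERNS = [
    re.compile(r"^https://discord(?:app)?\.com/api/webhooks/\d+/"),
    re.compile(r"^https://hooks\.slack\.com/services/"),
    re.compile(r"^https://webhook\.site/[0-9a-f-]{36}"),
]

# Assumed approved integrations: exact URL prefix -> owner / purpose.
APPROVED = {
    "https://hooks.slack.com/services/T000/B000/": "platform-team CI notifications",
}

# Constructed proxy log, one JSON object per line. Not real traffic.
PROXY_LOG = """\
{"ts":"2025-09-16T10:00:01Z","src":"10.1.2.3","user":"ci-runner","method":"POST","url":"https://hooks.slack.com/services/T000/B000/XXXX","bytes_out":412}
{"ts":"2025-09-16T10:00:05Z","src":"10.1.2.9","user":"jdoe","method":"POST","url":"https://discord.com/api/webhooks/1234/abcd","bytes_out":524288}
{"ts":"2025-09-16T10:00:09Z","src":"10.1.2.9","user":"jdoe","method":"POST","url":"https://discord.com/api/webhooks/1234/abcd","bytes_out":524288}
{"ts":"2025-09-16T10:00:15Z","src":"10.1.2.9","user":"jdoe","method":"POST","url":"https://webhook.site/1b4c6d2e-1111-4abc-9def-0123456789ab","bytes_out":2048}
{"ts":"2025-09-16T10:01:00Z","src":"10.1.2.7","user":"asmith","method":"GET","url":"https://discord.com/channels/1/2","bytes_out":0}
"""

# Constructed SaaS audit events for webhook creation. The event shape is assumed.
SAAS_AUDIT = """\
{"ts":"2025-09-16T09:58:00Z","service":"github","action":"hook.create","actor":"jdoe","target":"https://discord.com/api/webhooks/1234/abcd"}
{"ts":"2025-09-16T09:59:00Z","service":"github","action":"hook.create","actor":"ci-bot","target":"https://hooks.slack.com/services/T000/B000/XXXX"}
"""


def is_webhook_url(url):
    """True if the URL points at a known public webhook receiver."""
    return any(p.match(url) for p in WEBHOOK_PATTERNS)


def is_approved(url):
    """True if the URL falls under an approved integration prefix."""
    return any(url.startswith(prefix) for prefix in APPROVED)


def triage(proxy_text, audit_text, volume_threshold=1_000_000):
    """Return findings: unapproved webhook creation, unapproved POSTs, high-volume sources."""
    findings = []
    bytes_by_src_host = defaultdict(int)

    # SaaS side: a webhook linked to an unapproved receiver is the "linked service" path.
    for line in audit_text.splitlines():
        ev = json.loads(line)
        if ev["action"] == "hook.create" and is_webhook_url(ev["target"]) and not is_approved(ev["target"]):
            findings.append({"kind": "unapproved_webhook_created", "actor": ev["actor"],
                             "service": ev["service"], "target": ev["target"]})

    # Network side: direct POSTs to webhook receivers are the "manual post" path.
    for line in proxy_text.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or not is_webhook_url(rec["url"]):
            continue  # only POSTs to webhook receivers are egress candidates
        host = urlparse(rec["url"]).hostname
        bytes_by_src_host[(rec["src"], host)] += rec["bytes_out"]
        if not is_approved(rec["url"]):
            findings.append({"kind": "unapproved_webhook_post", "src": rec["src"], "user": rec["user"],
                             "url": rec["url"], "bytes_out": rec["bytes_out"]})

    # Volume per (source, receiver host) catches approved-looking hosts moving too much data.
    for (src, host), total in bytes_by_src_host.items():
        if total >= volume_threshold:
            findings.append({"kind": "high_volume_webhook_egress", "src": src,
                             "host": host, "bytes_out": total})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(PROXY_LOG, SAAS_AUDIT), indent=2))
```

On the constructed input this yields one unapproved webhook creation (the GitHub hook pointing at a Discord webhook), three unapproved POSTs, and one high-volume finding for the source that pushed about 1 MB to `discord.com`. The Slack POST is approved by prefix and produces nothing, and the GET to `discord.com/channels` is ignored because it is not a webhook URL. Correlating the `hook.create` actor with the proxy `user` field on the same day is the step that turns these into an incident rather than two separate alerts.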
Mitigation priorities
- Start with DLP coverage for network, endpoint, and cloud/SaaS channels handling sensitive data.
- Define and enforce approved webhook use cases, owners, destinations, and review intervals.
- Restrict or monitor unauthorized SaaS integrations and webhook creation where business processes allow.
- Harden identity and access controls for SaaS, office, repository, and CI/CD platforms that can create webhooks or access sensitive data.
- Use incident response playbooks that preserve SaaS audit logs, endpoint telemetry, DLP alerts, and proxy evidence when suspected exfiltration occurs.
Analyst notes and limits
This take is based only on the supplied ATT&CK fields, references, and relationships for T1567.004. The strongest decision value is validating whether legitimate web services and webhooks are governed as data egress channels, not merely allowed as normal SaaS traffic.
The supplied object does not include official detection logic, analytic details, or procedure-level evidence beyond the listed relationships. Local environment baselines, approved SaaS inventory, DLP policy scope, and log availability are required before making coverage or exposure claims.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567 | Exfiltration Over Web Service | This object is a sub-technique of Exfiltration Over Web Service. |
Groups, software, and campaigns
S9008: Shai-Hulud
Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, both distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a4608575e2f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] RedHat Webhooks: RedHat. (2022, June 1). What is a webhook? Retrieved July 20, 2023.
- [2] Discord Intro to Webhooks: D. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.
- [3] Push Security SaaS Attacks Repository Webhooks: Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.
- [4] Microsoft SQL Server: Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.
- [5] CyberArk Labs Discord: CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.
- [6] Talos Discord Webhook Abuse: Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.
- [7] Checkmarx Webhooks: Jossef Harush Kadouri. (2022, March 7). Webhook Party — Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.
- [8] mitre-attack: T1567.004.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.