MITRE ATT&CK / T1102
T1102
Web Service
Description
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
Platforms
Mitigations
- M1031 — Network Intrusion Prevention
- M1021 — Restrict Web-Based Content
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- Operation HookedWing: 4-Year Phishing Campaign Hits 500+ Organizations Across Aviation, Energy, and Logistics
- Vercel's v0.dev AI Tool Weaponized for Phishing Campaigns Targeting Microsoft, Nike Users
- PyPI Malware Campaign Abuses Zulip Chat API as Command-and-Control Channel
- Metasploit Adds ARMLE Support to CVE-2026-31431 Copy Fail Linux Root Exploit
- Braintrust AWS Breach Exposes AI Provider API Keys, All Customers Ordered to Rotate Secrets
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →