
Microsoft Outlook. From Drafts to Breaches

By Javier Conejo del Cerro



In an advanced cyber-espionage campaign dubbed REF7707, attackers have repurposed Microsoft Outlook’s draft email feature into a covert command-and-control (C2) channel. The FinalDraft malware, uncovered by Elastic Security Labs, was used to infiltrate a South American foreign ministry, leveraging Microsoft 365’s legitimate services to evade detection. This stealthy approach highlights the increasing sophistication of state-sponsored threat actors and their ability to weaponize widely used cloud-based platforms for espionage.

Unlike traditional malware that communicates via external servers or command-and-control infrastructure, FinalDraft blends seamlessly into legitimate Microsoft traffic. By sending commands hidden in unsent email drafts and receiving responses in the same manner, the malware avoids raising security alerts, enabling long-term clandestine access and making forensic detection considerably more challenging.


Silent Infiltration: The Primary Targets


While the primary known victim is a government ministry in an undisclosed country in South America, analysis suggests the campaign extends beyond the region, with indicators linking it to Southeast Asia. The REF7707 campaign appears to focus on high-value institutions, particularly in government, foreign affairs, and telecommunications sectors. The attackers likely seek to gather intelligence on diplomatic negotiations, policy decisions, and sensitive state communications.


This technique is especially dangerous because it allows attackers to operate entirely within Microsoft’s trusted environment, bypassing many traditional security defenses. Unlike phishing-based initial intrusions, which often rely on user mistakes, FinalDraft exploits compromised systems to maintain deep persistence and expand its reach through lateral movement, all while masking its operations within normal business traffic.


The discovery of links between REF7707 and additional targets in Southeast Asia suggests that the attackers are part of a larger coordinated espionage effort with a global focus. The infrastructure analysis indicates previous compromises in telecommunications companies, internet service providers, and even educational institutions used as launch points for malware payload distribution.


How the Attack Works. Silent Execution


The attack sequence follows a structured pattern, utilizing multiple tools to ensure stealth, persistence, and the ability to bypass traditional security defenses:


1. Initial Compromise with PathLoader – The attack begins with a custom malware loader known as PathLoader, a lightweight executable designed to execute shellcode and deploy FinalDraft onto the target machine.


2. Using Microsoft Graph API – FinalDraft establishes a connection to Microsoft’s Graph API, allowing attackers to send and receive commands through Outlook’s draft email system without triggering security alerts.


3. OAuth Token Abuse – The malware retrieves OAuth refresh tokens embedded in its configuration, storing them in the Windows Registry for long-term persistence and continuous access.


4. Command Execution & Exfiltration – Commands from the attacker are disguised as email drafts (prefixed with `r_<session-id>`), while responses from the infected machine are stored as new drafts (`p_<session-id>`), ensuring that no traditional network communication occurs.


5. Lateral Movement & Credential Theft – FinalDraft supports 37 different commands, including:


   - Credential Theft: Extracting login details and authentication tokens to escalate privileges.


   - Process Injection: Running malicious payloads inside trusted processes like `mspaint.exe` to avoid detection.


   - Pass-the-Hash Attacks: Using stolen authentication credentials to move laterally within the organization’s network.


   - Network Proxying: Establishing covert network tunnels to communicate with attacker-controlled infrastructure.


   - File Manipulation: Copying, deleting, and modifying files stealthily.


   - PowerShell Execution: Running scripts without launching `powershell.exe`, allowing stealthy execution of administrative commands.


Security researchers also found a Linux variant of FinalDraft, capable of using Outlook via the REST API and Graph API, alongside alternative C2 methods such as reverse UDP, ICMP, TCP, and DNS tunneling. This cross-platform capability suggests that the attackers aim to infiltrate both Windows and Linux-based environments, expanding their espionage reach beyond traditional government infrastructure.


Closing the Backdoor


Given the stealthy nature of FinalDraft and the increasing use of cloud-based attack vectors, organizations must adopt a multi-layered security approach to mitigate these threats effectively:


- Monitor Outlook Drafts – Organizations should actively track unsent email drafts for anomalies, particularly those with unusual naming conventions or suspicious content.


- Secure OAuth Tokens – Implement “tight access control policies” for OAuth-based authentication, regularly audit token usage logs, and enforce strict revocation policies for compromised tokens.


- Endpoint Detection & Response (EDR) – Deploy behavioral analytics tools to identify suspicious PowerShell executions, unusual API access patterns, and anomalous registry modifications.


- Restrict PowerShell & API Access – Limit PowerShell execution privileges and restrict API calls to only trusted applications, reducing the risk of unauthorized actions.


- Improve Log Auditing & Forensics – Ensure that system logs are protected against tampering, implement real-time alerting for registry modifications, and retain forensic logs for extended periods to facilitate investigations.


- Strengthen Multi-Factor Authentication (MFA) – Require multi-factor authentication for all sensitive systems, reducing the risk of credential compromise.


- Educate Users & IT Teams – Train employees and security teams to recognize signs of lateral movement, credential misuse, and suspicious activity within cloud environments.
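The first mitigation above, monitoring unsent drafts for unusual naming conventions, can be turned into a simple triage rule. The following is an added example (not from the original post or from Elastic's report) that scans a list of Drafts-folder messages for the `r_<session-id>` / `p_<session-id>` convention described in the attack chain; the message dictionaries are constructed to loosely resemble Microsoft Graph `message` objects, and the field names, session ids and body text are invented for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample drafts (shape loosely follows Graph API "message" objects;
# all ids, subjects and previews are invented for this example).
SAMPLE_DRAFTS = [
    {"id": "m1", "subject": "Quarterly budget notes",
     "toRecipients": [{"emailAddress": {"address": "cfo@example.org"}}],
     "bodyPreview": "Draft of the budget summary for review"},
    {"id": "m2", "subject": "r_8f3a9c", "toRecipients": [],
     "bodyPreview": "A7F3K2Q9..."},          # tasking draft, attacker side
    {"id": "m3", "subject": "p_8f3a9c", "toRecipients": [],
     "bodyPreview": "Q9ZP4L..."},            # response draft, implant side
    {"id": "m4", "subject": "p_1b2c3d", "toRecipients": [],
     "bodyPreview": "R2D2..."},              # response without a visible request
    {"id": "m5", "subject": "", "toRecipients": [],
     "bodyPreview": "untitled personal note"},
]

# Naming convention reported for FinalDraft: r_<session-id> carries commands,
# p_<session-id> carries results. The session-id character class is an assumption.
C2_SUBJECT = re.compile(r"^(?P<kind>[rp])_(?P<session>[A-Za-z0-9\-]+)$")

def classify_draft(msg):
    """Return the reasons a single draft looks like covert C2 traffic (empty if benign)."""
    reasons = []
    m = C2_SUBJECT.match(msg.get("subject") or "")
    if m:
        reasons.append(f"subject matches C2 naming convention ({m.group('kind')}_<session-id>)")
        if not msg.get("toRecipients"):
            # A draft with no recipient was never meant to be sent: the mailbox is the channel.
            reasons.append("no recipients on a convention-matching draft")
    return reasons

def find_c2_sessions(drafts):
    """Group convention-matching drafts by session id and record which directions were seen."""
    sessions = defaultdict(set)
    for msg in drafts:
        m = C2_SUBJECT.match(msg.get("subject") or "")
        if m:
            sessions[m.group("session")].add(m.group("kind"))
    return {sid: sorted(kinds) for sid, kinds in sessions.items()}

def triage(drafts):
    """Return (flagged message ids, sessions seen in both directions).

    A session with both an r_ and a p_ draft is the strongest signal: a command and
    its answer sitting unsent in the same mailbox."""
    flagged = [msg["id"] for msg in drafts if classify_draft(msg)]
    sessions = find_c2_sessions(drafts)
    complete = sorted(sid for sid, kinds in sessions.items() if kinds == ["p", "r"])
    return flagged, complete
```

In a real deployment the same rule would run over drafts pulled from the mailbox audit or Graph API rather than the constructed list, and single-direction sessions such as `1b2c3d` still deserve a look, since the matching draft may already have been deleted.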


By enhancing detection, access control, and incident response capabilities, organizations can strengthen their security posture and reduce the risk of state-sponsored cyber intrusions like the REF7707 campaign. As cybercriminals continue refining their techniques, cybersecurity teams must stay ahead by adapting to new, covert infiltration tactics and continuously evolving their defensive strategies.
