Threat actors are leveraging Microsoft Graph API reconnaissance techniques to identify and target payroll and HR employees within organizations, ultimately exfiltrating sensitive salary data. By abusing legitimate Graph API permissions and queries, attackers blend reconnaissance activities with normal business operations, making detection extremely challenging. Organizations using Microsoft 365 environments are particularly vulnerable to this attack methodology, which combines social engineering with API abuse to access confidential compensation information.
Introduction
A sophisticated attack campaign has emerged targeting corporate payroll systems through an unexpected vector: Microsoft Graph API reconnaissance. Security researchers have identified threat actors systematically querying Microsoft Graph to map organizational structures, identify high-value HR and payroll personnel, and subsequently compromise their accounts to steal employee salary information.
Unlike traditional phishing or malware-based attacks, this campaign exploits the legitimate functionality of Microsoft’s Graph API—a unified endpoint for accessing Microsoft 365 data. The attackers leverage authorized API calls to enumerate users, discover organizational hierarchies, and pinpoint employees with access to compensation data. This approach allows adversaries to operate within the bounds of “normal” API usage while gathering intelligence for targeted attacks.
The campaign represents a concerning evolution in corporate espionage tactics, where attackers weaponize cloud productivity tools against the organizations that rely on them. As businesses increasingly centralize sensitive data within Microsoft 365 environments, the attack surface expands accordingly.
Background & Context
Microsoft Graph API serves as the gateway to data stored across Microsoft 365, Windows 10, and Enterprise Mobility + Security services. It provides a unified programmability model that applications and users can leverage to access user profiles, organizational data, emails, files, and more.
Many organizations grant broad Graph API permissions to facilitate legitimate business applications—third-party HR tools, directory management solutions, and productivity applications. These permissions often include the ability to read user profiles, access organizational charts, and query group memberships.
Threat actors have recognized that these same permissions create opportunities for reconnaissance. By obtaining even limited access to Graph API—whether through compromised service accounts, malicious OAuth applications, or stolen access tokens—attackers can systematically map an organization’s structure without triggering traditional security alerts.
Recent attacks have specifically targeted payroll and compensation data, which represents high-value information for both corporate espionage and extortion purposes. Employee salary information can be weaponized for competitive intelligence, used in targeted ransomware negotiations, or sold on underground markets.
Technical Breakdown
The attack chain typically follows a multi-stage approach:
Stage 1: Initial Access and Graph API Enumeration
Attackers first establish access to Microsoft Graph, commonly through:
- Compromised user credentials with basic Microsoft 365 access
- Malicious OAuth applications granted overly permissive consent
- Stolen service account tokens with Graph API permissions
Once authenticated, attackers execute reconnaissance queries:
GET https://graph.microsoft.com/v1.0/users
GET https://graph.microsoft.com/v1.0/organization
GET https://graph.microsoft.com/v1.0/users?$filter=department eq 'Human Resources'
GET https://graph.microsoft.com/v1.0/users?$filter=jobTitle eq 'Payroll Administrator'
Stage 2: Organizational Mapping
Adversaries leverage the manager relationship property to reconstruct organizational hierarchies:
GET https://graph.microsoft.com/v1.0/users/{id}/manager
GET https://graph.microsoft.com/v1.0/users/{id}/directReports
This reveals reporting structures and identifies employees in finance, HR, and payroll departments who likely have access to compensation systems.
Stage 3: Targeted Compromise
With high-value targets identified, attackers launch focused campaigns:
- Spear-phishing emails crafted with organization-specific details
- Credential harvesting pages mimicking internal portals
- Business email compromise attempts targeting finance workflows
Stage 4: Payroll System Access
After compromising HR or payroll employee accounts, attackers access salary data through:
- Direct access to payroll applications via SSO
- SharePoint sites containing compensation spreadsheets
- Email searches for salary-related documents
- HR information systems (HRIS) integrated with Microsoft 365
Impact & Risk Assessment
The implications of successful salary data theft extend across multiple dimensions:
Competitive Intelligence Risk
Compensation data reveals organizational priorities, department investments, and talent retention strategies. Competitors acquiring this information gain significant advantages in recruitment and strategic planning.
Employee Privacy Violations
Salary theft represents a serious breach of employee privacy, potentially triggering regulatory obligations under GDPR, CCPA, and other data protection frameworks. Organizations face potential fines ranging from thousands to millions of dollars depending on jurisdiction and scale.
Extortion and Ransomware
Threat actors increasingly leverage stolen salary data for double-extortion ransomware attacks, threatening public disclosure unless ransom demands are met. The sensitivity of compensation information makes organizations particularly likely to pay.
Reputational Damage
Public disclosure of employee salaries can damage workplace morale, trigger compensation disputes, and harm corporate reputation. Organizations may face employee lawsuits and union actions following such breaches.
Secondary Attack Enablement
Understanding compensation levels enables more convincing social engineering attacks. Attackers can reference accurate salary figures when impersonating executives or HR personnel.
Risk severity varies based on:
- Scope of Graph API permissions granted across the environment
- Number of third-party applications with Graph access
- Maturity of monitoring and detection capabilities
- Sensitivity of accessible compensation data
Vendor Response
Microsoft has acknowledged the abuse of Graph API for reconnaissance purposes and provides several security controls to limit exposure:
Conditional Access Policies
Microsoft recommends implementing conditional access policies that restrict Graph API access based on:
- User location and device compliance status
- Application reputation and certification
- Sign-in risk levels
Application Consent Policies
Organizations can configure tenant-wide settings to:
- Require admin approval for Graph API permissions
- Block risky permission grants automatically
- Audit existing application consents regularly
Microsoft Defender for Cloud Apps
This solution provides OAuth app governance features including:
- Anomalous Graph API query detection
- Excessive data access alerts
- Application permission reviews
Microsoft also emphasizes the principle of least privilege, recommending organizations regularly audit and reduce Graph API permissions granted to users and applications.
However, Microsoft has not implemented default restrictions on organizational data queries, as these capabilities serve legitimate business purposes. The responsibility for securing Graph API access remains primarily with tenant administrators.
Mitigations & Workarounds
Organizations should implement multiple defensive layers:
Graph API Permission Hardening
Audit and restrict permissions organization-wide:
# List service principals granted the Microsoft Graph application permission Directory.Read.All.
# AppRoles on a service principal are the roles it exposes, so grants must be read from the
# Microsoft Graph service principal's own app role assignments (well-known Graph appId below).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleId = ($graphSp.AppRoles | Where-Object { $_.Value -eq "Directory.Read.All" }).Id
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $roleId } |
    Select-Object PrincipalDisplayName, PrincipalId
Remove unnecessary permissions from applications and service accounts.
Application Governance
- Disable user consent for Graph API applications
- Implement admin approval workflows for new OAuth apps
- Regularly review and revoke risky application permissions
- Maintain an inventory of authorized third-party integrations
Conditional Access Implementation
Create policies requiring:
- Multi-factor authentication for all Graph API access
- Compliant devices for accessing organizational data
- Restricted access from unknown locations
Data Access Controls
- Segment sensitive HR and payroll data from general Microsoft 365 access
- Implement privileged access workstations for HR personnel
- Use sensitivity labels to classify and protect compensation documents
- Restrict SharePoint site permissions containing salary information
Detection & Monitoring
Implement comprehensive monitoring for Graph API abuse:
Azure AD Audit Logs
Monitor for patterns indicating reconnaissance:
Activity: "Consent to application"
Activity: "Add app role assignment to service principal"
Activity: "Update application"
Graph API Query Anomalies
Alert on suspicious patterns:
- High-volume user enumeration queries
- Organizational chart mapping activities
- Filter queries targeting HR/Finance departments
- Off-hours Graph API access
- Geographic anomalies in API usage
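As an added example (not code from the original article), the following Python sketch applies the query-anomaly patterns listed above to a handful of constructed Graph activity log records; the three-field record shape, the sensitive-term list and the enumeration threshold are assumptions to be tuned against your own baseline.

```python
"""Added example: flag the Graph API reconnaissance patterns listed above. Records are
constructed; (time, userPrincipalName, requestUri) is an assumed simplified log shape."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlparse

# Constructed sample: one principal doing directory recon at 02:00 UTC,
# one ordinary user reading their own mailbox during the working day.
SAMPLE_LOG = [
    ("2024-05-03T02:14:05Z", "svc-sync@example.com",
     "https://graph.microsoft.com/v1.0/users?$top=999"),
    ("2024-05-03T02:14:07Z", "svc-sync@example.com",
     "https://graph.microsoft.com/v1.0/users?$filter=department%20eq%20'Human%20Resources'"),
    ("2024-05-03T02:14:09Z", "svc-sync@example.com",
     "https://graph.microsoft.com/v1.0/users?$filter=jobTitle%20eq%20'Payroll%20Administrator'"),
    ("2024-05-03T02:14:11Z", "svc-sync@example.com",
     "https://graph.microsoft.com/v1.0/users/u-123/manager"),
    ("2024-05-03T02:14:12Z", "svc-sync@example.com",
     "https://graph.microsoft.com/v1.0/users/u-123/directReports"),
    ("2024-05-03T10:30:00Z", "alice@example.com",
     "https://graph.microsoft.com/v1.0/me/messages"),
]

# Terms that mark a $filter as aimed at HR/Finance/payroll staff (assumed list).
SENSITIVE_TERMS = ("human resources", "payroll", "finance", "compensation")
DIRECTORY_PREFIXES = ("/v1.0/users", "/beta/users", "/v1.0/organization")
ORG_MAP_RE = re.compile(r"/users/[^/]+/(manager|directReports)$")

def analyze(records, enum_threshold=3, business_hours=(7, 19)):
    """Return {principal: sorted alert names}. enum_threshold is deliberately
    low for the toy sample; in production derive it from your usage baseline."""
    directory_calls = defaultdict(int)
    alerts = defaultdict(set)
    for ts, upn, uri in records:
        url = urlparse(uri)
        query = unquote(url.query)
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if url.path.startswith(DIRECTORY_PREFIXES):
            directory_calls[upn] += 1
            if directory_calls[upn] >= enum_threshold:
                alerts[upn].add("high-volume user enumeration")
            if not business_hours[0] <= hour < business_hours[1]:
                alerts[upn].add("off-hours directory access")
        if "$filter=" in query and any(t in query.lower() for t in SENSITIVE_TERMS):
            alerts[upn].add("filter targeting HR/Finance")
        if ORG_MAP_RE.search(url.path):
            alerts[upn].add("org-chart mapping")
    return {upn: sorted(names) for upn, names in alerts.items()}
```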
Microsoft Cloud App Security Policies
Configure anomaly detection policies:
- Unusual number of Graph API calls from single user
- Mass download of organizational data
- OAuth apps accessing multiple user mailboxes
- Service principals with excessive read operations
SIEM Integration
Forward Graph API logs to SIEM platforms for correlation with:
- Failed authentication attempts
- Subsequent mailbox access patterns
- File download activities from HR SharePoint sites
- Changes to user roles and permissions
Establish baseline metrics for normal Graph API usage to identify deviations effectively.
Best Practices
Zero Trust Graph API Access
Apply zero trust principles specifically to Graph API:
- Assume all access requests are potentially malicious
- Verify explicitly with strong authentication
- Grant least privileged access for each scenario
- Continuously validate security posture
Privileged Access Management
Separate HR and payroll system access:
- Use dedicated accounts for sensitive data access
- Implement just-in-time access for payroll operations
- Require approval workflows for accessing compensation data
- Maintain comprehensive audit trails
Security Awareness Training
Educate HR and finance personnel on:
- Phishing techniques targeting payroll employees
- Proper handling of compensation information
- Recognizing social engineering attempts
- Reporting suspicious access requests
Regular Security Reviews
Conduct quarterly assessments:
- Graph API permission audits across all applications
- OAuth consent grants review
- Service account permission validation
- Third-party integration security verification
Incident Response Preparation
Develop specific playbooks for Graph API abuse scenarios:
- Procedures for revoking compromised application access
- Communication templates for salary data breaches
- Legal and regulatory notification requirements
- Employee communication strategies
Key Takeaways
- Microsoft Graph API represents a powerful reconnaissance tool for threat actors targeting organizational data
- Legitimate API functionality can be weaponized to identify and compromise HR and payroll personnel
- Traditional security controls often fail to detect Graph API abuse due to its legitimate appearance
- Compensation data theft carries severe regulatory, reputational, and operational consequences
- Organizations must implement defense-in-depth strategies combining access controls, monitoring, and data segmentation
- Regular audits of Graph API permissions and OAuth applications are essential security hygiene
- HR and payroll employees require enhanced security awareness and protective controls
- Detection requires establishing behavioral baselines for normal Graph API usage patterns
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.