FINALDRAFT Malware: How Hackers Turn Microsoft’s Cloud into a Covert Weapon

In this interview, discover how the FINALDRAFT malware exploits Microsoft Graph API and Outlook’s ‘Drafts’ folder for stealthy cyber espionage. Elastic Security Labs' Devon Kerr reveals the risks and how to defend against this advanced threat.

Aanchal Ghatak
Hackers have outdone themselves again—this time, by turning Microsoft’s own cloud services into a free pass for cyber espionage. FINALDRAFT, the latest stealth malware uncovered by Elastic Security Labs, doesn’t bother with sketchy domains or suspicious backdoors.

Instead, it waltzes right through Microsoft Graph API, nestling into Outlook’s ‘Drafts’ folder like an uninvited guest who refuses to leave.

Blending malicious traffic with everyday cloud activity, FINALDRAFT ensures security teams have a harder time spotting it than finding a typo in an auto-corrected email. With high-profile targets and espionage written all over it, this malware is a masterclass in hiding in plain sight.

In this exclusive conversation, Devon Kerr, Elastic Security Labs Lead, unpacks how FINALDRAFT operates, why traditional defenses won’t cut it, and how organizations can finally RSVP ‘no’ to this unwelcome cyber threat.

How does malware use the Microsoft Graph API to make its traffic appear legitimate and evade detection? Please provide exact examples of the API calls used and how they are exploited.

Malware such as FINALDRAFT leverages the Microsoft Graph API to blend malicious traffic with legitimate network activity, evading detection. By utilising the Microsoft Graph API, it communicates over legitimate Microsoft services, making its traffic appear as standard, authorised communication. Specifically, FINALDRAFT exploits the Outlook mail service through the Graph API for command-and-control (C2) operations.

It obtains an API token via the https://login.microsoftonline.com/common/oauth2/token endpoint, using a refresh token embedded within its configuration. Once authenticated, the malware interacts with Outlook’s mail folders, notably the 'Drafts' folder, to send and receive commands and data. This method allows it to operate stealthily, as traffic to graph.microsoft.com is encrypted and therefore less likely to be scrutinised by security systems.

What are the types of information this malware targets for exfiltration? Is this malware aimed at specific sectors, files or types thereof, or kinds of user actions?

The FINALDRAFT malware is designed to exfiltrate sensitive information, including system data, user credentials, and specific files of interest. It employs 37 distinct commands facilitating actions such as file manipulation, process injection, and network proxying. It can perform Pass-the-Hash attacks to capture authentication credentials, enabling lateral movement within networks.

The malware has been observed targeting high-value entities, such as foreign ministries and telecommunications companies, indicating a focus on sectors with valuable data. Its method of using Outlook's 'Drafts' folder for command-and-control operations allows it to blend seamlessly into regular network traffic, making detection challenging.

"FINALDRAFT doesn’t just evade detection—it weaponizes trust, using Microsoft’s own cloud infrastructure as its cover." – Devon Kerr, Elastic Security Labs Lead

What is the confidence level in attributing this malware to Chinese espionage activity, and what evidence is there for this attribution outside of telemetry?

The adversary devoted years to iteratively developing the FINALDRAFT malware and its associated delivery systems, and further years to maintaining the backend infrastructure. Likewise, this threat operated in some of these environments for years while quietly testing new capabilities and stealing the data necessary to maintain long-term access to a very small number of specific victim environments. These behavioural patterns are consistent with espionage-motivated groups, and we assess that with high confidence.

What are the greatest challenges in detecting this malware, considering its utilisation of legitimate Microsoft infrastructure, and what security tools/techniques are most effective?

Detecting FINALDRAFT is challenging as it exploits legitimate Microsoft infrastructure, allowing its malicious activity to appear as normal traffic. It avoids traditional detection methods by leveraging the encrypted Microsoft Graph API and Outlook’s ‘Drafts’ folder for command-and-control. Since traffic to graph.microsoft[.]com is generally not inspected, standard security tools may overlook its activity. This allows attackers to bypass conventional network defenses, maintain persistence, and exfiltrate data without triggering common security alerts.

To counter this, organisations should deploy advanced Endpoint Detection and Response (EDR) solutions to flag unauthorised API activity and process injections. Network traffic analysis can also help identify anomalies, even within trusted services.

Enhanced logging of OAuth token usage and of unexpected access to Outlook mail folders provides early indicators of compromise. Combining these measures with behavioral analytics, anomaly detection, and strict access controls strengthens an organisation’s ability to detect and mitigate threats that exploit cloud-based infrastructure for malicious purposes.
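The two indicators Kerr names above (a refresh-token grant against the common OAuth token endpoint, followed shortly by Drafts-folder access from a process that is not a mail client) can be correlated in a few lines. This is an added illustration written for this article, not one of Elastic's published rules; the telemetry records, the process allowlist and the 60-second window are constructed assumptions.

```python
# Constructed sample endpoint/proxy telemetry (not real FINALDRAFT logs).
# Each record is one outbound HTTPS request attributed to a host process.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-01", "process": "OUTLOOK.EXE",
     "url": "https://login.microsoftonline.com/common/oauth2/token", "grant_type": "refresh_token"},
    {"ts": 101, "host": "ws-01", "process": "OUTLOOK.EXE",
     "url": "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages", "grant_type": None},
    {"ts": 200, "host": "ws-02", "process": "mspaint.exe",   # hypothetical injected host process
     "url": "https://login.microsoftonline.com/common/oauth2/token", "grant_type": "refresh_token"},
    {"ts": 203, "host": "ws-02", "process": "mspaint.exe",
     "url": "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages", "grant_type": None},
    {"ts": 300, "host": "ws-03", "process": "svchost.exe",
     "url": "https://graph.microsoft.com/v1.0/me/messages", "grant_type": None},
    {"ts": 400, "host": "ws-04", "process": "powershell.exe",   # Drafts access with no prior token grant
     "url": "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages", "grant_type": None},
]

# Assumed allowlist of processes that legitimately talk to Outlook mail via Graph.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "olk.exe", "teams.exe"}
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"
DRAFTS_PATH = "/mailfolders/drafts"      # well-known Graph folder name, matched case-insensitively
WINDOW_SECONDS = 60                      # assumed correlation window


def find_drafts_c2_candidates(events):
    """Return one hit per Drafts-folder request made by a non-mail-client process
    within WINDOW_SECONDS of that same (host, process) obtaining an OAuth token
    via a refresh-token grant. Either indicator alone is not reported."""
    last_refresh = {}   # (host, process) -> ts of the most recent refresh-token grant
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = ev["process"].lower()
        if proc in EXPECTED_MAIL_CLIENTS:
            continue    # expected client; tune the allowlist per environment
        key = (ev["host"], proc)
        if ev["url"] == TOKEN_ENDPOINT and ev.get("grant_type") == "refresh_token":
            last_refresh[key] = ev["ts"]
        elif DRAFTS_PATH in ev["url"].lower():
            t0 = last_refresh.get(key)
            if t0 is not None and ev["ts"] - t0 <= WINDOW_SECONDS:
                hits.append({"host": ev["host"], "process": ev["process"],
                             "token_ts": t0, "drafts_ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_drafts_c2_candidates(SAMPLE_EVENTS):
        print(f"suspicious Drafts C2 pattern: {hit}")
```

In production the same logic would run over the organisation's proxy or EDR network telemetry, and the allowlist would be built from observed legitimate mail clients rather than hard-coded.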

What proactive measures can organisations take to protect themselves from this kind of attack, including specific configurations, best practices, or tools?

Organisations can mitigate threats like FINALDRAFT by deploying advanced Endpoint Detection and Response (EDR) solutions which can identify suspicious process injections and other endpoint anomalies. Network traffic analysis can flag anomalies caused by the relay capability of FINALDRAFT, which is meant to limit beaconing. Security audits, enhanced logging, and behavioral analytics from a SIEM solution will further strengthen defenses against malware that exploits cloud-based infrastructure for covert operations.

How does this malware differ from other known malware variants, particularly those linked to Chinese APT groups? What are its distinguishing features or innovations?

FINALDRAFT differentiates itself from other malware linked to Chinese APT groups by relying on the Microsoft Graph API for command-and-control (C2) operations, disguising malicious activity as legitimate cloud service interactions. Unlike traditional backdoors, it uses Outlook’s ‘Drafts’ folder to exfiltrate data and receive commands, minimising detectable network indicators. Its focus on abusing trusted cloud infrastructure, rather than custom C2 frameworks, makes it particularly stealthy.

What is the likely effect of this malware on organisations, and is there any indication that it is being actively used in the wild? If so, how prevalent is the infection?

FINALDRAFT poses significant risks to organisations by secretly exfiltrating sensitive data and facilitating unauthorised access. Its use of legitimate Microsoft services for command-and-control (C2) communications makes detection challenging. Evidence indicates active deployment in targeted espionage campaigns, notably against a South American nation's foreign ministry, with links to several Southeast Asian compromises in the government, telecommunications, and higher education sectors.

How does Elastic assist organisations in detecting and responding to this particular threat and similar threats using cloud services? What particular products or services are applicable?

Elastic Security is powered by Elastic Security Labs, the in-house threat research team that discovered FINALDRAFT and many other malware families. In addition to disclosing the threat, Elastic Security Labs has also published free behavioral detection and YARA rules in the article You’ve Got Malware: FINALDRAFT Hides in your Drafts. These protections have been built directly into Elastic Security, which helps detect threats like FINALDRAFT and many others through behavioral analytics, anomaly detection, and endpoint telemetry.

Analysts can monitor for unauthorised Microsoft Graph API interactions, unusual OAuth token usage, and suspicious mailbox activity while relying on Elastic’s extensive visibility, machine learning capabilities, and AI toolset. By integrating these capabilities, organisations can detect, investigate, and respond to stealthy threats that abuse legitimate cloud infrastructure.
