New Linux variant of GoGra backdoor uses Microsoft Graph API for stealth C2 - blends in with legitimate Office 365 traffic

Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with Outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.

Check

Audit which Linux servers in your environment have outbound HTTPS access to graph.microsoft.com and restrict it to hosts with a documented Microsoft 365 use case.

Affected

Linux servers with outbound HTTPS access to graph.microsoft.com - in most enterprise networks that means almost all of them, since egress filters routinely allow the entire Microsoft 365 endpoint range by default. Build servers, jump hosts, developer workstations, and DMZ services with Linux are the highest-value targets because they often hold credentials and source code.

Fix

Restrict graph.microsoft.com egress to only hosts that genuinely need it (mail relays, M365 integrations). On all other Linux hosts, log and alert on outbound graph.microsoft.com connections. In your M365 tenant, enable audit logging for application registrations and OAuth grants and alert on tokens used from unfamiliar IPs. Rotate credentials for any Linux server that had unsanctioned graph.microsoft.com traffic.