Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft


Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it’s more economical and effective to simply use Microsoft’s own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers’ malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.
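Because Graph traffic is expected from most Microsoft 365 clients, the detection angle is not the destination but the pattern: a process that is not a known Microsoft 365 client talking to Graph, or any process polling it at machine-regular intervals. The script below is an added example, not code from the article or from Microsoft; it runs over constructed proxy log lines (not from any real environment) and scores each source host/process pair for regular polling of graph.microsoft.com. The process allowlist is an assumption to tune to your own estate.

```python
"""Flag machine-like polling of graph.microsoft.com in proxy logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real environment):
# "<ISO timestamp> <source host> <process> <destination host> <path>"
SAMPLE_LOGS = """\
2024-05-01T10:00:00 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:01:00 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:02:00 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:03:01 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:04:00 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:05:00 ws-17 updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2024-05-01T10:00:12 ws-03 outlook.exe graph.microsoft.com /v1.0/me/messages
2024-05-01T10:07:45 ws-03 outlook.exe graph.microsoft.com /v1.0/me/calendar/events
2024-05-01T10:31:02 ws-03 outlook.exe graph.microsoft.com /v1.0/me/messages
2024-05-01T10:02:30 ws-03 outlook.exe graph.microsoft.com /v1.0/me/messages
2024-05-01T10:00:05 ws-22 chrome.exe example.com /index.html
"""

# Assumed allowlist of processes expected to talk to Graph in this environment;
# this is an illustrative assumption, not a list published by Microsoft.
KNOWN_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}


def parse_logs(text):
    """Group Graph requests by (source host, process) as (timestamp, path) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dst, path = line.split()
        if dst.lower() != "graph.microsoft.com":
            continue  # only Graph traffic is of interest here
        events[(src, proc)].append((datetime.fromisoformat(ts), path))
    return events


def beacon_score(timestamps, min_requests=5):
    """Coefficient of variation of the gaps between requests; None if too few.

    Human-driven clients produce irregular gaps (high CV); a scheduled poller
    produces near-constant gaps (CV close to 0).
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_suspicious(text, cv_threshold=0.2):
    """Return [(host, process, [reasons])] for pairs worth an analyst's look."""
    findings = []
    for (src, proc), evs in parse_logs(text).items():
        reasons = []
        cv = beacon_score([t for t, _ in evs])
        if cv is not None and cv < cv_threshold:
            reasons.append(f"regular polling (cv={cv:.2f}, n={len(evs)})")
        if proc.lower() not in KNOWN_GRAPH_CLIENTS:
            reasons.append("process not in Graph client allowlist")
        if reasons:
            findings.append((src, proc, reasons))
    return findings


if __name__ == "__main__":
    for host, proc, reasons in find_suspicious(SAMPLE_LOGS):
        print(f"{host} {proc}: {'; '.join(reasons)}")
```

On the constructed input, ws-17's updater.exe is flagged on both counts (near-constant 60-second gaps from a process outside the allowlist), while ws-03's outlook.exe, with few and irregular requests, is not. The two signals are deliberately independent: an unknown process is worth a look even before enough requests accumulate to score its cadence, and a regular poller is worth a look even when it hides behind a familiar process name.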
