Insider Threat Matrix™
  • ID: IF004.008
  • Created: 06th April 2026
  • Updated: 06th April 2026
  • Contributor: The ITM Team

Exfiltration via API

A subject may exfiltrate organizational data through direct interaction with application programming interfaces (APIs), leveraging HTTP/S-based service endpoints to transmit sensitive information outside of the organization’s controlled environment. This method typically involves programmatic data transfer using scripts, command-line tools, or software development kits (SDKs), rather than user-facing web interfaces.

In this infringement method, the subject authenticates to an external or unauthorized internal API using credentials such as API keys, OAuth tokens, or session tokens, and submits data via structured requests (e.g., POST, PUT). These APIs may belong to legitimate third-party services (e.g., cloud platforms, SaaS applications) or attacker-controlled infrastructure designed to receive and store exfiltrated data.

Unlike platform-driven exfiltration (e.g., uploading files via a web interface), API-based exfiltration is typically automated, scalable, and capable of operating without generating browser artifacts. This allows the subject to transfer large volumes of data, segment payloads across multiple requests, or embed exfiltration within otherwise legitimate application traffic.

This technique is particularly effective in environments where API traffic is common and trusted, and where inspection of request payloads, headers, or authentication patterns is limited.
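One way a defender can surface the pattern described above (repeated POST/PUT writes carrying API keys or bearer tokens to API hosts outside the sanctioned set, with payloads segmented across many requests) is to aggregate outbound write traffic per user and destination host. The following is an added example, not part of this ITM entry or its tooling; the egress-proxy record format, the sample records, the allowlist and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy records (not from any real environment):
# timestamp user method host path bytes_out auth_scheme
SAMPLE_LOGS = """\
2026-04-06T09:00:01Z alice POST api.approved-crm.example /v1/contacts 2048 Bearer
2026-04-06T09:00:02Z bob POST api.unknown-store.example /api/upload 524288 Bearer
2026-04-06T09:00:03Z bob POST api.unknown-store.example /api/upload 524288 Bearer
2026-04-06T09:00:04Z bob PUT api.unknown-store.example /api/upload 524288 ApiKey
2026-04-06T09:00:05Z bob GET api.unknown-store.example /api/status 120 Bearer
2026-04-06T09:00:06Z carol POST storage.approved-cloud.example /bucket/obj 3000000 Bearer
"""

# Assumed allowlist and thresholds; tune both to the environment's observed baseline.
APPROVED_HOSTS = {"api.approved-crm.example", "storage.approved-cloud.example"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}
BYTES_THRESHOLD = 1_000_000   # total outbound bytes per (user, host)
MIN_WRITE_REQUESTS = 2        # segmented payloads show up as repeated writes

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\d+) (\S+)$")

def parse_line(line):
    """Parse one record into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, path, size, scheme = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "path": path, "bytes_out": int(size), "scheme": scheme}

def find_suspicious(log_text, approved_hosts=APPROVED_HOSTS,
                    bytes_threshold=BYTES_THRESHOLD, min_requests=MIN_WRITE_REQUESTS):
    """Flag (user, host) pairs sending write requests to non-approved API hosts."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "schemes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if rec["host"] in approved_hosts:
            continue  # sanctioned destination; left to the platform's own controls
        agg = totals[(rec["user"], rec["host"])]
        agg["requests"] += 1
        agg["bytes_out"] += rec["bytes_out"]
        agg["schemes"].add(rec["scheme"])   # multiple credential types is a further signal
    hits = []
    for (user, host), agg in totals.items():
        if agg["bytes_out"] >= bytes_threshold or agg["requests"] >= min_requests:
            hits.append({"user": user, "host": host, **agg})
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)
```

On the constructed records, only bob's three writes to the non-approved host are flagged; GET requests and traffic to allowlisted hosts are excluded, so the allowlist itself needs review as part of the control.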