Threat actors may use an existing, legitimate external web service as a means of relaying data to and from a compromised system. Popular websites, cloud services, and social media used as a command and control (C2) mechanism may give a significant amount of cover, because hosts within a network are likely already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for threat actors to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving threat actors an added level of protection.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
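Because the destination itself is expected traffic, detection has to look at which client is talking to the service rather than at the service's reputation. The following is an added example, not part of the original page: it baselines process/domain pairs from proxy or EDR network records and flags pairs that are rare across the fleet. The record layout, the `WATCHED` domain list, the host and process names, and the `min_hosts` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed list of popular web services to watch (illustrative, not exhaustive).
WATCHED = {"docs.google.com", "graph.microsoft.com", "api.twitter.com"}

# Constructed sample records: (day, host, process, destination domain).
BASELINE = [
    (1, "ws-01", "chrome.exe", "docs.google.com"),
    (1, "ws-02", "chrome.exe", "docs.google.com"),
    (1, "ws-03", "msedge.exe", "docs.google.com"),
    (2, "ws-01", "outlook.exe", "graph.microsoft.com"),
    (2, "ws-02", "outlook.exe", "graph.microsoft.com"),
    (2, "ws-03", "outlook.exe", "graph.microsoft.com"),
    (2, "ws-02", "chrome.exe", "api.twitter.com"),
    (3, "ws-03", "chrome.exe", "api.twitter.com"),
    (3, "ws-01", "updater.exe", "cdn.example.net"),
]
TODAY = [
    (8, "ws-01", "chrome.exe", "docs.google.com"),
    (8, "ws-02", "outlook.exe", "graph.microsoft.com"),
    (8, "ws-03", "svc_helper.exe", "api.twitter.com"),  # hypothetical process name
    (8, "ws-03", "svc_helper.exe", "api.twitter.com"),
    (8, "ws-02", "msedge.exe", "docs.google.com"),
    (8, "ws-01", "updater.exe", "cdn.example.net"),
]

def build_baseline(records):
    """Map (process, domain) -> set of hosts seen making that connection."""
    seen = defaultdict(set)
    for _day, host, proc, domain in records:
        seen[(proc.lower(), domain.lower())].add(host)
    return seen

def unusual_clients(baseline, records, min_hosts=2):
    """Return sorted (host, process, domain, hits) for watched services where the
    process/domain pair was seen on fewer than min_hosts hosts in the baseline."""
    hits = defaultdict(int)
    for _day, host, proc, domain in records:
        key = (proc.lower(), domain.lower())
        if key[1] in WATCHED and len(baseline.get(key, ())) < min_hosts:
            hits[(host, key[0], key[1])] += 1
    return sorted((h, p, d, n) for (h, p, d), n in hits.items())

if __name__ == "__main__":
    for finding in unusual_clients(build_baseline(BASELINE), TODAY):
        print(finding)
```

With `min_hosts=2` the sample also flags a browser that only one host used during the baseline; lowering the threshold to 1 removes that finding but would miss a pair that a single compromised host had already established.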