Ransomware Operators Exploit Microsoft’s AzCopy for Stealthy Data Theft Ransomware groups are increasingly weaponizing legitimate IT tools to evade detection, with Microsoft’s AzCopy a command-line utility for Azure data transfers now a favored method for exfiltrating sensitive files before encryption. This tactic allows attackers to blend malicious activity with routine cloud operations, making detection difficult for security teams. How the Attack Works AzCopy, designed for enterprise data migration, operates as a standalone executable over HTTPS, bypassing traditional Endpoint Detection and Response (EDR) alerts due to its trusted status. Threat actors generate Shared Access Signature (SAS) tokens temporary, credential-free URLs to route stolen data to attacker-controlled Azure Blob Storage accounts. These tokens, active for as little as three days and eight hours, limit exposure while enabling large-scale transfers. Attackers further refine their approach by: - Using `--include-after` to target only recently modified files. - Throttling upload speeds with `--cap-mbps` to avoid triggering network anomaly alerts. - Deleting AzCopy’s hidden log directory (`.azcopy`) post-exfiltration to erase forensic evidence. Impact and Detection Challenges The shift to Azure-based exfiltration complicates defense efforts. Since data flows through Microsoft’s infrastructure, it mimics legitimate business traffic, delaying detection until stolen files appear on ransomware leak sites. Varonis Threat Labs identified multiple incidents where AzCopy went undetected by EDR platforms, underscoring the tactic’s effectiveness. Organizations are advised to monitor outbound connections to `*.blob.core.windows.net` from non-Azure systems and leverage User and Entity Behavior Analytics (UEBA) to flag unusual file access patterns. However, the attack’s stealthy nature highlights the growing sophistication of ransomware operations leveraging trusted tools.