title: Data from Cloud Storage (T1530)
id: df00tech-t1530
status: experimental
description: "Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale."
references:
  - https://attack.mitre.org/techniques/T1530/
  - https://df00tech.com/detections/T1530
author: df00tech
date: 2026/04/21
tags:
  - attack.t1530
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup and migration tools (ShareGate, AvePoint, Metalogix) performing scheduled bulk downloads of SharePoint or OneDrive content during off-hours maintenance windows"
  - Microsoft Purview eDiscovery operations and DLP scanning agents accessing large volumes of OneDrive files for compliance indexing or legal hold processing
  - Azure Blob containers legitimately configured for anonymous public access as static website hosting origins or CDN source buckets — anonymous access is expected and intended
  - "Infrastructure-as-code pipelines (Terraform, Bicep, ARM templates) performing storage account writes and key listing operations during normal cloud provisioning and rotation workflows"
  - "Developers and DevOps engineers performing bulk blob downloads from development or staging storage accounts using Azure CLI, Azure Storage Explorer, or SDK tooling"
level: high