title: Data Exfiltration via Cloud Storage Services (THREAT-CloudStorage-DataExfil)
id: df00tech-threat-cloudstorage-dataexfil
status: experimental
description: "Exfiltration of corporate data to attacker-controlled cloud storage is a dominant technique in double-extortion ransomware campaigns and espionage operations. Adversaries use legitimate cloud storage services (Mega, Dropbox, OneDrive, Box, Google Drive, rclone, AzCopy, ShareFile) to blend exfiltration traffic with normal business activity, bypassing egress monitoring that blocks unknown C2 IPs. Scattered Spider used Mega for SMB data exfiltration before ransomware deployment in 2024-2025. Akira and Black Basta affiliates use rclone with SFTP/cloud backends. Lazarus Group favors Dropbox and Google Drive. Key indicators: rclone.exe or azcopy.exe execution with external cloud endpoints, large outbound data transfers to cloud storage IPs, WinSCP or FileZilla used for bulk data staging, and PowerShell Invoke-WebRequest with cloud storage URLs. Detection opportunity exists in the staging phase (file collection before transfer) and the transfer phase (network and process telemetry)."
references:
  - https://attack.mitre.org/techniques/THREAT-CloudStorage-DataExfil/
  - https://df00tech.com/detections/THREAT-CloudStorage-DataExfil
author: df00tech
date: 2026/04/24
tags:
  - attack.threat-cloudstorage-dataexfil
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, `EventID: '*'` matches every process_creation event and is a placeholder only;
  # a working selection should key on the indicators named in the description (rclone.exe or
  # azcopy.exe execution with external cloud storage endpoints on the command line).
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate rclone use by system administrators for cloud backup operations (should be documented and excluded by account name)
  - Corporate AzCopy scripts synchronising data with legitimate company Azure storage accounts
  - Users with sanctioned business accounts for Dropbox, Box or OneDrive uploading work files (OneDrive and Box in particular are widely used for business)
  - Large legitimate data transfers to authorised cloud archival storage
level: critical
