T1537 Transfer Data to Cloud Account
Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
A defender who monitors for large transfers out of the cloud environment, whether through normal file transfers or over command and control channels, may not be watching for data transfers to another account within the same cloud provider. Such transfers may use existing cloud provider APIs and the provider's internal address space to blend into normal traffic or to avoid moving data over external network interfaces.[2]
Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.[5]
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[6]
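
The snapshot-sharing case described above can be hunted for in cloud audit logs. The following is an added example, not part of the ATT&CK page: it scans CloudTrail-style records for successful `ModifySnapshotAttribute` calls that grant an EBS snapshot to an account outside an allowlist or to everyone. The record layout (`requestParameters.createVolumePermission.add.items`), the account IDs, the sample log and the function names are assumptions made for illustration.

```python
import json

# Assumption: account IDs the organization owns (constructed placeholders).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

def external_snapshot_shares(lines, trusted=TRUSTED_ACCOUNTS):
    """Flag successful EBS snapshot shares to accounts outside `trusted`."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if ev.get("eventName") != "ModifySnapshotAttribute" or ev.get("errorCode"):
            continue  # other API calls, or denied/failed attempts
        params = ev.get("requestParameters") or {}
        perm = params.get("createVolumePermission") or {}
        for item in (perm.get("add") or {}).get("items") or []:
            # {"group": "all"} makes the snapshot public; {"userId": ...} names one account.
            target = "PUBLIC" if item.get("group") == "all" else item.get("userId")
            if target and target not in trusted:
                findings.append({
                    "time": ev.get("eventTime"),
                    "actor": (ev.get("userIdentity") or {}).get("arn"),
                    "snapshot": params.get("snapshotId"),
                    "shared_with": target,
                })
    return findings

def _event(time, snap, permission, error=None):
    """Build one constructed CloudTrail-style record as a JSON line."""
    ev = {"eventTime": time, "eventName": "ModifySnapshotAttribute",
          "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
          "requestParameters": {"snapshotId": snap, "createVolumePermission": permission}}
    if error:
        ev["errorCode"] = error
    return json.dumps(ev)

# Constructed sample log, not taken from any real incident.
SAMPLE_LOG = [
    _event("2025-01-01T10:00:00Z", "snap-0aaa", {"add": {"items": [{"userId": "222222222222"}]}}),
    _event("2025-01-01T10:05:00Z", "snap-0bbb", {"add": {"items": [{"userId": "999999999999"}]}}),
    _event("2025-01-01T10:06:00Z", "snap-0ccc", {"add": {"items": [{"group": "all"}]}}),
    _event("2025-01-01T10:07:00Z", "snap-0ddd", {"add": {"items": [{"userId": "999999999999"}]}}, "Client.UnauthorizedOperation"),
    _event("2025-01-01T10:08:00Z", "snap-0eee", {"remove": {"items": [{"userId": "999999999999"}]}}),
    "{truncated",
]

if __name__ == "__main__":
    for finding in external_snapshot_shares(SAMPLE_LOG):
        print(finding)
```

Denied attempts are skipped here because no data left the account; they are still worth alerting on separately as a sign of probing.
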
| Item | Value |
|---|---|
| ID | T1537 |
| Sub-techniques | |
| Tactics | TA0010 |
| Platforms | IaaS, Office Suite, SaaS |
| Version | 1.5 |
| Created | 30 August 2019 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1032 | INC Ransom | INC Ransom has used Megasync to exfiltrate data to the cloud.[12] |
| G1039 | RedCurl | RedCurl has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltrate data to Mega, a file storage service.[13][14] |
| G1053 | Storm-0501 | Storm-0501 has copied data from the victim's environment to their own infrastructure leveraging AzCopy CLI.[11] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.[8][7] |
| M1037 | Filter Network Traffic | Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs. |
| M1054 | Software Configuration | Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.[9][10] |
| M1018 | User Account Management | Limit user account and IAM policies to the least privileges required. |
References
- Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022.
- Clint Gibler and Scott Piper. (2021, January 4). Lesser Known Techniques for Attacking AWS Environments. Retrieved March 4, 2024.
- Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
- Google. (n.d.). Use Workspace DLP to prevent data loss. Retrieved March 4, 2024.
- Microsoft. (2024, January 9). Learn about data loss prevention. Retrieved March 4, 2024.
- Google. (n.d.). Manage external sharing for your organization. Retrieved March 4, 2024.
- Microsoft. (2023, October 11). Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Retrieved March 4, 2024.
- Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
- Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.