CopyBlob
Azure
CopyBlob
Event
Copies a blob within or between Azure Storage accounts or containers.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
Azure Storage Diagnostic Logs (StorageBlobLogs)
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud (using a SAS URL minted via Microsoft.Compute/snapshots/beginGetAccess — see that event in this batch) issues a server-side CopyBlob from the production flcoccamy001 storage account’s customers container to an attacker-controlled storage account. The destination account is referenced via the x-ms-copy-source header pointing to the production blob, while the request itself targets the attacker’s account. The flattened Log Analytics row records this as a single CopyBlob event on the destination account.
{ "TimeGenerated": "2026-04-15T19:38:42.5172983Z", "AccountName": "flcdracoexfil666", "Category": "StorageWrite", "OperationName": "CopyBlob", "OperationVersion": "2024-08-04", "ServiceType": "blob", "StatusCode": 202, "StatusText": "Success", "DurationMs": 84, "ServerLatencyMs": 78, "RequestBodySize": 0, "ResponseBodySize": 0, "RequestHeaderSize": 1248, "ResponseHeaderSize": 412, "Tls": "TLS 1.3", "AuthenticationType": "OAuth", "AuthenticationHash": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90", "RequesterObjectId": "30000000-0000-4000-8000-001010011010", "RequesterUpn": "draco@fantasticlogs.cloud", "RequesterTenantId": "10000000-0000-4000-8000-000000000001", "RequesterAppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "CallerIpAddress": "203.0.113.66", "UserAgentHeader": "azsdk-python-storage-blob/12.19.0 Python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35)", "ClientRequestId": "90000000-0000-4000-8000-000001110000", "RequestId": "90000000-0000-4000-8000-000001110001", "Uri": "https://flcdracoexfil666.blob.core.windows.net/loot/customers/2026-q2/luna_lovegood.parquet?api-version=2024-08-04", "OperationCount": 1, "ResponseHeaders": { "x-ms-copy-id": "90000000-0000-4000-8000-000001110010", "x-ms-copy-status": "pending" }, "RequestHeaders": { "x-ms-copy-source": "https://flcoccamy001.blob.core.windows.net/customers/2026-q2/luna_lovegood.parquet?sv=2024-08-04&sr=b&sig=<sas-signature-redacted>&se=2026-04-15T20:38:42Z&sp=r" }, "_ResourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-draco-staging-666/providers/Microsoft.Storage/storageAccounts/flcdracoexfil666", "TenantId": "10000000-0000-4000-8000-000000000001"}MITRE ATT&CK Mapping
Tactics: Collection Exfiltration
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.