Skip to content

CopyBlob

Azure

CopyBlob

service: Azure - Azure Blob Storage
techniques:

Event

Copies a blob within or between Azure Storage accounts or containers.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

Azure Storage Diagnostic Logs (StorageBlobLogs)

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud (using a SAS URL minted via Microsoft.Compute/snapshots/beginGetAccess — see that event in this batch) issues a server-side CopyBlob from the production flcoccamy001 storage account’s customers container to an attacker-controlled storage account. The destination account is referenced via the x-ms-copy-source header pointing to the production blob, while the request itself targets the attacker’s account. The flattened Log Analytics row records this as a single CopyBlob event on the destination account.

{
"TimeGenerated": "2026-04-15T19:38:42.5172983Z",
"AccountName": "flcdracoexfil666",
"Category": "StorageWrite",
"OperationName": "CopyBlob",
"OperationVersion": "2024-08-04",
"ServiceType": "blob",
"StatusCode": 202,
"StatusText": "Success",
"DurationMs": 84,
"ServerLatencyMs": 78,
"RequestBodySize": 0,
"ResponseBodySize": 0,
"RequestHeaderSize": 1248,
"ResponseHeaderSize": 412,
"Tls": "TLS 1.3",
"AuthenticationType": "OAuth",
"AuthenticationHash": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90",
"RequesterObjectId": "30000000-0000-4000-8000-001010011010",
"RequesterUpn": "draco@fantasticlogs.cloud",
"RequesterTenantId": "10000000-0000-4000-8000-000000000001",
"RequesterAppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"CallerIpAddress": "203.0.113.66",
"UserAgentHeader": "azsdk-python-storage-blob/12.19.0 Python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35)",
"ClientRequestId": "90000000-0000-4000-8000-000001110000",
"RequestId": "90000000-0000-4000-8000-000001110001",
"Uri": "https://flcdracoexfil666.blob.core.windows.net/loot/customers/2026-q2/luna_lovegood.parquet?api-version=2024-08-04",
"OperationCount": 1,
"ResponseHeaders": {
"x-ms-copy-id": "90000000-0000-4000-8000-000001110010",
"x-ms-copy-status": "pending"
},
"RequestHeaders": {
"x-ms-copy-source": "https://flcoccamy001.blob.core.windows.net/customers/2026-q2/luna_lovegood.parquet?sv=2024-08-04&sr=b&sig=<sas-signature-redacted>&se=2026-04-15T20:38:42Z&sp=r"
},
"_ResourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-draco-staging-666/providers/Microsoft.Storage/storageAccounts/flcdracoexfil666",
"TenantId": "10000000-0000-4000-8000-000000000001"
}

MITRE ATT&CK Mapping

Tactics: Collection Exfiltration

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.