MITRE ATT&CK Technique
Description
Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-08-30T18:07:27.741Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may access data from cloud storage.\n'
'\n'
'Many IaaS providers offer solutions for online data object '
'storage such as Amazon S3, Azure Storage, and Google Cloud '
'Storage. Similarly, SaaS enterprise platforms such as Office '
'365 and Google Workspace provide cloud-based document storage '
'to users through services such as OneDrive and Google Drive, '
'while SaaS application providers such as Slack, Confluence, '
'Salesforce, and Dropbox may provide cloud storage solutions '
'as a peripheral or primary use case of their platform. \n'
'\n'
'In some cases, as with IaaS-based cloud storage, there exists '
'no overarching application (such as SQL or Elasticsearch) '
'with which to interact with the stored objects: instead, data '
'from these solutions is retrieved directly though the [Cloud '
'API](https://attack.mitre.org/techniques/T1059/009). In SaaS '
'applications, adversaries may be able to collect this data '
'directly from APIs or backend cloud storage objects, rather '
'than through their front-end application or interface (i.e., '
'[Data from Information '
'Repositories](https://attack.mitre.org/techniques/T1213)). \n'
'\n'
'Adversaries may collect sensitive data from these cloud '
'storage solutions. Providers typically offer security guides '
'to help end users configure systems, though misconfigurations '
'are a common problem.(Citation: Amazon S3 Security, '
'2019)(Citation: Microsoft Azure Storage Security, '
'2019)(Citation: Google Cloud Storage Best Practices, 2019) '
'There have been numerous incidents where cloud storage has '
'been improperly secured, typically by unintentionally '
'allowing public access to unauthenticated users, overly-broad '
'access by all users, or even access for any anonymous person '
'outside the control of the Identity Access Management system '
'without even needing basic user permissions.\n'
'\n'
'This open access may expose various types of sensitive data, '
'such as credit cards, personally identifiable information, or '
'medical records.(Citation: Trend Micro S3 Exposed PII, '
'2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: '
'HIPAA Journal S3 Breach, 2017)(Citation: '
'Rclone-mega-extortion_05_2021)\n'
'\n'
'Adversaries may also obtain then abuse leaked credentials '
'from source repositories, logs, or other means as a way to '
'gain access to cloud storage objects.',
'external_references': [{'external_id': 'T1530',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1530'},
{'description': 'Amazon. (2019, May 17). How can I '
'secure the files in my Amazon S3 '
'bucket?. Retrieved October 4, 2019.',
'source_name': 'Amazon S3 Security, 2019',
'url': 'https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/'},
{'description': 'Amlekar, M., Brooks, C., Claman, L., '
'et. al.. (2019, March 20). Azure '
'Storage security guide. Retrieved '
'October 4, 2019.',
'source_name': 'Microsoft Azure Storage Security, '
'2019',
'url': 'https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide'},
{'description': 'Barrett, B.. (2019, July 11). Hack '
'Brief: A Card-Skimming Hacker Group '
'Hit 17K Domains—and Counting. '
'Retrieved October 4, 2019.',
'source_name': 'Wired Magecart S3 Buckets, 2019',
'url': 'https://www.wired.com/story/magecart-amazon-cloud-hacks/'},
{'description': 'Google. (2019, September 16). Best '
'practices for Cloud Storage. '
'Retrieved October 4, 2019.',
'source_name': 'Google Cloud Storage Best Practices, '
'2019',
'url': 'https://cloud.google.com/storage/docs/best-practices'},
{'description': 'HIPAA Journal. (2017, October 11). '
'47GB of Medical Records and Test '
'Results Found in Unsecured Amazon S3 '
'Bucket. Retrieved October 4, 2019.',
'source_name': 'HIPAA Journal S3 Breach, 2017',
'url': 'https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/'},
{'description': 'Justin Schoenfeld, Aaron Didier. '
'(2021, May 4). Transferring leverage '
'in a ransomware attack. Retrieved '
'July 14, 2022.',
'source_name': 'Rclone-mega-extortion_05_2021',
'url': 'https://redcanary.com/blog/rclone-mega-extortion/'},
{'description': 'Trend Micro. (2017, November 6). A '
'Misconfigured Amazon S3 Exposed '
'Almost 50 Thousand PII in Australia. '
'Retrieved October 4, 2019.',
'source_name': 'Trend Micro S3 Exposed PII, 2017',
'url': 'https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia'}],
'id': 'attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:48:37.187Z',
'name': 'Data from Cloud Storage',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Netskope',
'Praetorian',
'AppOmni',
'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS', 'Office Suite', 'SaaS'],
'x_mitre_version': '2.2'}