1. Home
  2. Detection Strategies
  3. Cross-Platform Detection of Data Transfer to Cloud Account

Cross-Platform Detection of Data Transfer to Cloud Account

Technique Detected:  Transfer Data to Cloud Account | T1537

ID: DET0573
Domains: Enterprise
Analytics: AN1580, AN1581, AN1582
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1580

Detects snapshot sharing, backup exports, or data object transfers from victim-owned cloud accounts to other cloud identities within the same provider (e.g., AWS, Azure) using snapshot sharing, S3 bucket policy updates, or SAS URI generation.

Log Sources
Data Component Name Channel
Snapshot Modification (DC0058) AWS:CloudTrail ModifySnapshotAttribute
Cloud Storage Modification (DC0023) AWS:CloudTrail PutBucketPolicy
Snapshot Creation (DC0057) AWS:CloudTrail CreateSnapshot
Snapshot Metadata (DC0062) AWS:CloudTrail CopySnapshot
Network Traffic Content (DC0085) AWS:VPCFlowLogs High volume internal-to-internal IP transfer or cross-account cloud transfer
Mutable Elements
Field Description
CrossAccountIDList List of external cloud accounts authorized for snapshot or bucket sharing
Region Geographic region in which the sharing occurs (may impact logging availability)
VolumeSizeThresholdGB Threshold to alert on snapshot size or object volume
TimeWindow Temporal window between snapshot creation and external sharing

AN1581

Detects user activity that shares or syncs files with external domains via link generation, OneDrive external sharing, or file transfer actions involving non-whitelisted partner tenants.

Log Sources
Data Component Name Channel
Cloud Storage Modification (DC0023) m365:unified SharingSet
Cloud Storage Metadata (DC0027) m365:unified AnonymousLinkCreated
Application Log Content (DC0038) m365:unified FileAccessed
Mutable Elements
Field Description
ExternalDomainList Known partner or adversarial cloud identities/domains
TimeWindow Duration between file access and external sharing
SharingMethod Type of link (anonymous, internal, organization-wide) to alert on

AN1582

Detects use of built-in SaaS sharing mechanisms to transfer ownership or share access of critical data to external tenants or untrusted users through API calls or link generation features.

Log Sources
Data Component Name Channel
Cloud Storage Modification (DC0023) saas:googledrive drive.permission.add
Cloud Storage Metadata (DC0027) saas:box collaboration.invite
Mutable Elements
Field Description
UserContext Whether the user is in a high-privileged or VIP group
DomainReputationList Allowlist or blocklist of external SaaS domains
PayloadVolumeThreshold Size or number of shared files triggering alert