Cloud Storage Exfiltration: How Ransomware Groups Turn SharePoint, OneDrive, and Google Drive Into Data Theft Tools

Your files are already gone. You just don’t know it yet. That’s the nature of cloud storage exfiltration – attackers move your most sensitive data out of your environment through SharePoint, OneDrive, and Google Drive before the ransom note ever appears. No exotic malware. No suspicious domains. Just your own approved tools, your own valid credentials, and traffic that looks exactly like your employees starting their morning. By the time encryption kicks in, a copy of your data is sitting on an attacker-controlled account. That’s the leverage they’re counting on.

  1. The Living-Off-the-Land Shift Ransomware Groups Made Quietly
  2. How Cloud Storage Exfiltration Actually Works
  3. Who Is Most at Risk: Why SMBs Are the Primary Target
  4. Real-World Examples Documented by CISA and FBI
  5. Why Traditional Defenses Fail Against Legitimate-Tool Abuse
  6. Defense Posture: What Actually Stops This Attack Class
  7. What to Ask Your IT Firm Right Now

The Living-Off-the-Land Shift Ransomware Groups Made Quietly

The security industry spent years training defenses to catch unknown malware – files with no reputation, code that behaves suspiciously, executables that arrive via email. Threat actors noticed. Beginning around 2020, the most capable ransomware groups stopped relying on custom malware for the data-theft phase and shifted to what researchers call “living off the land” – using tools and services that already exist inside your environment.

CISA and the FBI have documented this shift in detail. The #StopRansomware Guide published by CISA, updated in 2023, specifically calls out adversaries using legitimate remote management and cloud sync tools to stage and exfiltrate data before deploying ransomware. The objective is maximum dwell time with zero alerts.

Using consumer and enterprise cloud storage platforms as exfiltration infrastructure is a meaningful evolution of this approach. Attackers aren’t just borrowing your operating system’s built-in utilities anymore – they’re borrowing your software subscriptions. Cloud storage exfiltration is the logical next step in that trend, and it’s one that most SMB defenses are entirely unprepared to address.

How Cloud Storage Exfiltration Actually Works

Understanding the mechanics matters because it explains why detection is so hard. The attack unfolds in phases, and the cloud storage piece happens in the middle – after initial access, before encryption.

Phase 1 – Initial Access. The attacker gains a foothold through a phishing email, a compromised credential purchased on a dark web marketplace, or an unpatched internet-facing service. Once inside, they establish persistence quietly – often through a legitimate remote management tool your IT team may not even know is installed.

Phase 2 – Reconnaissance and Staging. The attacker moves laterally, identifying the most valuable data: finance folders, HR files, client records, intellectual property. They are not in a hurry. FBI reporting from the 2023 IC3 Annual Report noted median dwell times for sophisticated ransomware actors ranging from days to weeks before encryption begins.

Phase 3 – Cloud Storage Exfiltration. Instead of connecting to a suspicious command-and-control server – which a firewall or endpoint detection tool might flag – the attacker syncs the staged files to a cloud storage account they control. They may do this by:

  • Installing the OneDrive or Google Drive desktop sync client on a compromised machine and authenticating it to an attacker-owned tenant
  • Using SharePoint’s built-in “Sync” or “Send to” features to copy libraries to an external account
  • Abusing OAuth tokens or app permissions already granted by the victim’s Microsoft 365 or Google Workspace tenant to pull data via API calls that look like normal application traffic
  • Using PowerShell or command-line interfaces for OneDrive and SharePoint – legitimate administrative tools – to bulk-upload files in the background

All of that traffic flows over HTTPS to Microsoft or Google infrastructure. It’s encrypted. It passes through your firewall on port 443 alongside every other legitimate cloud request your employees generate. There is no malicious payload to scan. There is no suspicious domain to block.

Phase 4 – Encryption and Extortion. Once the data is safely in attacker hands, ransomware encrypts local and network-attached files. The attacker now holds two forms of leverage: your encrypted files and a copy of your data they can publish or sell if you don’t pay.

Who Is Most at Risk: Why SMBs Are the Primary Target

Large enterprises have dedicated security operations teams watching for anomalous data movement, identity behavior analysis, and cloud access security tools that flag unusual sync activity. Most small and mid-sized businesses have none of that; they have endpoint protection, a firewall, and maybe a spam filter. Those tools are tuned to catch unknown threats, not the authorized movement of files through authorized applications.

The FBI’s IC3 2023 Annual Report recorded over 2,825 ransomware complaints from businesses, with losses exceeding $59.6 million in reported figures – a number widely understood to undercount actual losses because many incidents go unreported. The report consistently notes that small businesses with limited IT staff are disproportionately represented.

SMBs are also more likely to be running misconfigured Microsoft 365 or Google Workspace environments. Default settings in both platforms allow external sharing, OAuth app authorization without admin approval, and broad sync permissions. An attacker who compromises one employee account in a loosely governed Microsoft 365 tenant may reach far more data than anyone intended to expose.

There’s also a conditioning problem. Business owners and executives expect SharePoint and OneDrive notifications to be routine. A sync activity alert – if it surfaces at all – reads as normal. That expectation is exactly what attackers using cloud storage exfiltration are counting on.

Real-World Examples Documented by CISA and FBI

CISA has released multiple advisories illustrating how real threat groups have incorporated cloud platforms into their operations. A few documented patterns are worth examining.

CISA Advisory AA23-061A (Ransomware Attacks on Critical Infrastructure). This advisory, covering multiple ransomware variants, explicitly documented adversaries using cloud storage services to stage exfiltrated data before encryption. Defenders focused on endpoint-based indicators of compromise missed the cloud storage exfiltration phase entirely – because it produced no traditional malware signatures.

Microsoft Threat Intelligence reporting on DEV-0537 (LAPSUS$). Microsoft’s threat intelligence team documented this group’s heavy reliance on SharePoint and other legitimate Microsoft services to move data. The group targeted organizations where employees held broad SharePoint access, using compromised credentials to download entire document libraries. The techniques require no special capability that a criminal affiliate targeting SMBs couldn’t replicate.

Documented use of “rclone” against SMB targets. CISA and multiple private threat intelligence firms have documented ransomware affiliates using rclone – a legitimate, open-source command-line tool that can sync files to any cloud storage provider – on compromised SMB networks. Because rclone is a tool IT administrators use legitimately, many endpoint protection products don’t block or alert on its execution. Affiliates of major ransomware groups including BlackCat (ALPHV) and LockBit have been documented using this technique.

The pattern across all these cases is consistent: the data left before anyone knew an attacker was present, and it left through infrastructure that looked entirely normal.

Why Traditional Defenses Fail Against Legitimate-Tool Abuse

This is the core problem cloud storage exfiltration exploits. The security model most SMBs are running was built for a different threat era – and it shows.

Traditional endpoint protection looks for malicious code. Cloud storage exfiltration involves none. The attacker runs a sync client or a signed Microsoft binary against your data. Everything is signed. Everything is trusted. The antivirus product has nothing to flag.

Traditional firewall rules block suspicious destinations. The destinations here are onedrive.live.com, sharepoint.com, and drive.google.com – addresses your IT policy probably requires to be open. Blocking them would break your own business operations.

Traditional data loss prevention tools – when SMBs have them at all – typically watch for keywords or file type patterns leaving the network via email or unrecognized upload destinations. They are not built to monitor for abnormal volume or velocity of uploads to a known-good cloud storage domain.

Identity-based alerts can work, but only if the environment is configured to generate them and someone is actively watching. Most SMBs lack the logging configuration, log retention, and alert tuning required to surface “user synced 40,000 files to an external OneDrive tenant at 2 a.m.”

Defenses tuned to catch unknown malware are largely blind to data theft conducted through approved business applications. This isn’t a vendor failure – it’s a design mismatch between the threat and the tool. Cloud storage exfiltration sits squarely in that blind spot, and attackers know it.

Defense Posture: What Actually Stops This Attack Class

Effective defense against cloud storage exfiltration means layering controls at the identity, configuration, and behavior levels – not just at the endpoint. None of these are exotic. All are achievable for SMBs with the right IT firm.

Harden your Microsoft 365 or Google Workspace configuration. Most SMB tenants ship with default settings that are far too permissive. Specific controls that reduce cloud storage exfiltration risk include:

  • Restricting external sharing in SharePoint and OneDrive to approved domains only, and blocking sharing to personal Microsoft accounts entirely
  • Enabling Conditional Access policies that prevent authentication from unmanaged or non-compliant devices
  • Requiring admin approval before OAuth applications can be granted access to tenant data
  • Disabling or restricting the ability to sync SharePoint libraries to personal machines not enrolled in device management

Enable and monitor cloud audit logs. Microsoft 365’s Unified Audit Log and Google Workspace’s Admin Audit Log capture file access, sharing events, and sync activity in detail. These logs must be turned on, retained long enough to support an investigation, and reviewed – either by a human analyst or an automated alerting system. The logs are the difference between catching an intrusion in progress and receiving a ransom note.

Implement identity threat detection. Abnormal sign-in locations, impossible travel events (a user authenticating from New Jersey and then from Eastern Europe four minutes later), and unusual file access velocity are all detectable signals. Modern identity platforms generate these alerts natively; someone needs to be watching for them.
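What "reviewing the audit log" and "identity threat detection" look like in practice, as an added example that is not part of the original post or any vendor product: the script below runs two of the checks the article describes over records shaped like Microsoft 365 Unified Audit Log entries (CreationTime, UserId, Operation, ClientIP), a bulk download/sync velocity check with an off-hours flag and an impossible-travel check between consecutive sign-ins. The records, the threshold values, and the prefix-based GEO table standing in for a real geo-IP lookup are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BULK_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}  # UAL operations that move file content out of the tenant
GEO = {"203.0.113.": "US", "198.51.100.": "RO"}  # stand-in for a geo-IP lookup, documentation ranges (constructed)
TS = "%Y-%m-%dT%H:%M:%S"  # CreationTime format used in UAL exports

def country(ip):
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "??")

def bulk_download_alerts(records, threshold=500, window=timedelta(hours=1), business_hours=(7, 19)):
    """Flag users whose busiest one-hour window of download/sync events reaches the threshold."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in BULK_OPS:
            per_user[r["UserId"]].append(datetime.strptime(r["CreationTime"], TS))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            off_hours = not (business_hours[0] <= best_start.hour < business_hours[1])
            alerts.append({"user": user, "count": best, "start": best_start.strftime(TS), "off_hours": off_hours})
    return alerts

def impossible_travel_alerts(records, max_gap=timedelta(minutes=60)):
    """Flag consecutive sign-ins by one user from different countries within max_gap."""
    logins = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            logins[r["UserId"]].append((datetime.strptime(r["CreationTime"], TS), country(r["ClientIP"])))
    alerts = []
    for user, events in logins.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= max_gap:
                alerts.append({"user": user, "from": c1, "to": c2, "minutes": int((t2 - t1).total_seconds() // 60)})
    return alerts

def sample_records():
    """Constructed UAL-shaped records: one account syncing a whole library at 2 a.m. right after a sign-in from a second country, plus a colleague's ordinary daytime downloads."""
    def rec(t, user, op, ip, name=None):
        return {"CreationTime": t.strftime(TS), "UserId": user, "Operation": op, "ClientIP": ip, "SourceFileName": name}
    alice, bob = "alice@example.com", "bob@example.com"
    recs = [rec(datetime(2024, 5, 14, 1, m), alice, "UserLoggedIn", ip) for m, ip in ((55, "203.0.113.5"), (59, "198.51.100.7"))]
    recs += [rec(datetime(2024, 5, 14, 2, 0) + timedelta(seconds=4 * i), alice, "FileSyncDownloadedFull",
                 "198.51.100.7", f"finance/ledger-{i}.xlsx") for i in range(600)]
    recs += [rec(datetime(2024, 5, 14, 9, 0) + timedelta(minutes=10 * i), bob, "FileDownloaded",
                 "203.0.113.9", f"hr/policy-{i}.docx") for i in range(30)]
    return recs
```

Calling `bulk_download_alerts(sample_records())` and `impossible_travel_alerts(sample_records())` returns one alert each for the 2 a.m. account and nothing for the daytime user; against a real export, the same functions would read records pulled from the Unified Audit Log rather than the constructed sample.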

Apply the principle of least privilege aggressively. Most SMB environments grant employees far broader access to SharePoint document libraries than their jobs require. An attacker who compromises a single account in a least-privilege environment can only exfiltrate what that account can reach. Auditing and reducing permissions regularly is one of the highest-return security controls available.

Maintain verified, immutable backups. If exfiltration has already occurred and ransomware has encrypted your files, recovery without paying depends entirely on whether your backup is clean, complete, and isolated from the primary environment. Backups stored in the same OneDrive or SharePoint tenant that was compromised are not adequate. Air-gapped or immutable backup copies stored outside the production environment are the baseline every SMB should meet.

Invest in detection, not just prevention. The CISA ransomware resources page and NIST guidance on this point are consistent: assume breach. Organizations that operate on that assumption invest in detection and response capability, not just blocking technology. Knowing within minutes that unusual bulk file access is occurring is the difference between catching an attacker mid-exfiltration and receiving a demand after the fact.

For more on how a well-structured security program approaches these controls, see Xact IT’s cybersecurity services overview.

What to Ask Your IT Firm Right Now

These questions will tell you quickly whether your current environment is exposed. A competent IT firm should be able to answer every one of them without hesitation – no follow-up email, no “we’ll look into that.”

  • Is our Microsoft 365 or Google Workspace external sharing policy locked down, or can any employee share files with any personal account?
  • Is our Unified Audit Log turned on, and how long are we retaining it? Who is reviewing it?
  • Do we have Conditional Access policies that block authentication from unmanaged devices?
  • Are OAuth application permissions reviewed and approved before third-party apps connect to our tenant?
  • Do we have an alert configured for bulk file downloads or unusual sync events at off-hours?
  • Where are our backups stored, and are they isolated from the primary Microsoft 365 or Google Workspace environment?
  • When did we last review who has access to which SharePoint libraries?

If the answers are vague, incomplete, or deferred, the exposure is real. These are not advanced enterprise controls. They are the baseline for any SMB running a cloud-based productivity environment in 2024 and 2025.

Cloud storage exfiltration works because it exploits trust – your trust in the tools your business depends on every day. Ransomware groups didn’t get smarter about breaking your defenses. They got smarter about using your own infrastructure against you. Defending against this means moving beyond “did unknown malware get in?” and toward the harder, more important question: what is leaving our environment, through which applications, and should it be?

If you want a clear-eyed answer to that question for your own environment, Book a Free Cybersecurity Strategy Call. No pressure, no obligation – just a 20-minute conversation with our team about where you actually stand.

How cloud storage exfiltration moves your data through trusted platforms before ransomware encryption begins.
