Azure Disk | Data Exfiltration


In this article, I will show you how a malicious actor can leverage the Azure Managed Disk Import / Export feature to exfiltrate data outside of your organization. By default, every Azure managed disk is created with its public endpoint enabled.


You can generate a time-bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots in order to export the data to another region (regional expansion, disaster recovery) or to read it for forensic analysis. When the URI is generated, you must define an expiration time (maximum expiration time 4294967295 seconds). From then until the URI expires, anyone who knows the SAS URI can download the disk, with no IP filtering applied.

To prevent this security issue, I recommend that you:

  • Enable a Private endpoint (through a disk access resource), or
  • Set the connectivity method to « Deny all »

If you want to know which managed disks are configured with the connectivity method « Public endpoint », you can use an Azure Policy in audit mode:

      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/disks"
            },
            {
              "field": "Microsoft.Compute/disks/networkAccessPolicy",
              "equals": "AllowAll"
            }
          ]
        },
        "then": {
          "effect": "audit"
        }
      }

And if you want to block this configuration rather than only report it, switch the effect of this policy from « audit » to « Deny ».
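As an added example (not code from the original post), here is a small offline triage script that applies the same test as the audit policy above to a disk list and also flags disks that currently have an export SAS granted. It assumes the field names `networkAccessPolicy` and `diskState` as returned by `az disk list -o json`, and the Compute API enum values AllowPrivate, DenyAll and ActiveSAS; the disk list itself is constructed sample data.

```python
"""Triage managed disks for the two exposure signals discussed above:
a public endpoint still allowed, and an export SAS that is currently active.
The input mimics `az disk list -o json` (assumption: only the fields used
here are relied on). The sample below is constructed, not real data."""
import json

# networkAccessPolicy values that still let a SAS export reach the disk
# over the public endpoint (the value the audit policy matches on).
PUBLIC_POLICIES = {"AllowAll"}

# Constructed sample; <subscription-id> is a placeholder.
SAMPLE_DISKS = json.loads("""[
  {"name": "vm1-osdisk", "resourceGroup": "rg-prod",
   "diskState": "Attached", "networkAccessPolicy": "AllowAll"},
  {"name": "old-data", "resourceGroup": "rg-prod",
   "diskState": "ActiveSAS", "networkAccessPolicy": "AllowAll"},
  {"name": "backup-disk", "resourceGroup": "rg-dr",
   "diskState": "Unattached", "networkAccessPolicy": "AllowPrivate",
   "diskAccessId": "/subscriptions/<subscription-id>/resourceGroups/rg-dr/providers/Microsoft.Compute/diskAccesses/da-dr"},
  {"name": "legacy", "resourceGroup": "rg-legacy", "diskState": "Unattached"},
  {"name": "locked", "resourceGroup": "rg-dr",
   "diskState": "Unattached", "networkAccessPolicy": "DenyAll"}
]""")


def matches_policy(disk):
    """Same condition as the policy's allOf: networkAccessPolicy == AllowAll.
    A disk with no value set is treated as public as well, since the public
    endpoint is the default (assumption made for this example)."""
    return disk.get("networkAccessPolicy", "AllowAll") in PUBLIC_POLICIES


def audit_disks(disks):
    """Return (disk name, finding) pairs a defender should look at."""
    findings = []
    for d in disks:
        if matches_policy(d):
            findings.append((d["name"], "public endpoint allowed"))
        # ActiveSAS: an export SAS has been granted and not yet revoked, so
        # anyone holding that URI can download the disk right now.
        if d.get("diskState") == "ActiveSAS":
            findings.append((d["name"], "export SAS currently active"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_disks(SAMPLE_DISKS):
        print(f"{name}: {finding}")
```

Run it against the real output of `az disk list -o json` by loading that file in place of SAMPLE_DISKS.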


This blog is part of Azure Week. Check it out for more great content!

About the Author:

I’m Max, Microsoft MVP Azure and Director of Cloud Security Architecture at a financial company based in Toronto, Canada.

The goal of this blog is to share with you my feedback, proofs of concept, and other contributions based on blog posts and videos.


Coquerel, M. (2021). Azure Disk | Data Exfiltration. Available at: [Accessed: 7th July 2021].
