Azure Storage account cross-tenant replication enabled
Description
AlphaSOC detected configuration of an Azure Storage account to enable
cross-tenant replication via Microsoft.Storage/storageAccounts/write with the
allowCrossTenantReplication property set to true.
Cross-tenant replication allows data to be replicated to storage accounts in different Azure AD tenants. Adversaries who have compromised Azure credentials may enable this setting to exfiltrate data to attacker-controlled tenants, bypassing traditional network-based data loss prevention controls.
Impact
Enabling cross-tenant replication can facilitate data exfiltration to external Azure tenants controlled by attackers. Sensitive data can be replicated outside the organization's security boundary without triggering network monitoring. This technique allows attackers to maintain persistent access to stolen data even after their initial access is revoked.
Severity
| Severity | Condition |
|---|---|
| Low | Cross-tenant replication enabled |
Investigation and Remediation
Review Azure Activity logs for Microsoft.Storage/storageAccounts/write events
where allowCrossTenantReplication was set to true. Identify the principal
that made the change and verify whether it was authorized.
If unauthorized, immediately disable cross-tenant replication on the storage account. Review object replication policies to identify if any data was replicated to external tenants. Investigate the compromised identity and rotate its credentials. Implement Azure Policy to prevent enabling cross-tenant replication on storage accounts containing sensitive data.
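The log review described above can be scripted. The following Python example is added here and is not AlphaSOC's own detection code; it assumes the classic Azure Activity Log export shape, in which a storage account write event carries the ARM request body as a JSON string under `properties.requestbody`. All sample events are constructed. The filter keeps only succeeded `Microsoft.Storage/storageAccounts/write` events whose request body sets `allowCrossTenantReplication` to `true`, and returns the caller, resource and timestamp so an analyst can check whether the principal was authorized:

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

TARGET_OP = "Microsoft.Storage/storageAccounts/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample Activity Log records (shape is an assumption, see lead-in).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # cross-tenant replication switched on -> should be flagged
        "eventTimestamp": "2024-05-01T10:15:00Z",
        "operationName": TARGET_OP,
        "status": "Succeeded",
        "caller": "alice@example.com",
        "resourceId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprod001",
        "properties": {"requestbody": json.dumps({"properties": {"allowCrossTenantReplication": True}})},
    },
    {   # explicitly disabling the setting -> benign
        "eventTimestamp": "2024-05-01T10:20:00Z",
        "operationName": TARGET_OP,
        "status": "Succeeded",
        "caller": "bob@example.com",
        "resourceId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprod002",
        "properties": {"requestbody": json.dumps({"properties": {"allowCrossTenantReplication": False}})},
    },
    {   # unrelated storage account write (TLS setting) -> benign
        "eventTimestamp": "2024-05-01T10:25:00Z",
        "operationName": TARGET_OP,
        "status": "Succeeded",
        "caller": "bob@example.com",
        "resourceId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprod002",
        "properties": {"requestbody": json.dumps({"properties": {"minimumTlsVersion": "TLS1_2"}})},
    },
    {   # attempt that was rejected by RBAC/policy -> not a successful change
        "eventTimestamp": "2024-05-01T10:30:00Z",
        "operationName": TARGET_OP,
        "status": "Failed",
        "caller": "carol@example.com",
        "resourceId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprod003",
        "properties": {"requestbody": json.dumps({"properties": {"allowCrossTenantReplication": True}})},
    },
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    caller: str
    resource_id: str


def _request_sets_cross_tenant(event: Dict[str, Any]) -> bool:
    """True if the event's request body sets allowCrossTenantReplication to true."""
    raw = (event.get("properties") or {}).get("requestbody")
    if not raw:
        return False
    try:
        body = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return False  # malformed body: nothing to assert about the property
    props = body.get("properties") or {}
    return props.get("allowCrossTenantReplication") is True


def find_cross_tenant_enablements(events: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Return one Finding per succeeded write that enabled cross-tenant replication."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("operationName") != TARGET_OP:
            continue
        if ev.get("status") != "Succeeded":
            continue  # failed attempts are worth reviewing separately, not flagged here
        if _request_sets_cross_tenant(ev):
            findings.append(Finding(ev["eventTimestamp"], ev.get("caller", "<unknown>"), ev["resourceId"]))
    return findings


if __name__ == "__main__":
    for f in find_cross_tenant_enablements(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.caller} enabled cross-tenant replication on {f.resource_id}")
```

Each finding names the principal to validate; a caller that is not an expected storage administrator, or a storage account that holds sensitive data, is the case the remediation steps above apply to.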