Azure Storage account modified to disable secure REST traffic
Description
AlphaSOC detected a modification to an Azure Storage account that disables the
secure transfer requirement, allowing insecure HTTP traffic. This is identified
through the Microsoft.Storage/storageAccounts/write action where the
supportsHttpsTrafficOnly property is set to false. Azure Storage accounts
support a secure transfer requirement that enforces HTTPS for all REST API
operations, ensuring data in transit is encrypted using TLS/SSL protocols.
Organizations enable this setting to protect sensitive data from interception,
eavesdropping, and man-in-the-middle attacks during transmission between clients
and storage services.
When the secure transfer requirement is enabled, any requests made over unencrypted HTTP connections are automatically rejected, enforcing transport-layer security for all data access operations including blob uploads and downloads, table queries, queue messages, and file share access. However, threat actors who have gained access to an Azure environment may disable this security control to allow unencrypted HTTP connections, enabling them to intercept authentication tokens, access keys, or data payloads transmitted in clear text. By disabling the HTTPS-only requirement, attackers weaken transport security controls and create opportunities for credential theft or data interception on compromised or monitored networks.
Impact
Disabling the secure transfer requirement exposes Azure Storage data to interception during transmission over unencrypted HTTP connections. Attackers positioned on the network path between clients and Azure Storage can conduct man-in-the-middle attacks to capture authentication credentials, shared access signature (SAS) tokens, or storage account access keys transmitted in HTTP headers. The unencrypted traffic also exposes sensitive data payloads, allowing threat actors to read confidential files, customer information, or proprietary data being uploaded to or downloaded from blob containers, file shares, tables, or queues. Organizations face increased risk of credential compromise, as captured access tokens can be replayed to gain unauthorized access to storage resources.
The weakened security posture violates security best practices and compliance requirements that mandate encryption of data in transit, potentially resulting in regulatory violations and audit findings.
Severity
| Severity | Condition |
|---|---|
| Low | Azure Storage account modified to disable secure REST traffic |
Investigation and Remediation
Review Azure Activity logs to identify the
Microsoft.Storage/storageAccounts/write event and examine the request body to
verify the supportsHttpsTrafficOnly property was set to false. Identify the
affected storage account and assess what data is stored within it, including the
sensitivity of blobs, files, tables, and queues, to understand the scope of
potential exposure. Verify the principal (user, service principal, or managed
identity) that performed the modification and check the source IP address and
user agent to confirm whether the activity originated from authorized
infrastructure or personnel. Review Azure Storage diagnostic logs and access
logs to identify any HTTP connections made to the storage account during the
period when secure transfer was disabled, looking for unencrypted traffic that
may have exposed sensitive data or credentials.
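The detection and the first triage steps above (find the Microsoft.Storage/storageAccounts/write event whose request body sets supportsHttpsTrafficOnly to false, then pull out the principal, source IP and affected account, and check whether a later write already restored the setting) as an added worked example. This is not AlphaSOC's own detection logic. The field names (operationName.value, status.value, caller, httpRequest.clientIpAddress, properties.requestbody, resourceId, eventTimestamp, correlationId) follow the Azure Activity Log REST event shape and are assumptions about the export you are working with; the event records are constructed sample data, not real log output.

```python
"""Flag Activity Log writes that disable the Azure Storage secure transfer requirement.

Added example, not AlphaSOC code. Field names assume the Activity Log REST
event shape; SAMPLE_EVENTS below is constructed data for illustration.
"""
import json
from typing import Any, Dict, List, Optional

WRITE_OP = "microsoft.storage/storageaccounts/write"


def _parse_body(raw: Any) -> Dict[str, Any]:
    """properties.requestbody is a JSON string; tolerate a missing or malformed body."""
    if isinstance(raw, dict):
        return raw
    if not raw:
        return {}
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def https_only_setting(body: Dict[str, Any]) -> Optional[bool]:
    """Value of properties.supportsHttpsTrafficOnly in a write body, or None if untouched."""
    props = body.get("properties")
    if not isinstance(props, dict) or "supportsHttpsTrafficOnly" not in props:
        return None
    value = props["supportsHttpsTrafficOnly"]
    if isinstance(value, bool):
        return value
    if isinstance(value, str):  # some tooling serialises booleans as strings
        return value.strip().lower() == "true"
    return None


def _is_successful_storage_write(ev: Dict[str, Any]) -> bool:
    op = (ev.get("operationName") or {}).get("value", "")
    status = (ev.get("status") or {}).get("value", "")
    # A denied or failed write (for example one blocked by Azure Policy) changed nothing.
    return op.lower() == WRITE_OP and status == "Succeeded"


def find_secure_transfer_disabled(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One triage record per successful write that set supportsHttpsTrafficOnly=false."""
    findings = []
    for ev in events:
        if not _is_successful_storage_write(ev):
            continue
        body = _parse_body((ev.get("properties") or {}).get("requestbody"))
        if https_only_setting(body) is False:
            findings.append({
                "time": ev.get("eventTimestamp"),
                "resource": ev.get("resourceId"),
                "caller": ev.get("caller"),
                "client_ip": (ev.get("httpRequest") or {}).get("clientIpAddress"),
                "correlation_id": ev.get("correlationId"),
            })
    return findings


def restored_after(events: List[Dict[str, Any]], resource_id: str, since: str) -> bool:
    """True if a later successful write on the same account set the property back to true.

    Timestamps are compared as ISO-8601 UTC strings, which order correctly as long as
    every record uses the same format (as Activity Log exports do).
    """
    for ev in events:
        if not _is_successful_storage_write(ev) or ev.get("resourceId") != resource_id:
            continue
        if (ev.get("eventTimestamp") or "") <= since:
            continue
        body = _parse_body((ev.get("properties") or {}).get("requestbody"))
        if https_only_setting(body) is True:
            return True
    return False


# Constructed sample records (placeholder subscription, RFC 5737 documentation IP).
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
_ACCT1 = _RG + "/providers/Microsoft.Storage/storageAccounts/stexample01"
_ACCT2 = _RG + "/providers/Microsoft.Storage/storageAccounts/stexample02"


def _event(ts, resource, op, status, body, caller="alice@example.com", ip="203.0.113.10"):
    return {
        "eventTimestamp": ts, "resourceId": resource, "caller": caller,
        "operationName": {"value": op}, "status": {"value": status},
        "httpRequest": {"clientIpAddress": ip}, "correlationId": "corr-" + ts,
        "properties": {"requestbody": body},
    }


SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", _ACCT1, "Microsoft.Storage/storageAccounts/write",
           "Succeeded", '{"properties":{"supportsHttpsTrafficOnly":false}}'),
    _event("2024-05-01T10:05:00Z", _ACCT2, "Microsoft.Storage/storageAccounts/write",
           "Succeeded", '{"properties":{"allowBlobPublicAccess":false}}'),   # unrelated write
    _event("2024-05-01T10:10:00Z", _ACCT2, "Microsoft.Storage/storageAccounts/write",
           "Failed", '{"properties":{"supportsHttpsTrafficOnly":false}}'),   # blocked, no change
    _event("2024-05-01T10:20:00Z", _ACCT1, "Microsoft.Storage/storageAccounts/listKeys/action",
           "Succeeded", None),                                                # not a write
    _event("2024-05-01T11:30:00Z", _ACCT1, "Microsoft.Storage/storageAccounts/write",
           "Succeeded", '{"properties":{"supportsHttpsTrafficOnly":true}}'),  # restored
]

if __name__ == "__main__":
    for f in find_secure_transfer_disabled(SAMPLE_EVENTS):
        print(f, "restored:", restored_after(SAMPLE_EVENTS, f["resource"], f["time"]))
```

Only successful writes are reported so that a change Azure Policy denied does not raise a finding, and the restoration check tells you how long the HTTP window lasted, which is the period to scope in the storage diagnostic logs.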
If the modification was unauthorized, immediately re-enable the secure transfer
requirement by setting supportsHttpsTrafficOnly to true, which will force
all subsequent connections to use HTTPS. Assess whether any authentication
tokens, SAS tokens, or access keys may have been transmitted over unencrypted
connections and rotate all storage account access keys as a precaution. Disable
or rotate credentials for the compromised principal and review Azure RBAC
assignments to remove excessive permissions on storage account resources.
Examine network traffic logs if available to detect potential man-in-the-middle
attacks or credential interception attempts during the window when HTTP traffic
was allowed. Implement Azure Policy to enforce the secure transfer requirement
across all storage accounts and configure alerts for future modifications to
this security setting.
Known False Positives
- Legacy applications or systems that do not support HTTPS connections and require temporary HTTP access during migration or modernization efforts
- Troubleshooting activities where administrators temporarily disable secure transfer to diagnose connectivity issues with older clients
- Testing scenarios in non-production environments where secure transfer requirements are relaxed for development purposes