Leaked Azure Storage connection string — full blob access
An Azure Storage connection string contains the storage-account key. Leaking one grants read + write on every container in that storage account.
The next 60 seconds matter
The attacker loads the connection string into Azure Storage Explorer or azcopy. They enumerate containers, exfiltrate blobs, and potentially poison containers with malicious files.
- Enumerate all containers and blobs
- Exfiltrate PII / documents / customer uploads
- Poison containers with malware for any downstream consumer
- Delete blobs to hide activity
Rotation playbook
- Azure Portal → Storage Account → Access keys → Rotate key1 (or key2)
- Update every application environment with the new connection string
- Review Storage analytics logs from the past 48 hours for unusual access
Prevent the next one
- Prefer Managed Identity or SAS tokens over account keys
- Rotate keys automatically via Azure Key Vault integration
- Enable Storage firewall to restrict IP ranges that can connect
Pattern we scan for
DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...==
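
A sketch of how a scanner for this pattern can separate real account keys from documentation placeholders and SAS-based strings (added example, not the scanner this page describes). It assumes account keys are base64 that decodes to 64 bytes; the sample input and the names `scan`, `is_account_key` and `examplestore01` are constructed for illustration.

```python
import base64
import hashlib
import re

# Runs of ';'-separated Name=value pairs, the shape of a connection string.
CANDIDATE_RE = re.compile(r"[A-Za-z]+=[^;\s\"',]+(?:;[A-Za-z]+=[^;\s\"',]+)+")
# Storage account names are 3-24 lowercase letters and digits.
ACCOUNT_NAME_RE = re.compile(r"[a-z0-9]{3,24}")


def is_account_key(value):
    """True if value is strict base64 that decodes to 64 bytes (88 chars, ends '==')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 64
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan(text):
    """Return one finding per account-key connection string, never echoing the key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE_RE.finditer(line):
            pairs = {}
            for segment in match.group(0).split(";"):
                name, _, value = segment.partition("=")
                pairs[name.lower()] = value
            account, key = pairs.get("accountname", ""), pairs.get("accountkey", "")
            if ACCOUNT_NAME_RE.fullmatch(account) and is_account_key(key):
                # Short hash lets responders correlate findings without re-leaking the key.
                fingerprint = hashlib.sha256(key.encode()).hexdigest()[:12]
                findings.append({"line": line_no, "account": account, "key_sha256_12": fingerprint})
    return findings


# Constructed sample input: the key is base64 of bytes 0..63, not a real account key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE = "\n".join([
    "# constructed sample config",
    'STORAGE="DefaultEndpointsProtocol=https;AccountName=examplestore01;AccountKey='
    + SAMPLE_KEY + ';EndpointSuffix=core.windows.net"',
    "DOCS=DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=<your-key>==",
    "SAS=BlobEndpoint=https://examplestore01.blob.core.windows.net;SharedAccessSignature=sv=placeholder",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the first sample string is reported: the placeholder key fails strict base64 decoding, and the SAS string carries no AccountKey.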