{"id":131499,"date":"2023-09-07T10:00:00","date_gmt":"2023-09-07T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=131499"},"modified":"2023-09-07T06:04:42","modified_gmt":"2023-09-07T13:04:42","slug":"cloud-storage-security-whats-new-in-the-threat-matrix","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/","title":{"rendered":"Cloud storage security: What&#8217;s new in the threat matrix"},"content":{"rendered":"\n<p>Today, we announce the release of a second version of the threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services. The matrix, first released in April 2021 as detailed in the blog post <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/08\/threat-matrix-for-storage\/\">Threat matrix for storage services<\/a>, lays out a rich set of attack techniques mapped to a well-known set of tactics described by MITRE\u2019s ATT&amp;CK\u00ae framework and comprehensive knowledge base, allowing defenders to more efficiently and effectively adapt and respond to new techniques.<\/p>\n\n\n\n<p>Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: <a href=\"https:\/\/aka.ms\/StorageServicesThreatMatrix\">https:\/\/aka.ms\/StorageServicesThreatMatrix<\/a><\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-1024x547.webp\" alt=\"Threat matrix with updated techniques included in reconnaissance, initial access, persistence, defense evasion, credential access, discovery, lateral movement, and exfiltration stages. \" class=\"wp-image-131502 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-1024x547.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-300x160.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-768x410.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-1536x820.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-2048x1093.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1-1024x547.webp\"><figcaption class=\"wp-element-caption\">Figure 1. Threat matrix for storage services<\/figcaption><\/figure>\n\n\n\n<p>&nbsp;Of the new techniques detailed in this blog, several noteworthy examples include:<\/p>\n\n\n\n<ul>\n<li><strong>Object replication<\/strong> \u2013 Allows attackers to maliciously misuse the object replication feature in both directions by either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.<\/li>\n\n\n\n<li><strong>Operations across geo replicas<\/strong> \u2013 Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not detect enough activity in a single region to trigger an alert.<\/li>\n\n\n\n<li><strong>Static website<\/strong> \u2013 Allows attackers to exfiltrate data using the &#8220;static website&#8221; feature, a feature provided by major storage cloud providers that can often be overlooked by less experienced users.<\/li>\n<\/ul>\n\n\n\n<p>In this blog post, we\u2019ll introduce new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New techniques in the matrix<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Reconnaissance<\/h3>\n\n\n\n<p>Reconnaissance consists of techniques that involve attackers actively or passively gathering information that can be used to support targeting.<\/p>\n\n\n\n<p><strong>DNS\/Passive DNS <\/strong>\u2013 Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).<strong><\/strong><\/p>\n\n\n\n<p><strong>Victim-owned websites <\/strong>\u2013 Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Initial access<\/h3>\n\n\n\n<p>Initial access consists of techniques that use various entry vectors to gain their initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement through a malicious payload that is distributed to other resources.<\/p>\n\n\n\n<p><strong>SFTP credentials <\/strong>\u2013 Attackers may obtain and abuse credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, including credentials in the form of passwords or key-pairs.<\/p>\n\n\n\n<p><strong>NFS access <\/strong>\u2013 Attackers may perform initial access to a storage account using the NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.<\/p>\n\n\n\n<p><strong>SMB access <\/strong>\u2013 Attackers may perform initial access to a storage account file shares using the Server Message Block (SMB) protocol.<\/p>\n\n\n\n<p><strong>Object replication <\/strong>\u2013 Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim\u2019s container to the adversary&#8217;s container. Inbound replication can be used to deliver malware from an adversary&#8217;s container to a victim\u2019s container. After the policy is set, the attacker can operate on their container without accessing the victim container.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Persistence<\/h3>\n\n\n\n<p>Persistence consists of techniques that attackers use to keep access to the storage account due to changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems.<\/p>\n\n\n\n<p><strong>Create SAS Token <\/strong>\u2013 Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts, thus they cannot be revoked (except Service SAS) and it&#8217;s not easy to determine whether there are valid tokens in the wild until they are used.<\/p>\n\n\n\n<p><strong>Container access level property <\/strong>\u2013 Attackers may adjust the container access level property at the granularity of a blob or container to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.<\/p>\n\n\n\n<p><strong>SFTP account <\/strong>\u2013 Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.<\/p>\n\n\n\n<p><strong>Trusted Azure services <\/strong>\u2013 Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.<\/p>\n\n\n\n<p><strong>Trusted access based on a managed identity <\/strong>\u2013 Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.<\/p>\n\n\n\n<p><strong>Private endpoint <\/strong>\u2013 Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network&#8217;s address range. All the requests sent to the private endpoint bypass the storage account firewall by design.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Defense evasion<\/h3>\n\n\n\n<p>The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their malicious activity.<\/p>\n\n\n\n<p><strong>Disable audit logs <\/strong>\u2013 Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.<\/p>\n\n\n\n<p><strong>Disable cloud workload protection <\/strong>\u2013 Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.<\/p>\n\n\n\n<p><strong>Private endpoint <\/strong>\u2013 Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network&#8217;s address range. All the requests sent to the private endpoint bypass the storage account firewall by design.<\/p>\n\n\n\n<p><strong>Operations across geo replicas <\/strong>\u2013 Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Credential access<\/h3>\n\n\n\n<p>Credential access consists of techniques for stealing credentials like account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and provide the opportunity to help achieve their goals.<\/p>\n\n\n\n<p><strong>Unsecured communication channel <\/strong>\u2013 Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.<strong><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Discovery<\/h3>\n\n\n\n<p>Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.<\/p>\n\n\n\n<p><strong>Account configuration discovery <\/strong>\u2013 Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy that may assist the attacker in performing data destruction.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. Exfiltration<\/h3>\n\n\n\n<p>Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to another cloud storage outside of the victim account and may also include putting size limits on the transmission.&nbsp;<\/p>\n\n\n\n<p><strong>Static website <\/strong>\u2013 Attackers may use the &#8220;static website&#8221; feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account.&nbsp; <strong><\/strong><\/p>\n\n\n\n<p><strong>Object replication <\/strong>\u2013 Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel of customer data from a victim\u2019s container to an adversary\u2019s container.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats on your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to\u00a0detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. <a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-cloud\">Learn more<\/a> about Microsoft Defender for Cloud support for storage security.<\/p>\n\n\n\n<p><strong>Evgeny Bogokovsky<\/strong><\/p>\n\n\n\n<p><em>Microsoft Threat Intelligence<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<ul>\n<li><a href=\"https:\/\/attack.mitre.org\/\">https:\/\/attack.mitre.org\/<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Further reading<\/h2>\n\n\n\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n<p>To get notified about new publications and to join discussions on social media, follow us on Twitter at&nbsp;<a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019re announcing the release of a second version of our threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services.<\/p>\n","protected":false},"author":153,"featured_media":131506,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3667,3687],"products":[3690,3691],"threat-intelligence":[3729],"tags":[],"coauthors":[3380],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cloud storage security: What&#039;s new in the threat matrix | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cloud storage security: What&#039;s new in the threat matrix | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"We\u2019re announcing the release of a second version of our threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-07T17:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-07T13:04:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"4156\" \/>\n\t<meta property=\"og:image:height\" content=\"2219\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Cloud storage security: What&#8217;s new in the threat matrix\",\"datePublished\":\"2023-09-07T17:00:00+00:00\",\"dateModified\":\"2023-09-07T13:04:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\"},\"wordCount\":1840,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\",\"name\":\"Cloud storage security: What's new in the threat matrix | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp\",\"datePublished\":\"2023-09-07T17:00:00+00:00\",\"dateModified\":\"2023-09-07T13:04:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp\",\"width\":1200,\"height\":800,\"caption\":\"IT Pros collaborating in modern office\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cloud storage security: What&#8217;s new in the threat matrix\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cloud storage security: What's new in the threat matrix | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/","og_locale":"en_US","og_type":"article","og_title":"Cloud storage security: What's new in the threat matrix | Microsoft Security Blog","og_description":"We\u2019re announcing the release of a second version of our threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/","og_site_name":"Microsoft Security Blog","article_published_time":"2023-09-07T17:00:00+00:00","article_modified_time":"2023-09-07T13:04:42+00:00","og_image":[{"width":4156,"height":2219,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Threat-matrix-diagram-1.png","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Cloud storage security: What&#8217;s new in the threat matrix","datePublished":"2023-09-07T17:00:00+00:00","dateModified":"2023-09-07T13:04:42+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/"},"wordCount":1840,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/","name":"Cloud storage security: What's new in the threat matrix | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp","datePublished":"2023-09-07T17:00:00+00:00","dateModified":"2023-09-07T13:04:42+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Featured-image.webp","width":1200,"height":800,"caption":"IT Pros collaborating in modern office"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/07\/cloud-storage-security-whats-new-in-the-threat-matrix\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Cloud storage security: What&#8217;s new in the threat matrix"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/131499"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=131499"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/131499\/revisions"}],"predecessor-version":[{"id":131505,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/131499\/revisions\/131505"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/131506"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=131499"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=131499"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=131499"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=131499"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=131499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=131499"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=131499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}