1.0 Introduction
Cloud storage stands at the core of AI-driven applications, making its security more vital than ever. As generative AI continues to drive innovation, protecting the storage infrastructure becomes central to ensuring both the reliability and safety of AI solutions.
Every industry encounters its own set of storage security challenges. For example, financial services must navigate complex compliance requirements and guard against insider risks. Healthcare organizations deal with the protection of confidential patient information (e.g. electronic medical records), while manufacturing and retail face the complexities of distributed environments and vulnerable supply chains.
At Microsoft, we leverage product telemetry to gain insight into the most frequent storage security alerts and understand how risks manifest differently across various customer sectors.
This article delves into how storage threats are shaped by industry dynamics, drawn on data collected from our customer base to illustrate emerging patterns and risks.
Acknowledgement:
This blog represents the collaborative work of the following Storage security in MDC v-team members:
- Fernanda Vela and Alex Steele, for initiating the project, preparing the initial draft and shaping the way we tell the story
- Eitan Bremler and Lior Tsalovich, for product and customer insights, synthesizing product telemetry and providing review
- Yuri Diogenes, for his supervision, review and cheerleading
We extend our sincere appreciation to each contributor for their dedication and expertise.
1.1 Key findings from product telemetry: Top storage security alerts across industries
Based on telemetry gathered from Microsoft Defender for Cloud, certain alerts consistently emerge as the most prevalent across different sectors. These patterns highlight the types of threats and suspicious activities organizations encounter most frequently, reflecting both industry-specific risks and broader attack trends. In the section that follows, this information is presented in detail, offering a breakdown of the most common alerts observed within each industry and providing valuable insight into how storage environments are being targeted and defended.
1.1.1 How do storage security alerts in Defender for Cloud work
To protect storage accounts from threats, Microsoft Defender for Cloud storage security provides a wide range of security alerts designed to detect suspicious, risky, or anomalous activity across Azure Storage services such as Blob Storage, Data Lake Gen2, and Azure Files.
These alerts cover scenarios like unauthorized access attempts, abnormal usage patterns, potential data exfiltration, malware uploads or downloads, sensitive data exposure and changes that may expose storage containers to the public. They leverage threat intelligence and behavioral analytics to identify activity from malicious IPs, unusual geographies, or suspicious applications, ensuring organizations are alerted when their storage environment is potentially at risk.
Each alert is categorized by severity, helping organizations prioritize responses to the most critical threats, such as confirmed malware or credential compromise, while also surfacing medium and low-risk anomalies that may indicate early stages of an attack. Overall, Defender for Storage enables proactive monitoring and rapid detection of threats to cloud storage, reducing the risk of exposure, misuse, or compromise of valuable data assets.
1.1.2 Top alert types for major industries
Financial, healthcare, technology, energy and manufacturing are often cited as the most targeted industries because of the value of their data, regulatory exposure and their role in critical infrastructure.
Our telemetry from Microsoft Defender for Cloud (MDC) shows the top security alerts in storage resources across these five industries:
- Finance industry
- Health care industry
- Manufacturing industry
- Software industry
- Energy industry
1.1.3 Top 9 alerts across industries
Across industries, the most common alert—averaging 1,300 occurrences per month—is “Unusual application accessed a storage account,” indicating unexpected access to a storage account. Below are the top cross-industry alerts based on this analysis.
1.2 Analysis
Application Anomaly Alerts
Ranking: #1 across all industries (Finance, Manufacturing, Software, Energy, Healthcare)
Alert: Access from a suspicious application (Storage.Blob_ApplicationAnomaly)
Why it happens:
- Organizations increasingly use automation, third-party integrations, and custom scripts to interact with cloud storage.
- Shadow IT and lack of centralized app governance lead to unexpected access patterns.
- In sectors like healthcare and finance, sensitive data attracts attackers who may use compromised or malicious apps to probe for weaknesses.
Interpretation:
- High prevalence indicates a need for stricter application registration, monitoring, and access controls.
- Industries should prioritize visibility into which apps are accessing storage and enforce policies to block unapproved applications.
Geo-Anomaly Alerts
Ranking: #2 or #3 in most industries
Alert: Access from an unusual location (Storage.Blob_GeoAnomaly, Storage.Files_GeoAnomaly)
Why it happens:
- Global operations, remote work, and distributed teams are common in energy, manufacturing, and healthcare.
- Attackers may use VPNs or compromised credentials to access storage from unusual regions.
Interpretation:
- Frequent geo-anomalies suggest gaps in geo-fencing and conditional access policies.
- Organizations should review access logs, enforce region-based restrictions, and monitor cross-border data flows.
Malware-Related Alerts
Ranking: Prominent in healthcare, finance, and software sectors
Alerts:
- Malware found in blob (Storage.Blob_AM.MalwareFound)
- Malware download detected (Storage.Blob_MalwareDownload)
- Access from IP with suspicious file hash reputation (Storage.Blob_MalwareHashReputation)
Why it happens:
- High-value data and frequent file exchanges make these industries attractive targets for ransomware and malware campaigns.
- Insufficient scanning capacity or delayed remediation can allow malware to persist.
Interpretation:
- Rising malware alerts point to active threat campaigns and the need for real-time scanning and automated remediation.
- Industries should scale up Defender capacity, integrate threat intelligence, and enable automatic malware removal.
Open Container Scanning Alerts
Ranking: More frequent in energy and manufacturing
Alerts:
- Successful discovery of open storage containers (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery)
- Failed attempt to scan open containers (Storage.Blob_OpenContainersScanning.FailedAttempt)
Why it happens:
- Rapid cloud adoption and operational urgency can lead to misconfigured storage containers.
- Legacy systems and lack of automated policy enforcement increase exposure risk.
Interpretation:
- High rates of open container alerts signal the need for regular configuration audits and automated security policies.
- Organizations should prioritize closing public access and monitoring for changes in container exposure.
Anonymous Access & Data Exfiltration Alerts
Ranking: Present across industries, especially where sensitive data is stored
Alerts:
- Anonymous access anomaly detected (Storage.Blob_AnonymousAccessAnomaly)
- Data exfiltration detected: unusual amount/number of blobs (Storage.Blob_DataExfiltration.AmountOfDataAnomaly, Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly)
Why it happens:
- Attackers may attempt to access data anonymously or exfiltrate large volumes of data.
- Weak access controls or lack of monitoring can enable these behaviors.
Interpretation:
- These alerts should trigger immediate investigation and remediation.
- Organizations must enforce strict access controls and monitor for abnormal data movement.
Key Takeaways Across Industries
- Application anomaly and geo-anomaly alerts are universal, reflecting the challenges of managing automation and global access in modern cloud environments.
- Malware-related alerts are especially critical in sectors handling sensitive or regulated data, indicating active targeting by threat actors.
- Open container and capacity alerts reveal operational and configuration risks, often tied to rapid scaling and cloud adoption.
Interpreting these trends:
- High alert shares for specific patterns should drive targeted investments in security controls, monitoring, and automation.
- Industries must adapt their security strategies to their unique risk profiles, balancing innovation with robust protection.
1.3 Protect storage accounts from threats
To address these challenges, Microsoft Defender for Cloud Storage Security offers:
- Real-time monitoring of storage-related threats: identifies unusual access patterns through direct integration with Azure.
- Detection and mitigation backed by threat intelligence: adds threat context and reduces false positives.
- Integration with Defender XDR: provides unified threat correlation, investigation and triage, with industry-leading SIEM integration.
2.0 Malware in Storage: A Growing Threat
Based on the findings from section 1, let’s analyze which industry receives the largest share of malware-related alerts:
2.1 Top Findings
Healthcare:
- Malware found in blob (8.6%)
- Malware download detected (5.5%)
- Malware hash reputation (4.6%)
- Total malware-related share: ~18.7%
Finance:
- Malware found in blob (4.5%)
- Malware download detected (3.9%)
- Malware hash reputation (4.6%)
- Total malware-related share: ~13%
Manufacturing:
- Malware found in blob (8.5%)
- Malware download detected (2.7%)
- Malware hash reputation (3.3%)
- Total malware-related share: ~14.5%
Software:
- Malware found in blob (7.8%)
- Malware download detected (5.9%)
- Malware hash reputation (15.6%)
- Total malware-related share: ~29.3% (notably high due to the hash reputation alert)
Energy:
- Malware hash reputation (4.2%)
- Malware found in blob (not in top 7)
- Malware download detected (not in top 7)
- Total malware-related share: ~4.2% (lower than other sectors)
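The grouping of alert types into the families used in the analysis above, and the "total malware-related share" arithmetic of this section, as an added example (not code from this post, its telemetry pipeline, or Defender for Cloud). It assumes alerts arrive as (industry, alert type) pairs and uses a constructed finance sample whose counts mirror the appendix shares; `Storage.PLACEHOLDER_UncoveredAlert` is a made-up placeholder type.

```python
# Added example, not code from the post or from Defender for Cloud: it groups
# Defender for Storage alert types into the families the article discusses and
# computes each family's share of an industry's alert volume, the way the
# "total malware-related share" figures in section 2.1 are derived.
from collections import Counter, defaultdict

# Alert-type families as the article groups them; the tags are the Defender for
# Storage alert types quoted in the text.
FAMILIES = {
    "application_anomaly": {"Storage.Blob_ApplicationAnomaly",
                            "Storage.Files_ApplicationAnomaly"},
    "geo_anomaly": {"Storage.Blob_GeoAnomaly", "Storage.Files_GeoAnomaly"},
    "malware": {"Storage.Blob_AM.MalwareFound", "Storage.Blob_MalwareDownload",
                "Storage.Blob_MalwareHashReputation"},
    "open_container_scanning": {
        "Storage.Blob_OpenContainersScanning.SuccessfulDiscovery",
        "Storage.Blob_OpenContainersScanning.FailedAttempt"},
    "anonymous_or_exfiltration": {
        "Storage.Blob_AnonymousAccessAnomaly",
        "Storage.Blob_DataExfiltration.AmountOfDataAnomaly",
        "Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly"},
}
TAG_TO_FAMILY = {tag: fam for fam, tags in FAMILIES.items() for tag in tags}

def family_of(alert_type):
    """Map an alert type to its family. Unknown types go to 'other' rather
    than being dropped, so an industry's shares still add up to 100."""
    return TAG_TO_FAMILY.get(alert_type, "other")

def family_shares(alerts):
    """alerts: iterable of (industry, alert_type) pairs.
    Returns {industry: {family: share of that industry's alerts, in %}}."""
    per_industry = defaultdict(Counter)
    for industry, alert_type in alerts:
        per_industry[industry][family_of(alert_type)] += 1
    shares = {}
    for industry, counts in per_industry.items():
        total = sum(counts.values())
        shares[industry] = {fam: round(100.0 * n / total, 2)
                            for fam, n in counts.items()}
    return shares

def ranked_families(shares, industry):
    """Families of one industry, highest share first (name breaks ties)."""
    return sorted(shares[industry].items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample (not real telemetry): 1,000 finance alerts whose per-type
# counts mirror the appendix shares, plus 19 of a placeholder type the article
# does not cover, to exercise the 'other' bucket.
FINANCE_COUNTS = {
    "Storage.Blob_ApplicationAnomaly": 344, "Storage.Blob_GeoAnomaly": 231,
    "Storage.Files_GeoAnomaly": 79, "Storage.Files_ApplicationAnomaly": 78,
    "Storage.Blob_OpenContainersScanning.FailedAttempt": 64,
    "Storage.Blob_MalwareHashReputation": 46, "Storage.Blob_AM.MalwareFound": 45,
    "Storage.Blob_MalwareDownload": 39, "Storage.Blob_AnonymousAccessAnomaly": 33,
    "Storage.Blob_DataExfiltration.AmountOfDataAnomaly": 22,
    "Storage.PLACEHOLDER_UncoveredAlert": 19,  # placeholder, not a real alert type
}
SAMPLE_ALERTS = [("finance", tag) for tag, n in FINANCE_COUNTS.items()
                 for _ in range(n)]
```

Calling `ranked_families(family_shares(SAMPLE_ALERTS), "finance")` yields the malware family at 13.0%, matching the ~13% finance total above.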
2.2 Analysis
The software industry has the highest combined share of malware alerts, driven mainly by a very high share for “Malware hash reputation” (15.6%) together with significant shares for “Malware found in blob” and “Malware download detected.” Healthcare also has a high combined share of malware alerts, though not as high as software. Finance, manufacturing and energy have lower shares of malware alerts than software and healthcare.
How to Read This Trend
- Software companies are likely targeted more for malware due to their high volume of code, frequent file exchanges, and integration with many external sources.
- Healthcare is also a prime target because of sensitive patient data (e.g. electronic medical records) and regulatory requirements.
- If your organization is in software or healthcare, pay extra attention to malware scanning, automated remediation, and threat intelligence integration. Regularly review and update malware protection policies.
2.3 How Microsoft Helps Prevent Malware Spread
Defender for Cloud mitigates these risks by:
- Scanning storage accounts for malicious content on upload or on demand
- Automatically remediating suspicious uploads
- Integrating with threat intelligence for threat-context correlation, advanced investigation and threat response.
To learn more about Malware Scanning in Defender for Cloud, visit: Introduction to Defender for Storage malware scanning - Microsoft Defender for Cloud | Microsoft Learn
3.0 Conclusion
As cloud and AI adoption accelerate, storage security is now essential for every industry. Microsoft Defender for Cloud storage security telemetry shows that the most frequent alerts—like suspicious application access, geo-anomalies, and malware detection—reflect both evolving threats and the realities of modern operations.
These trends highlight the need for proactive monitoring, and strong threat detection and mitigation. Defender for Cloud helps organizations stay ahead of risks, protect critical data, and enable safe innovation in the cloud.
Learn more about Defender for Cloud storage security:
Microsoft Defender for Cloud | Microsoft Security
Start a free Azure trial.
Read more about Microsoft Defender for Cloud Storage Security here.
4.0 Appendix: Detailed Data for Top Industry-Specific Alerts
4.1 Finance Industry
| Alert Type | Tag | Description | Share (%) |
|---|---|---|---|
| Access from a suspicious application | Storage.Blob_ApplicationAnomaly | Blob accessed using a suspicious/uncommon application | 34.40 |
| Access from an unusual location | Storage.Blob_GeoAnomaly | Blob accessed from a geographic location that deviates from typical patterns | 23.10 |
| Access from an unusual location (Azure Files) | Storage.Files_GeoAnomaly | Azure Files share accessed from an unexpected geographic region | 7.90 |
| Access from a suspicious application (Files) | Storage.Files_ApplicationAnomaly | Azure Files share accessed using a suspicious application | 7.80 |
| Failed attempt to scan open containers | Storage.Blob_OpenContainersScanning.FailedAttempt | Failed attempt to scan publicly accessible containers for security risks | 6.40 |
| Access from IP with suspicious file hash | Storage.Blob_MalwareHashReputation | Blob accessed from an IP with known malicious file hashes | 4.60 |
| Malware found in blob | Storage.Blob_AM.MalwareFound | Malware detected within a blob during scanning | 4.50 |
| Malware download detected | Storage.Blob_MalwareDownload | Blob download activity suggests malware distribution | 3.90 |
| Anonymous access anomaly detected | Storage.Blob_AnonymousAccessAnomaly | Blob accessed anonymously in an abnormal way | 3.30 |
| Data exfiltration: unusual amount of data | Storage.Blob_DataExfiltration.AmountOfDataAnomaly | Large volume of data accessed/downloaded, possible exfiltration | 2.20 |
4.2 Healthcare Industry
| Alert Type | Tag | Description | Share (%) |
|---|---|---|---|
| Access from a suspicious application | Storage.Blob_ApplicationAnomaly | Blob accessed using a suspicious/uncommon application | 42.40 |
| Access from an unusual location | Storage.Blob_GeoAnomaly | Blob accessed from a geographic location that deviates from typical patterns | 17.10 |
| Access from a suspicious application (Files) | Storage.Files_ApplicationAnomaly | Azure Files share accessed using a suspicious application | 9.70 |
| Malware found in blob | Storage.Blob_AM.MalwareFound | Malware detected within a blob during scanning | 8.60 |
| Access from an unusual location (Files) | Storage.Files_GeoAnomaly | Azure Files share accessed from an unexpected geographic region | 8.20 |
| Malware download detected | Storage.Blob_MalwareDownload | Blob download activity suggests malware distribution | 5.50 |
| Access from IP with suspicious file hash | Storage.Blob_MalwareHashReputation | Blob accessed from an IP with known malicious file hashes | 4.60 |
| Failed attempt to scan open containers | Storage.Blob_OpenContainersScanning.FailedAttempt | Failed attempt to scan publicly accessible containers for security risks | 4.10 |
4.3 Manufacturing Industry
| Alert Type | Tag | Description | Share (%) |
|---|---|---|---|
| Access from a suspicious application | Storage.Blob_ApplicationAnomaly | Blob accessed using a suspicious/uncommon application | 28.70 |
| Access from an unusual location | Storage.Blob_GeoAnomaly | Blob accessed from a geographic location that deviates from typical patterns | 24.10 |
| Access from a suspicious application (Files) | Storage.Files_ApplicationAnomaly | Azure Files share accessed using a suspicious application | 9.40 |
| Failed attempt to scan open containers | Storage.Blob_OpenContainersScanning.FailedAttempt | Failed attempt to scan publicly accessible containers for security risks | 8.90 |
| Malware found in blob | Storage.Blob_AM.MalwareFound | Malware detected within a blob during scanning | 8.50 |
| Access from an unusual location (Files) | Storage.Files_GeoAnomaly | Azure Files share accessed from an unexpected geographic region | 7.00 |
| Anonymous access anomaly detected | Storage.Blob_AnonymousAccessAnomaly | Blob accessed anonymously in an abnormal way | 5.20 |
| Access from IP with suspicious file hash | Storage.Blob_MalwareHashReputation | Blob accessed from an IP with known malicious file hashes | 3.30 |
| Malware download detected | Storage.Blob_MalwareDownload | Blob download activity suggests malware distribution | 2.70 |
| Data exfiltration: unusual number of blobs | Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly | Unusual number of blobs accessed, possible exfiltration | 2.30 |
4.4 Software Industry
| Alert Type | Tag | Description | Share (%) |
|---|---|---|---|
| Access from a suspicious application | Storage.Blob_ApplicationAnomaly | Blob accessed using a suspicious/uncommon application | 22.20 |
| Access from an unusual location | Storage.Blob_GeoAnomaly | Blob accessed from a geographic location that deviates from typical patterns | 16.40 |
| Access from IP with suspicious file hash | Storage.Blob_MalwareHashReputation | Blob accessed from an IP with known malicious file hashes | 15.60 |
| Access from a suspicious application (Files) | Storage.Files_ApplicationAnomaly | Azure Files share accessed using a suspicious application | 8.10 |
| Malware found in blob | Storage.Blob_AM.MalwareFound | Malware detected within a blob during scanning | 7.80 |
| Failed attempt to scan open containers | Storage.Blob_OpenContainersScanning.FailedAttempt | Failed attempt to scan publicly accessible containers for security risks | 7.10 |
| Malware download detected | Storage.Blob_MalwareDownload | Blob download activity suggests malware distribution | 5.90 |
| Anonymous access anomaly detected | Storage.Blob_AnonymousAccessAnomaly | Blob accessed anonymously in an abnormal way | 5.50 |
| Access from an unusual location (Files) | Storage.Files_GeoAnomaly | Azure Files share accessed from an unexpected geographic region | 5.50 |
| Data exfiltration: unusual amount of data | Storage.Blob_DataExfiltration.AmountOfDataAnomaly | Large volume of data accessed/downloaded, possible exfiltration | 3.30 |
| Data exfiltration: unusual number of blobs | Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly | Unusual number of blobs accessed, possible exfiltration | 2.50 |
4.5 Energy Industry
| Alert Type | Tag | Description | Share (%) |
|---|---|---|---|
| Access from a suspicious application | Storage.Blob_ApplicationAnomaly | Blob accessed using a suspicious/uncommon application | 38.60 |
| Access from an unusual location | Storage.Blob_GeoAnomaly | Blob accessed from a geographic location that deviates from typical patterns | 22.60 |
| Successful discovery of open containers | Storage.Blob_OpenContainersScanning.SuccessfulDiscovery | Publicly accessible containers discovered during scanning, exposure risk | 13.50 |
| Access from a suspicious application (Files) | Storage.Files_ApplicationAnomaly | Azure Files share accessed using a suspicious application | 10.20 |
| Access from an unusual location (Files) | Storage.Files_GeoAnomaly | Azure Files share accessed from an unexpected geographic region | 5.90 |
| Failed attempt to scan open containers | Storage.Blob_OpenContainersScanning.FailedAttempt | Failed attempt to scan publicly accessible containers for security risks | 3.00 |