Data Exfiltration Methods and Techniques: A Complete Technical Guide
BlackFog's 2024 threat data shows that data exfiltration techniques have diversified dramatically: DNS tunneling incidents increased 47%, cloud-based exfiltration grew 62%, and encrypted C2 channel usage is now present in 78% of all ransomware attacks. Attackers no longer rely on a single method — they chain multiple exfiltration techniques together, using encrypted HTTPS for bulk transfers, DNS for low-and-slow persistent exfiltration, and cloud services for data staging. Understanding every exfiltration technique in depth is essential for building defences that cover the full attack surface.
DNS Tunneling
DNS tunneling encodes stolen data within DNS queries and responses. An attacker sets up a DNS server for a domain they control, then configures malware on the compromised host to send DNS queries with encoded data in the subdomain field. For example, a query for "aGVsbG8gd29ybGQ.exfil.attacker.com" encodes Base64 data within what appears to be a normal DNS lookup. The attacker's DNS server extracts the encoded data from each query. This technique is devastatingly effective because DNS traffic is almost universally allowed through firewalls and rarely inspected by security tools. Most organisations do not log DNS queries at the level required to detect tunneling. A single DNS query can carry approximately 250 bytes of data, and thousands of queries can be sent per minute without triggering volume alerts.
HTTPS Exfiltration
Encrypted HTTPS connections are the most common exfiltration channel because they are functionally invisible to most security tools. The attacker establishes a TLS-encrypted connection to an external server and transfers stolen data as if it were normal web traffic. Because the connection is encrypted, network inspection tools cannot read the content without performing TLS interception (which many organisations avoid due to performance impact and privacy concerns). Attackers frequently use legitimate hosting providers, content delivery networks, and cloud platforms for their exfiltration endpoints, making destination-based blocking difficult. Some sophisticated operations use domain fronting — routing exfiltration traffic through legitimate CDN domains to make it appear as connections to trusted services.
Command-and-Control (C2) Channels
C2 channels are persistent communication links between malware on a compromised host and an attacker-controlled server. Modern C2 frameworks — Cobalt Strike, Sliver, Havoc, Mythic — support encrypted, multiplexed channels that can carry commands inbound and exfiltrate data outbound simultaneously. C2 traffic is designed to mimic legitimate protocols: HTTP/HTTPS beacons that look like normal web browsing, DNS queries that appear routine, and even traffic disguised as legitimate application protocols. Advanced C2 implementations use jittering (randomising beacon intervals), domain rotation, and encrypted payloads to evade detection. The C2 channel is present in 78% of ransomware attacks as the primary mechanism for both controlling the ransomware deployment and exfiltrating data pre-encryption.
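Jittered beacons are harder to spot with a fixed-interval rule, so the added example below (not code from any of the C2 frameworks named above, nor BlackFog's) measures regularity relative to the median gap instead: a constructed connection log holds one host beaconing every ~60 s with about 10% jitter and one host browsing normally, and the detector flags only the first.

```python
from collections import defaultdict
import statistics

def build_records(src, dst, start, gaps):
    """Constructed connection-log rows (ts, src, dst) from a list of inter-connection gaps in seconds."""
    rows, t = [], start
    for gap in gaps:
        t += gap
        rows.append((t, src, dst))
    return rows

# Constructed sample: one host beaconing every ~60 s with roughly +/-10% jitter, one host browsing normally.
BEACON_GAPS = [58, 63, 55, 66, 60, 54, 65, 57, 61, 59]
BROWSING_GAPS = [3, 1, 45, 2, 300, 7, 1, 120, 15, 2]
SAMPLE_CONNECTIONS = (build_records("10.0.0.5", "203.0.113.10", 1_700_000_000, BEACON_GAPS)
                      + build_records("10.0.0.7", "198.51.100.20", 1_700_000_000, BROWSING_GAPS))

def beacon_score(timestamps, tolerance=0.2):
    """Fraction of inter-connection gaps within +/-tolerance of the median gap.
    Jitter spreads the gaps but keeps them clustered around the base interval, so a
    median-relative band still catches them while human browsing scores near zero."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return 0.0
    med = statistics.median(gaps)
    if med <= 0:
        return 0.0
    return sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)

def find_beacons(rows, min_connections=8, min_score=0.8):
    """Return (src, dst, score) for pairs whose timing regularity survives jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in rows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) >= min_connections:
            score = beacon_score(times)
            if score >= min_score:
                hits.append((src, dst, round(score, 2)))
    return hits
```

Legitimate software updaters and monitoring agents also beacon, so the output is a triage list to enrich with destination reputation rather than a block decision on its own.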
Cloud Storage Abuse
Attackers increasingly use legitimate cloud storage services — Google Drive, OneDrive, Dropbox, AWS S3, Azure Blob Storage — as exfiltration destinations. This technique exploits a critical blind spot in most security architectures: cloud service traffic is whitelisted because employees use these services for legitimate work. An attacker who has compromised an endpoint can upload stolen data to a cloud service using the same APIs and credentials that legitimate applications use. The data appears as normal cloud sync activity. Some threat groups create their own cloud storage accounts for exfiltration, while others abuse the organisation's own cloud accounts, making the exfiltration even harder to distinguish from legitimate activity. Cloud-based exfiltration grew 62% in 2024 as organisations migrated more operations to cloud environments.
Steganography
Steganography hides data within other files — typically images, audio, or video — by making imperceptible modifications to the file content. A single high-resolution image can conceal megabytes of stolen data without any visible change. The modified file can then be uploaded to a website, sent via email, or transferred through any channel that allows image sharing. Security tools that inspect file types or scan for known data patterns will see only an innocent image file. Steganographic exfiltration is particularly effective against DLP tools because the stolen data is invisible to content inspection. Detection requires specialised steganalysis tools that compare files against their expected statistical properties — a capability that most organisations do not deploy.
Email-Based Exfiltration
Email remains a viable exfiltration channel, particularly for insider threats and compromised account scenarios. An attacker with access to a corporate email account can attach files and send them to external addresses. More sophisticated approaches use automated scripts to forward emails containing sensitive data to external addresses, modify email rules to BCC copies of all incoming mail to an external address, or use email APIs to extract mailbox contents programmatically. Email-based exfiltration is often overlooked because organisations focus their email security on inbound threats (phishing, malware delivery) rather than outbound data leakage. Even organisations with DLP policies on email often exclude encrypted attachments and password-protected files from inspection.
USB and Physical Media
Physical exfiltration via USB drives, external hard drives, mobile phone cameras, or even printed documents remains a significant threat, particularly from malicious insiders. A disgruntled employee with legitimate access to sensitive data can copy gigabytes to a USB device in minutes. Physical exfiltration bypasses all network-level security controls — there is no network traffic to inspect, no DNS queries to analyse, no C2 channel to detect. Defences include USB device control policies, endpoint DLP agents that monitor removable media, and physical security controls. However, organisations increasingly rely on BYOD devices that are difficult to restrict, and smartphone cameras can capture screen content that no software control can prevent.
Database Exfiltration
Database exfiltration targets the structured data repositories where organisations store their most valuable information: customer records, financial data, intellectual property, and business intelligence. Attackers who gain access to database servers — through SQL injection, stolen credentials, or lateral movement — can extract entire databases using native database tools. Techniques include using SELECT INTO OUTFILE to export data to files, replicating databases to external servers using built-in replication features, and querying data through application APIs that present results in extractable formats. Large-scale database exfiltration events — such as the Equifax breach (147 million records) and the MOVEit attacks (millions of records across thousands of organisations) — demonstrate that once an attacker reaches the database, extraction is often trivial.
How BlackFog Defends Against Every Exfiltration Method
BlackFog's ADX platform monitors all outbound network traffic at the device level, covering every exfiltration channel described above. DNS tunneling is detected through analysis of query patterns, subdomain entropy, and query volume. HTTPS exfiltration is caught by evaluating destination reputation, connection patterns, and transfer volumes. C2 channels are blocked by identifying beacon patterns and known C2 infrastructure. Cloud storage abuse is prevented by monitoring API calls and data volumes to cloud services. Email exfiltration is controlled through outbound attachment and API monitoring. The only exfiltration method that ADX cannot directly address is physical media — but BlackFog's endpoint agent can detect and alert on USB device connections and large file copies to removable media, providing visibility into this vector as well.
Block every exfiltration technique with BlackFog ADX
Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
Ready to stop data exfiltration? Get in touch.
Start with a free 30-day BlackFog assessment — 25 devices, no obligation.