T1585.003

Cloud Accounts

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

Microsoft Sentinel / Defender

kusto

// Detection 1: External Microsoft Teams accounts with IT/helpdesk impersonation names (Storm-1811 TTP)
let HelpDeskKeywords = dynamic(["helpdesk", "help desk", "it support", "itsupport", "servicedesk", "service desk", "techsupport", "tech support", "itadmin", "sysadmin", "microsoftsupport", "microsoft support", "o365support", "m365support"]);
let ExternalTeamsMessages = OfficeActivity
| where TimeGenerated > ago(7d)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageSent", "ChatCreated", "MeetingInvited")
| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
| extend SenderDomain = tostring(split(UserId, "@")[1])
| where SenderDomain !endswith ".onmicrosoft.com"
| extend SenderNameLower = tolower(tostring(UserId))
| where SenderNameLower has_any (HelpDeskKeywords)
| project TimeGenerated, UserId, SenderDomain, Operation, ClientIP, CommunicationType;
// Detection 2: Suspicious OAuth grants to cloud storage applications from new/unknown accounts
let SuspiciousCloudApps = dynamic(["Dropbox", "MEGA", "Box", "Google Drive", "pCloud", "Sync.com", "MediaFire"]);
let OAuthGrants = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| where AppName has_any (SuspiciousCloudApps)
| project TimeGenerated, UserPrincipalName, AppName, IPAddress, OperationName;
// Detection 3: New external accounts accessing organizational SharePoint/OneDrive from unusual IPs
let NewExternalSignins = AADSignInLogs
| where TimeGenerated > ago(7d)
| where UserType == "Guest"
| where AppDisplayName in ("Microsoft Teams", "SharePoint Online", "OneDrive", "Office 365")
| where RiskLevelDuringSignIn in ("high", "medium")
| where NetworkLocationDetails !contains "corpnet"
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| project TimeGenerated, UserPrincipalName, UserDisplayName, AppDisplayName, IPAddress, CountryCode, City, RiskLevelDuringSignIn, ConditionalAccessStatus;
// Union all detections
union ExternalTeamsMessages, OAuthGrants, NewExternalSignins
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Application Log: Application Log Content User Account: User Account Authentication Network Traffic: Network Traffic Content Microsoft Teams Audit Logs Azure Active Directory Sign-in Logs Azure Active Directory Audit Logs

Required Tables

OfficeActivity AuditLogs AADSignInLogs

False Positives

Legitimate third-party IT support vendors or MSPs contacting employees via Teams with support-themed display names
Employees voluntarily consenting to approved cloud storage integrations (Dropbox for Business, Box enterprise) for productivity purposes
Guest contractors or partners signing in from international locations for legitimate business collaboration
Security awareness training vendors simulating vishing via Teams with IT impersonation personas

Splunk

spl

| union
[
  search index=o365 sourcetype="o365:management:activity" Workload=MicrosoftTeams Operation IN ("MessageSent","ChatCreated","MeetingInvited")
  | eval SenderDomain=mvindex(split(UserId,"@"),1)
  | eval SenderNameLower=lower(UserId)
  | where match(SenderNameLower, "(helpdesk|help.desk|it.support|itsupport|servicedesk|service.desk|techsupport|tech.support|itadmin|sysadmin|microsoftsupport|o365support|m365support)")
  | where NOT match(SenderDomain, "yourdomain\.com$")
  | eval detection_type="Teams_ITImpersonation"
  | table _time, UserId, SenderDomain, Operation, ClientIP, detection_type
]
[
  search index=o365 sourcetype="o365:management:activity" Operation="Consent to application"
  | spath input=TargetResources{} path=displayName output=AppName
  | spath input=InitiatedBy.user path=userPrincipalName output=UserPrincipalName
  | spath input=InitiatedBy.user path=ipAddress output=IPAddress
  | where match(AppName, "(?i)(dropbox|mega|box\.com|pcloud|sync\.com|mediafire)")
  | eval detection_type="SuspiciousOAuthGrant"
  | table _time, UserPrincipalName, AppName, IPAddress, detection_type
]
[
  search index=azure sourcetype="azure:aad:signin" UserType=Guest RiskLevelDuringSignIn IN ("high","medium")
  | eval AppDisplayName=coalesce(AppDisplayName, "unknown")
  | where match(AppDisplayName, "(?i)(teams|sharepoint|onedrive|office 365)")
  | eval NetworkLocation=coalesce(NetworkLocationDetails,"external")
  | where NOT match(NetworkLocation, "corpnet")
  | spath input=LocationDetails path=countryOrRegion output=CountryCode
  | eval detection_type="RiskyGuestSignin"
  | table _time, UserPrincipalName, UserDisplayName, AppDisplayName, IPAddress, CountryCode, RiskLevelDuringSignIn, detection_type
]
| sort - _time

high severity medium confidence

Data Sources

Application Log: Application Log Content User Account: User Account Authentication Microsoft Teams Audit Logs Azure AD Sign-in Logs

Required Sourcetypes

o365:management:activity azure:aad:signin

False Positives

Legitimate MSP or vendor support staff contacting via Teams with support-themed account names
Employees granting OAuth access to approved cloud storage tools for legitimate business workflows
Traveling employees or remote workers signing in from international locations triggering risky sign-in policies
Security red team exercises simulating cloud account abuse scenarios

Elastic Security (EQL)

eql

any where
  // Detection 1: External Teams accounts with IT/helpdesk impersonation keywords (Storm-1811 TTP)
  (event.dataset == "o365.audit" and
   o365.audit.Workload == "MicrosoftTeams" and
   event.action in ("MessageSent", "ChatCreated", "MeetingInvited") and
   (
     user.email like~ "*helpdesk*" or user.email like~ "*itsupport*" or
     user.email like~ "*servicedesk*" or user.email like~ "*techsupport*" or
     user.email like~ "*itadmin*" or user.email like~ "*sysadmin*" or
     user.email like~ "*microsoftsupport*" or user.email like~ "*o365support*" or
     user.email like~ "*m365support*"
   ) and
   not user.email like~ "*@yourdomain.com"
  )
  or
  // Detection 2: Suspicious OAuth consent grants to cloud storage applications
  (event.dataset == "azure.auditlogs" and
   event.action == "Consent to application" and
   (
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Dropbox*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*MEGA*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*pCloud*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Sync.com*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*MediaFire*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Box*"
   )
  )
  or
  // Detection 3: Risky guest sign-ins to Microsoft cloud applications from non-corporate networks
  (event.dataset == "azure.signinlogs" and
   azure.signinlogs.properties.user_type == "Guest" and
   azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") and
   (
     azure.signinlogs.properties.app_display_name like~ "*Teams*" or
     azure.signinlogs.properties.app_display_name like~ "*SharePoint*" or
     azure.signinlogs.properties.app_display_name like~ "*OneDrive*" or
     azure.signinlogs.properties.app_display_name like~ "*Office 365*"
   ) and
   not azure.signinlogs.properties.network_location_details like~ "*corpnet*"
  )

high severity medium confidence

Data Sources

Elastic Microsoft 365 Integration (o365 module) Elastic Azure Active Directory Integration

Required Tables

logs-o365.audit-* logs-azure.auditlogs-* logs-azure.signinlogs-*

False Positives

Legitimate managed service provider (MSP) helpdesk staff using Microsoft accounts containing 'helpdesk' or 'itsupport' in their UPN who communicate with internal employees via authorized Teams cross-tenant federation
Corporate-approved cloud storage OAuth integrations (Dropbox Business, Box Enterprise, pCloud Business) where employees consent through the standard OAuth flow for IT-sanctioned tools not yet on the admin pre-consent list
Partner organization guest accounts or remote employees whose Azure ID Protection risk score is elevated to medium due to unfamiliar geographic location or device fingerprint rather than adversary-controlled account activity

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "AppName" AS app_name,
  "AppDisplayName" AS app_display_name,
  "UserType" AS user_type,
  "RiskLevelDuringSignIn" AS risk_level,
  CASE
    WHEN LOWER(username) MATCHES '.*(?:helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin|microsoftsupport|o365support|m365support).*'
      THEN 'Teams_ITImpersonation'
    WHEN "AppName" MATCHES '(?i).*(dropbox|mega|pcloud|sync\.com|mediafire|box\.com).*'
      THEN 'SuspiciousOAuthGrant'
    WHEN "UserType" = 'Guest'
      THEN 'RiskyGuestSignin'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  (
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Office 365%'
      AND (
        QIDNAME(qid) LIKE '%MessageSent%' OR
        QIDNAME(qid) LIKE '%ChatCreated%' OR
        QIDNAME(qid) LIKE '%MeetingInvited%'
      )
      AND LOWER(username) MATCHES '.*(?:helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin|microsoftsupport|o365support|m365support).*'
    )
    OR
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Office 365%'
      AND QIDNAME(qid) LIKE '%Consent to application%'
      AND "AppName" MATCHES '(?i).*(dropbox|mega|pcloud|sync\.com|mediafire|box\.com).*'
    )
    OR
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Azure%'
      AND QIDNAME(qid) LIKE '%Sign-in%'
      AND "UserType" = 'Guest'
      AND ("RiskLevelDuringSignIn" = 'high' OR "RiskLevelDuringSignIn" = 'medium')
      AND (
        "AppDisplayName" LIKE '%Teams%' OR
        "AppDisplayName" LIKE '%SharePoint%' OR
        "AppDisplayName" LIKE '%OneDrive%' OR
        "AppDisplayName" LIKE '%Office 365%'
      )
    )
  )
LAST 7 DAYS

high severity medium confidence

Data Sources

IBM QRadar Microsoft Office 365 DSM IBM QRadar Microsoft Azure Active Directory DSM

Required Tables

events

False Positives

Authorized third-party IT vendor accounts (MSP helpdesk) using Microsoft UPNs containing 'helpdesk' or 'support' communicating with internal staff via Teams federation for contracted IT service delivery
Sanctioned cloud storage OAuth integrations (Dropbox for Business, Box Enterprise) where employees process consent through the end-user OAuth flow because admin pre-consent has not been configured
Guest users from trusted partner tenants whose Azure ID Protection risk scores temporarily elevate to medium due to travel-related sign-in location changes not attributable to adversary access

Sumo Logic CSE

sql

(_sourceCategory=*o365* OR _sourceCategory=*azure* OR _sourceCategory=*microsoft365* OR _sourceCategory=*m365*)
| json auto
| where (
    (
      Workload = "MicrosoftTeams"
      AND Operation in ("MessageSent","ChatCreated","MeetingInvited")
      AND tolower(UserId) matches /helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support/
    )
    OR
    (
      OperationName = "Consent to application"
      AND tolower(AppName) matches /dropbox|mega|pcloud|sync\.com|mediafire|box\.com/
    )
    OR
    (
      UserType = "Guest"
      AND RiskLevelDuringSignIn in ("high","medium")
      AND tolower(AppDisplayName) matches /teams|sharepoint|onedrive|office 365|microsoft 365/
      AND !(NetworkLocationDetails matches /corpnet/)
    )
  )
| eval detection_type = if(
    Workload = "MicrosoftTeams" AND tolower(UserId) matches /helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin/,
    "Teams_ITImpersonation",
    if(
      OperationName = "Consent to application",
      "SuspiciousOAuthGrant",
      "RiskyGuestSignin"
    )
  )
| tostring ClientIP as ClientIP
| tostring AppName as AppName
| tostring AppDisplayName as AppDisplayName
| tostring RiskLevelDuringSignIn as RiskLevelDuringSignIn
| tostring NetworkLocationDetails as NetworkLocationDetails
| fields _messagetime, UserId, ClientIP, Operation, OperationName, AppName, AppDisplayName, UserType, RiskLevelDuringSignIn, NetworkLocationDetails, detection_type
| sort by _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic Microsoft Office 365 Source Sumo Logic Azure Active Directory Source

Required Tables

O365 audit logs Azure AD audit logs Azure AD sign-in logs

False Positives

Contracted MSP helpdesk technicians whose Microsoft accounts include 'helpdesk' or 'itsupport' in the UPN legitimately using Teams federation to deliver IT support to internal employees
Employees completing OAuth consent flows for IT-approved cloud storage integrations (Dropbox, Box) that have not yet been pre-consented at the admin tenant level, appearing as user-level consent events
Frequent travelers or remote workers whose sign-in locations cause Azure ID Protection to elevate risk scores to medium for guest-federated or B2B accounts during normal business activity

Google Chronicle / SecOps

yaral

rule t1585_003_teams_it_impersonation {
  meta:
    author = "Argus Detection Engineering"
    description = "External Teams accounts impersonating IT helpdesk personas (Storm-1811 TTP) - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Microsoft Teams"
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "USER_COMMUNICATION"
    )
    re.regex($e.principal.user.email_addresses,
      `(?i)(helpdesk|help_desk|help\.desk|itsupport|it_support|servicedesk|service_desk|techsupport|tech_support|itadmin|sysadmin|microsoftsupport|o365support|m365support)`)
    not re.regex($e.principal.user.email_addresses, `@yourdomain\.com$`)

  condition:
    $e
}

rule t1585_003_oauth_cloud_storage_grant {
  meta:
    author = "Argus Detection Engineering"
    description = "OAuth consent granted to adversary-favored cloud storage app for exfiltration or tool staging - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.description, `(?i)consent to application`)
    re.regex($e.target.application,
      `(?i)(dropbox|mega|pcloud|sync\.com|mediafire|box\.com)`)

  condition:
    $e
}

rule t1585_003_risky_guest_signin {
  meta:
    author = "Argus Detection Engineering"
    description = "High/medium risk Azure AD guest sign-in to Microsoft cloud services - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.attribute.roles.name = "Guest"
    $e.security_result.severity in ["HIGH", "MEDIUM"]
    re.regex($e.target.application,
      `(?i)(microsoft teams|sharepoint|onedrive|office 365|microsoft 365)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle Microsoft Teams UDM parser Chronicle Azure Active Directory UDM parser

Required Tables

UDM events (metadata.product_name: Microsoft Teams) UDM events (metadata.product_name: Azure Active Directory)

False Positives

Third-party managed helpdesk provider accounts with 'helpdesk' or 'itsupport' in the email local-part legitimately federated into the organization's Teams tenant for contracted IT support delivery
OAuth consent events for enterprise-tier cloud storage applications (Dropbox Business, Box Enterprise) that are approved by IT policy but processed through end-user OAuth consent rather than tenant-wide admin consent
Guest accounts from trusted partner organizations whose Azure ID Protection risk scores elevate to MEDIUM due to sign-in from home networks or during travel, not attributable to adversary-controlled account usage

CrowdStrike LogScale (CQL)

cql

// T1585.003 — Cloud Accounts: Teams Impersonation, OAuth Cloud Storage Grants, Risky Guest Sign-ins
// Requires O365 and Azure AD log ingestion via CrowdStrike SIEM Connector or Falcon Data Replicator

#type = "o365:audit" OR #type = "azure:aad:audit" OR #type = "azure:aad:signin"
| filter(
    // Detection 1: External Teams accounts with IT helpdesk impersonation keywords (Storm-1811)
    (
      Workload = "MicrosoftTeams"
      AND in(field=Operation, values=["MessageSent", "ChatCreated", "MeetingInvited"])
      AND UserId = /(?i)(helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support)/
    )
    OR
    // Detection 2: OAuth consent to adversary-favored cloud storage platforms
    (
      Operation = "Consent to application"
      AND AppName = /(?i)(dropbox|mega|pcloud|sync\.com|mediafire|box\.com)/
    )
    OR
    // Detection 3: High/medium risk Azure AD guest sign-ins to Microsoft cloud apps
    (
      UserType = "Guest"
      AND in(field=RiskLevelDuringSignIn, values=["high", "medium"])
      AND AppDisplayName = /(?i)(microsoft teams|sharepoint|onedrive|office 365|microsoft 365)/
      AND NOT NetworkLocationDetails = /corpnet/
    )
  )
| eval(
    detection_type = case(
      Workload = "MicrosoftTeams" AND UserId = /(?i)helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin/, "Teams_ITImpersonation",
      Operation = "Consent to application", "SuspiciousOAuthGrant",
      UserType = "Guest", "RiskyGuestSignin",
      true(), "Unknown"
    )
  )
| table([timestamp, UserId, AppName, AppDisplayName, UserType, RiskLevelDuringSignIn, ClientIP, Operation, detection_type])
| sort(timestamp, order=desc, limit=500)

high severity medium confidence

Data Sources

CrowdStrike SIEM Connector (Microsoft Office 365) CrowdStrike SIEM Connector (Azure Active Directory) Falcon Data Replicator

Required Tables

o365:audit azure:aad:audit azure:aad:signin

False Positives

Third-party helpdesk vendors (MSPs) using Microsoft accounts with 'helpdesk', 'itsupport', or 'servicedesk' in the UPN communicating with internal staff via authorized Teams cross-tenant federation for contracted IT service delivery
IT-approved cloud storage OAuth integrations where Dropbox Business, Box, or pCloud have been sanctioned by policy but employees process consent through user-level OAuth rather than admin pre-consent, generating consent events
Remote or traveling employees and partner guest accounts whose Azure ID Protection risk scores elevate to medium due to unfamiliar sign-in locations or device changes during legitimate business activity

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1585.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Cloud Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections