T1585.003 Google Chronicle · YARA-L

Detect Cloud Accounts in Google Chronicle

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Sub-technique: T1585.003 Cloud Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/003/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1585_003_teams_it_impersonation {
  meta:
    author = "Argus Detection Engineering"
    description = "External Teams accounts impersonating IT helpdesk personas (Storm-1811 TTP) - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Microsoft Teams"
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "USER_COMMUNICATION"
    )
    re.regex($e.principal.user.email_addresses,
      `(?i)(helpdesk|help_desk|help\.desk|itsupport|it_support|servicedesk|service_desk|techsupport|tech_support|itadmin|sysadmin|microsoftsupport|o365support|m365support)`)
    not re.regex($e.principal.user.email_addresses, `@yourdomain\.com$`)

  condition:
    $e
}

rule t1585_003_oauth_cloud_storage_grant {
  meta:
    author = "Argus Detection Engineering"
    description = "OAuth consent granted to adversary-favored cloud storage app for exfiltration or tool staging - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.description, `(?i)consent to application`)
    re.regex($e.target.application,
      `(?i)(dropbox|mega|pcloud|sync\.com|mediafire|box\.com)`)

  condition:
    $e
}

rule t1585_003_risky_guest_signin {
  meta:
    author = "Argus Detection Engineering"
    description = "High/medium risk Azure AD guest sign-in to Microsoft cloud services - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.attribute.roles.name = "Guest"
    $e.security_result.severity in ["HIGH", "MEDIUM"]
    re.regex($e.target.application,
      `(?i)(microsoft teams|sharepoint|onedrive|office 365|microsoft 365)`)

  condition:
    $e
}
```

Three Chronicle YARA-L 2.0 detection rules for T1585.003 Cloud Accounts: (1) t1585_003_teams_it_impersonation — fires on Microsoft Teams NETWORK_CONNECTION or USER_COMMUNICATION events where the sender UPN contains IT/helpdesk impersonation keywords, matching the Storm-1811 fake IT support vishing TTP; (2) t1585_003_oauth_cloud_storage_grant — fires on Azure AD USER_RESOURCE_ACCESS consent events where the target application matches adversary-preferred cloud storage platforms used for exfiltration or payload hosting; (3) t1585_003_risky_guest_signin — fires on Azure AD USER_LOGIN events for Guest-role accounts where Azure ID Protection severity is HIGH or MEDIUM and the target application is a Microsoft cloud service. All three rules require Chronicle's Microsoft Teams and Azure Active Directory UDM parsers. Replace 'yourdomain.com' in rule 1 with your tenant domain.

Data Sources

  • Chronicle Microsoft Teams UDM parser
  • Chronicle Azure Active Directory UDM parser

Required Tables

  • UDM events (metadata.product_name: Microsoft Teams)
  • UDM events (metadata.product_name: Azure Active Directory)

False Positives & Tuning

  • Third-party managed helpdesk provider accounts with 'helpdesk' or 'itsupport' in the email local-part legitimately federated into the organization's Teams tenant for contracted IT support delivery
  • OAuth consent events for enterprise-tier cloud storage applications (Dropbox Business, Box Enterprise) that are approved by IT policy but processed through end-user OAuth consent rather than tenant-wide admin consent
  • Guest accounts from trusted partner organizations whose Azure ID Protection risk scores elevate to MEDIUM due to sign-in from home networks or during travel, not attributable to adversary-controlled account usage

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate External Teams Account IT Impersonation Contact

    Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.

  2. Test 2: OAuth Grant to Unauthorized Cloud Storage Application

    Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.

  3. Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact

    Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.

  4. Test 4: Guest Account Invitation Burst Simulation

    Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
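The invitation burst that Test 4 exercises is not covered by the three rules above, so here is an added YARA-L 2.0 rule (written for this page, not part of the Argus rule set) that groups 'Invite external user' audit events per inviting user over a one-hour window and fires once more than 5 distinct guests have been invited. It assumes the Chronicle Azure AD parser places the audit OperationName in metadata.description and the invited guest's UPN (with its '#EXT#' marker) in target.user.userid; confirm both mappings against parsed events in your tenant before enabling it.

```yaral
rule t1585_003_guest_invite_burst {
  meta:
    author = "added example, not part of the Argus rule set"
    description = "Burst of external guest invitations from a single inviter (Test 4 scenario) - T1585.003"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.003"
    severity = "MEDIUM"
    confidence = "LOW"
    reference = "https://attack.mitre.org/techniques/T1585/003/"

  events:
    $e.metadata.product_name = "Azure Active Directory"
    // Assumption: the parser surfaces the Azure AD audit OperationName
    // ("Invite external user") in metadata.description.
    re.regex($e.metadata.description, `(?i)invite external user`)
    // Assumption: the invited guest UPN (carrying "#EXT#") lands in target.user.userid.
    re.regex($e.target.user.userid, `#EXT#`)
    // Group on the inviting account; source IPs are surfaced in the outcome
    // so an analyst can check that the burst also came from one address.
    $inviter = $e.principal.user.userid

  match:
    $inviter over 1h

  outcome:
    $invite_count = count_distinct($e.target.user.userid)
    $invited_guests = array_distinct($e.target.user.userid)
    $source_ips = array_distinct($e.principal.ip)

  condition:
    // Matches the 5-per-hour threshold stated for Test 4.
    $e and $invite_count > 5
}
```

Tune the threshold upward for tenants where HR or partner-onboarding staff legitimately invite batches of guests, or exclude those inviters with a reference list rather than lowering the rule's severity.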
