T1585.003 Elastic Security · Elastic

Detect Cloud Accounts in Elastic Security

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.003 Cloud Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/003/

Elastic Detection Query

Elastic Security (Elastic)
eql
any where
  // Detection 1: External Teams accounts with IT/helpdesk impersonation keywords (Storm-1811 TTP)
  (event.dataset == "o365.audit" and
   o365.audit.Workload == "MicrosoftTeams" and
   event.action in ("MessageSent", "ChatCreated", "MeetingInvited") and
   (
     user.email like~ "*helpdesk*" or user.email like~ "*itsupport*" or
     user.email like~ "*servicedesk*" or user.email like~ "*techsupport*" or
     user.email like~ "*itadmin*" or user.email like~ "*sysadmin*" or
     user.email like~ "*microsoftsupport*" or user.email like~ "*o365support*" or
     user.email like~ "*m365support*"
   ) and
   not user.email like~ "*@yourdomain.com"
  )
  or
  // Detection 2: Suspicious OAuth consent grants to cloud storage applications
  (event.dataset == "azure.auditlogs" and
   event.action == "Consent to application" and
   (
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Dropbox*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*MEGA*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*pCloud*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Sync.com*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*MediaFire*" or
     azure.auditlogs.properties.target_resources.0.display_name like~ "*Box*"
   )
  )
  or
  // Detection 3: Risky guest sign-ins to Microsoft cloud applications from non-corporate networks
  (event.dataset == "azure.signinlogs" and
   azure.signinlogs.properties.user_type == "Guest" and
   azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") and
   (
     azure.signinlogs.properties.app_display_name like~ "*Teams*" or
     azure.signinlogs.properties.app_display_name like~ "*SharePoint*" or
     azure.signinlogs.properties.app_display_name like~ "*OneDrive*" or
     azure.signinlogs.properties.app_display_name like~ "*Office 365*"
   ) and
   not azure.signinlogs.properties.network_location_details like~ "*corpnet*"
  )
Severity: high. Confidence: medium.

Detects T1585.003 Cloud Accounts adversary TTPs across three observable patterns within the victim environment: (1) external Microsoft Teams accounts containing IT/helpdesk impersonation keywords in the sender UPN, the vishing persona technique Storm-1811 uses to run fake IT support calls via Teams; (2) Azure AD OAuth consent grants to adversary-favored cloud storage platforms used for exfiltration staging or payload hosting; (3) high/medium risk Azure AD guest sign-ins to Microsoft cloud services from non-corporate network locations. Requires the Elastic Microsoft 365 and Azure Active Directory integrations with index patterns logs-o365.audit-* and logs-azure.*. Before enabling, replace the yourdomain.com placeholder in Detection 1 with the tenant's verified domains; left as-is, the exclusion never matches and internal users with 'helpdesk' or 'sysadmin' in their UPN alert as if they were external. Detection 1 also keys on the sender's email address only, so a persona carried in the display name, or with the keyword split by punctuation (it.support), is not caught.
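To see exactly what the three clauses fire on, here is a Python model of the query's logic run over a handful of constructed events. It is an added example for this page, not Elastic's rule code or the page's own; it flattens each document to the dotted ECS field names the query uses, models like~ as a case-insensitive glob, and keeps the query's yourdomain.com placeholder as the internal domain. The sample events and sender addresses are invented.

```python
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

# One ECS document, flattened to the dotted field names used in the EQL query.
Event = Dict[str, Optional[str]]

# Placeholder taken from the query; a real deployment substitutes the tenant's verified domains.
INTERNAL_DOMAIN = "yourdomain.com"

TEAMS_ACTIONS = {"MessageSent", "ChatCreated", "MeetingInvited"}
PERSONA_PATTERNS = ["*helpdesk*", "*itsupport*", "*servicedesk*", "*techsupport*", "*itadmin*",
                    "*sysadmin*", "*microsoftsupport*", "*o365support*", "*m365support*"]
STORAGE_APP_PATTERNS = ["*Dropbox*", "*MEGA*", "*pCloud*", "*Sync.com*", "*MediaFire*", "*Box*"]
M365_APP_PATTERNS = ["*Teams*", "*SharePoint*", "*OneDrive*", "*Office 365*"]
RISKY_LEVELS = {"high", "medium"}


def like_ci(value: Optional[str], pattern: str) -> bool:
    """Model EQL like~: case-insensitive glob where * matches any run of characters."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_like(value: Optional[str], patterns: List[str]) -> bool:
    return any(like_ci(value, p) for p in patterns)


def detection_1_teams_persona(ev: Event) -> bool:
    """Teams activity from an external sender whose UPN carries an IT/helpdesk keyword."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("o365.audit.Workload") == "MicrosoftTeams"
            and ev.get("event.action") in TEAMS_ACTIONS
            and any_like(ev.get("user.email"), PERSONA_PATTERNS)
            and not like_ci(ev.get("user.email"), f"*@{INTERNAL_DOMAIN}"))


def detection_2_storage_consent(ev: Event) -> bool:
    """OAuth consent to an application whose display name looks like cloud storage."""
    app = ev.get("azure.auditlogs.properties.target_resources.0.display_name")
    return (ev.get("event.dataset") == "azure.auditlogs"
            and ev.get("event.action") == "Consent to application"
            and any_like(app, STORAGE_APP_PATTERNS))


def detection_3_risky_guest_signin(ev: Event) -> bool:
    """Medium/high-risk guest sign-in to an M365 workload from outside the corporate network."""
    p = "azure.signinlogs.properties."
    return (ev.get("event.dataset") == "azure.signinlogs"
            and ev.get(p + "user_type") == "Guest"
            and ev.get(p + "risk_level_during_sign_in") in RISKY_LEVELS
            and any_like(ev.get(p + "app_display_name"), M365_APP_PATTERNS)
            and not like_ci(ev.get(p + "network_location_details"), "*corpnet*"))


DETECTIONS: Dict[str, Callable[[Event], bool]] = {
    "teams_persona": detection_1_teams_persona,
    "storage_consent": detection_2_storage_consent,
    "risky_guest_signin": detection_3_risky_guest_signin,
}


def run_detections(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, clause name) for every event and clause that fires."""
    return [(ev["id"], name) for ev in events for name, fn in DETECTIONS.items() if fn(ev)]


def teams(eid: str, action: str, sender: str) -> Event:
    return {"id": eid, "event.dataset": "o365.audit", "o365.audit.Workload": "MicrosoftTeams",
            "event.action": action, "user.email": sender}


def consent(eid: str, app: str) -> Event:
    return {"id": eid, "event.dataset": "azure.auditlogs", "event.action": "Consent to application",
            "azure.auditlogs.properties.target_resources.0.display_name": app}


def guest_signin(eid: str, risk: str, app: str, network: str) -> Event:
    p = "azure.signinlogs.properties."
    return {"id": eid, "event.dataset": "azure.signinlogs", p + "user_type": "Guest",
            p + "risk_level_during_sign_in": risk, p + "app_display_name": app,
            p + "network_location_details": network}


# Constructed sample documents for the example, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    teams("e1", "MessageSent", "helpdesk-support@outlook.com"),   # fires: external persona
    teams("e2", "MessageSent", "helpdesk@yourdomain.com"),        # suppressed: internal sender
    teams("e3", "ChatCreated", "it.support@gmail.com"),           # missed: keyword split by a dot
    consent("e4", "Dropbox"),                                     # fires
    consent("e5", "Mailbox Cleanup Tool"),                        # fires on *Box*: tuning needed
    guest_signin("e6", "high", "Microsoft Teams", "Home ISP"),    # fires
    guest_signin("e7", "high", "Microsoft Teams", "CorpNet-VPN"), # suppressed: like~ ignores case
    guest_signin("e8", "low", "SharePoint Online", "Home ISP"),   # suppressed: low risk
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Running it yields hits for e1, e4, e5 and e6. Two of those outcomes are tuning points rather than true positives or misses to accept: e5 shows that the *Box* wildcard fires on any name containing "box", and e3 shows that a persona written as it.support slips past every pattern in the list.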

Data Sources

  • Elastic Microsoft 365 Integration (o365 module)
  • Elastic Azure Active Directory Integration

Required Tables

  • logs-o365.audit-*
  • logs-azure.auditlogs-*
  • logs-azure.signinlogs-*

False Positives & Tuning

  • Legitimate managed service provider (MSP) helpdesk staff using Microsoft accounts containing 'helpdesk' or 'itsupport' in their UPN who communicate with internal employees via authorized Teams cross-tenant federation
  • Corporate-approved cloud storage OAuth integrations (Dropbox Business, Box Enterprise, pCloud Business) where employees consent through the standard OAuth flow for IT-sanctioned tools not yet on the admin pre-consent list. Note also that the *Box* wildcard in Detection 2, evaluated with the case-insensitive like~ operator, matches any application display name containing 'box' (Mailbox, Toolbox, as well as Dropbox), so replace it with the exact Box application name or an allowlist of approved apps before deploying
  • Partner organization guest accounts or remote employees whose Azure AD Identity Protection risk score is elevated to medium due to unfamiliar geographic location or device fingerprint rather than adversary-controlled account activity

Testing Methodology

Validate this detection against the four adversary behaviours below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Only Tests 1 and 2 generate events that the EQL query above matches; Tests 3 and 4 describe endpoint and invitation-count telemetry this query does not consume and need their own rules. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate External Teams Account IT Impersonation Contact

    Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'. In Elastic the same record arrives in logs-o365.audit-* with o365.audit.Workload "MicrosoftTeams" and event.action "MessageSent", the fields Detection 1 matches on.

  2. Test 2: OAuth Grant to Unauthorized Cloud Storage Application

    Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes. In Elastic this is the azure.auditlogs event with event.action "Consent to application" that Detection 2 matches; confirm the test application's display name is covered by one of the query's wildcards or extend the list.

  3. Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact

    Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10 MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames. This is endpoint telemetry; none of the three clauses in the EQL query above consume it, so expect no alert from this rule and validate it against a separate endpoint network rule.

  4. Test 4: Guest Account Invitation Burst Simulation

    Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName carrying the '#EXT#' guest marker. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes. The EQL query above evaluates each event on its own and does not count invitations, so this test needs a threshold rule on logs-azure.auditlogs-* grouped by inviting user and source IP.
