Detect Cloud Accounts in CrowdStrike LogScale
Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1585 Establish Accounts
- Sub-technique: T1585.003 Cloud Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1585/003/
LogScale Detection Query
// T1585.003 — Cloud Accounts: Teams Impersonation, OAuth Cloud Storage Grants, Risky Guest Sign-ins
// Requires O365 and Azure AD log ingestion via CrowdStrike SIEM Connector or Falcon Data Replicator
#type = "o365:audit" OR #type = "azure:aad:audit" OR #type = "azure:aad:signin"
// Detection 1: External Teams accounts with IT helpdesk impersonation keywords (Storm-1811)
| (
    Workload = "MicrosoftTeams"
    AND in(field=Operation, values=["MessageSent", "ChatCreated", "MeetingInvited"])
    AND UserId = /helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support/i
  )
  OR
  // Detection 2: OAuth consent to adversary-favored cloud storage platforms
  (
    Operation = "Consent to application"
    AND AppName = /dropbox|mega|pcloud|sync\.com|mediafire|box\.com/i
  )
  OR
  // Detection 3: High/medium risk Azure AD guest sign-ins to Microsoft cloud apps from outside corpnet
  (
    UserType = "Guest"
    AND in(field=RiskLevelDuringSignIn, values=["high", "medium"])
    AND AppDisplayName = /microsoft teams|sharepoint|onedrive|office 365|microsoft 365/i
    AND NetworkLocationDetails != /corpnet/
  )
// Label each surviving event with the detection branch that matched it
| case {
    Workload = "MicrosoftTeams" | detection_type := "Teams_ITImpersonation";
    Operation = "Consent to application" | detection_type := "SuspiciousOAuthGrant";
    UserType = "Guest" | detection_type := "RiskyGuestSignin";
    * | detection_type := "Unknown";
  }
| table([@timestamp, UserId, AppName, AppDisplayName, UserType, RiskLevelDuringSignIn, ClientIP, Operation, detection_type])
| sort(@timestamp, order=desc, limit=500)

CrowdStrike LogScale detection for T1585.003 Cloud Accounts adversary TTPs observable within Microsoft 365 environments. It covers three detection patterns: (1) external Teams accounts containing IT/helpdesk impersonation keywords in the sender UPN — the specific vishing persona technique documented for Storm-1811; (2) OAuth application consent grants to cloud storage platforms (Dropbox, MEGA, pCloud, MediaFire, Box) commonly leveraged by adversaries for exfiltration staging or tool hosting; (3) high/medium risk Azure AD guest sign-ins to Microsoft cloud applications from non-corporate network locations. Requires O365 and Azure AD log ingestion into LogScale via the CrowdStrike SIEM Connector or Falcon Data Replicator. Log type tags (#type) must match your ingestion configuration.
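The three detection branches of the query above, re-implemented as an added Python example (not part of the original page or of LogScale) and run over constructed sample events so the filter and the corpnet exclusion can be checked offline; field names are assumed to match the query's schema, and the UPNs, app names and network details are made up.

```python
import re
from typing import Optional

# Regexes mirror the three detections in the LogScale query above.
IMPERSONATION_UPN = re.compile(
    r"helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|"
    r"techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support",
    re.IGNORECASE)
# Tuning point: the bare 'mega' token also matches app names such as 'Omega Reports'.
CLOUD_STORAGE_APP = re.compile(r"dropbox|mega|pcloud|sync\.com|mediafire|box\.com", re.IGNORECASE)
MS_CLOUD_APP = re.compile(r"microsoft teams|sharepoint|onedrive|office 365|microsoft 365", re.IGNORECASE)
TEAMS_OPS = {"MessageSent", "ChatCreated", "MeetingInvited"}
RISKY_LEVELS = {"high", "medium"}

def classify(ev: dict) -> Optional[str]:
    """Return the detection_type the query assigns to one event, or None if it is filtered out."""
    if (ev.get("Workload") == "MicrosoftTeams" and ev.get("Operation") in TEAMS_OPS
            and IMPERSONATION_UPN.search(ev.get("UserId", ""))):
        return "Teams_ITImpersonation"
    if ev.get("Operation") == "Consent to application" and CLOUD_STORAGE_APP.search(ev.get("AppName", "")):
        return "SuspiciousOAuthGrant"
    if (ev.get("UserType") == "Guest" and ev.get("RiskLevelDuringSignIn") in RISKY_LEVELS
            and MS_CLOUD_APP.search(ev.get("AppDisplayName", ""))
            and "corpnet" not in ev.get("NetworkLocationDetails", "")):  # the NOT /corpnet/ exclusion
        return "RiskyGuestSignin"
    return None

# Constructed sample events (not real telemetry); field names follow the query's schema.
SAMPLE_EVENTS = [
    {"Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "it.helpdesk@external-tenant.example"},
    {"Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "alice@contoso.example"},
    {"Operation": "Consent to application", "UserId": "bob@contoso.example", "AppName": "Dropbox"},
    {"Operation": "Consent to application", "UserId": "bob@contoso.example", "AppName": "Adobe Acrobat Sign"},
    {"UserType": "Guest", "RiskLevelDuringSignIn": "medium", "UserId": "guest_partner.example#EXT#@contoso.example",
     "AppDisplayName": "Microsoft Teams", "NetworkLocationDetails": "[]"},
    {"UserType": "Guest", "RiskLevelDuringSignIn": "high", "UserId": "guest2_partner.example#EXT#@contoso.example",
     "AppDisplayName": "SharePoint Online", "NetworkLocationDetails": '[{"networkType": "corpnet"}]'},
    {"UserType": "Guest", "RiskLevelDuringSignIn": "none", "UserId": "guest3_partner.example#EXT#@contoso.example",
     "AppDisplayName": "OneDrive", "NetworkLocationDetails": "[]"},
]

def run(events=SAMPLE_EVENTS):
    """Apply classify() to each event; return (UserId, detection_type) for every hit, in order."""
    return [(ev["UserId"], label) for ev in events if (label := classify(ev)) is not None]

if __name__ == "__main__":
    for user, label in run():
        print(f"{label:<22} {user}")
```

Only three of the seven constructed events survive: the internal Teams sender, the non-storage consent, the guest on corpnet and the no-risk guest are all dropped, which is the behaviour to verify before tuning the keyword lists.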
False Positives & Tuning
- Third-party helpdesk vendors (MSPs) using Microsoft accounts with 'helpdesk', 'itsupport', or 'servicedesk' in the UPN communicating with internal staff via authorized Teams cross-tenant federation for contracted IT service delivery
- IT-approved cloud storage OAuth integrations where Dropbox Business, Box, or pCloud have been sanctioned by policy but employees process consent through user-level OAuth rather than admin pre-consent, generating consent events
- Remote or traveling employees and partner guest accounts whose Azure AD Identity Protection risk scores elevate to medium due to unfamiliar sign-in locations or device changes during legitimate business activity
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate External Teams Account IT Impersonation Contact
Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.
- Test 2: OAuth Grant to Unauthorized Cloud Storage Application
Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.
- Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact
Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.
- Test 4: Guest Account Invitation Burst Simulation
Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
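Test 4's expected signal (more than 5 'Invite external user' events within one hour from the same inviter and source IP), written as an added Python example that is not from the page or from Atomic Red Team; the AuditLogs-shaped events, UPNs, IP addresses and timestamps are constructed, and the window is a sliding one rather than a fixed hourly bucket.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 5  # flag a pair when invites within any one-hour window exceed this

def invite_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Group 'Invite external user' events by (inviting UPN, source IP) and return
    {(upn, ip): peak} for pairs whose sliding-window invite count exceeds threshold."""
    times_by_key = defaultdict(list)
    for ev in events:
        if ev.get("OperationName") != "Invite external user":
            continue
        actor = ev["InitiatedBy"]["user"]
        key = (actor["userPrincipalName"], actor["ipAddress"])
        times_by_key[key].append(datetime.fromisoformat(ev["activityDateTime"]))
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # advance window start so the span stays <= window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[key] = peak
    return bursts

def _invite(upn, ip, when, target):
    """Build one constructed AuditLogs-shaped event (not real telemetry)."""
    return {"OperationName": "Invite external user", "activityDateTime": when.isoformat(),
            "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "TargetResources": [{"userPrincipalName": target}]}

_BASE = datetime(2024, 5, 15, 9, 0)
SAMPLE_EVENTS = (
    # six invites from one admin and source IP inside 40 minutes: exceeds 5 per hour
    [_invite("admin@contoso.example", "203.0.113.10", _BASE + timedelta(minutes=7 * i),
             f"guest{i}_partner.example#EXT#@contoso.example") for i in range(6)]
    # three invites spread over a day: normal onboarding volume
    + [_invite("hr@contoso.example", "198.51.100.7", _BASE + timedelta(hours=5 * i),
               f"contractor{i}_vendor.example#EXT#@contoso.example") for i in range(3)]
    # an unrelated operation from the same admin that must be ignored
    + [{"OperationName": "Add user", "activityDateTime": _BASE.isoformat(),
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}}]
)

if __name__ == "__main__":
    for (upn, ip), count in invite_bursts(SAMPLE_EVENTS).items():
        print(f"{upn} from {ip}: {count} guest invites within one hour")
```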
References
- https://attack.mitre.org/techniques/T1585/003/
- https://attack.mitre.org/groups/G1046/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/microsoftteams/manage-external-access
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.003/T1585.003.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a