T1585.003 IBM QRadar · QRadar

Detect Cloud Accounts in IBM QRadar

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Sub-technique: T1585.003 Cloud Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/003/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "AppName" AS app_name,
  "AppDisplayName" AS app_display_name,
  "UserType" AS user_type,
  "RiskLevelDuringSignIn" AS risk_level,
  CASE
    WHEN LOWER(username) MATCHES '.*(?:helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin|microsoftsupport|o365support|m365support).*'
      THEN 'Teams_ITImpersonation'
    WHEN "AppName" MATCHES '(?i).*(dropbox|mega|pcloud|sync\.com|mediafire|box\.com).*'
      THEN 'SuspiciousOAuthGrant'
    WHEN "UserType" = 'Guest'
      THEN 'RiskyGuestSignin'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  (
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Office 365%'
      AND (
        QIDNAME(qid) LIKE '%MessageSent%' OR
        QIDNAME(qid) LIKE '%ChatCreated%' OR
        QIDNAME(qid) LIKE '%MeetingInvited%'
      )
      AND LOWER(username) MATCHES '.*(?:helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin|microsoftsupport|o365support|m365support).*'
    )
    OR
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Office 365%'
      AND QIDNAME(qid) LIKE '%Consent to application%'
      AND "AppName" MATCHES '(?i).*(dropbox|mega|pcloud|sync\.com|mediafire|box\.com).*'
    )
    OR
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%Azure%'
      AND QIDNAME(qid) LIKE '%Sign-in%'
      AND "UserType" = 'Guest'
      AND ("RiskLevelDuringSignIn" = 'high' OR "RiskLevelDuringSignIn" = 'medium')
      AND (
        "AppDisplayName" LIKE '%Teams%' OR
        "AppDisplayName" LIKE '%SharePoint%' OR
        "AppDisplayName" LIKE '%OneDrive%' OR
        "AppDisplayName" LIKE '%Office 365%'
      )
    )
  )
LAST 7 DAYS
```

Severity: high · Confidence: medium

AQL detection for T1585.003 Cloud Accounts abuse across Microsoft 365 and Azure AD log sources in QRadar. Three adversary patterns are covered: external Teams accounts with IT helpdesk impersonation keywords in the sender username (Storm-1811 vishing campaign TTP), OAuth application consent grants to cloud storage platforms commonly used for adversary exfiltration or payload staging, and high/medium risk Azure AD guest sign-ins to Microsoft cloud services. Custom Event Properties 'AppName', 'AppDisplayName', 'UserType', and 'RiskLevelDuringSignIn' must be defined in QRadar via the Office 365 and Azure AD DSM field mappings.

Data Sources

  • IBM QRadar Microsoft Office 365 DSM
  • IBM QRadar Microsoft Azure Active Directory DSM

Required Tables

events

False Positives & Tuning

  • Authorized third-party IT vendor accounts (MSP helpdesk) using Microsoft UPNs containing 'helpdesk' or 'support' communicating with internal staff via Teams federation for contracted IT service delivery
  • Sanctioned cloud storage OAuth integrations (Dropbox for Business, Box Enterprise) where employees process consent through the end-user OAuth flow because admin pre-consent has not been configured
  • Guest users from trusted partner tenants whose Azure ID Protection risk scores temporarily elevate to medium due to travel-related sign-in location changes not attributable to adversary access
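
The three WHERE branches of the AQL query above, its SELECT-side CASE labelling, and the three tuning exceptions listed here, reimplemented in Python as an added example for exercising the logic offline. This is not code from the page or from IBM: the event dictionaries, the Allowlist values and the home_domain helper are constructed assumptions that mirror the query's SELECT columns. It also makes visible a property of the query worth knowing before triage: detection_type is computed from field values in CASE order, not from the WHERE branch that admitted the row, so a risky guest sign-in whose UPN happens to contain 'helpdesk' is labelled Teams_ITImpersonation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Patterns copied from the AQL query. The username pattern is applied to
# LOWER(username) as in the query; the application pattern carries its own (?i).
IT_PERSONA_RE = re.compile(
    r".*(?:helpdesk|itsupport|servicedesk|techsupport|itadmin|sysadmin|"
    r"microsoftsupport|o365support|m365support).*")
CLOUD_STORAGE_RE = re.compile(
    r"(?i).*(dropbox|mega|pcloud|sync\.com|mediafire|box\.com).*")
TEAMS_EVENTS = ("MessageSent", "ChatCreated", "MeetingInvited")
MS_CLOUD_APPS = ("Teams", "SharePoint", "OneDrive", "Office 365")


@dataclass
class Allowlist:
    """The three tuning exceptions from the False Positives section.
    Values are hypothetical; fill them from your own tenant."""
    vendor_domains: set = field(default_factory=set)   # contracted MSP helpdesk UPN domains
    sanctioned_apps: set = field(default_factory=set)  # admin pre-consented storage apps (lowercase)
    trusted_tenants: set = field(default_factory=set)  # partner tenants whose guests may sign in


def home_domain(upn: str) -> str:
    """Domain of the account's home tenant. Guest UPNs take the form
    'user_home.tld#EXT#@tenant.onmicrosoft.com' (the '#EXT#' suffix noted in
    Test 4), so unwrap that form before reading the domain."""
    upn = upn.lower()
    if "#ext#" in upn:
        return upn.split("#ext#")[0].rpartition("_")[2]
    return upn.rpartition("@")[2]


def where_branch(ev: dict) -> int:
    """Which of the three WHERE branches admits the event (0 = none)."""
    lst, name = ev.get("log_source_type", ""), ev.get("event_name", "")
    if ("Office 365" in lst and any(t in name for t in TEAMS_EVENTS)
            and IT_PERSONA_RE.match(ev.get("username", "").lower())):
        return 1
    if ("Office 365" in lst and "Consent to application" in name
            and CLOUD_STORAGE_RE.match(ev.get("AppName", ""))):
        return 2
    if ("Azure" in lst and "Sign-in" in name and ev.get("UserType") == "Guest"
            and ev.get("RiskLevelDuringSignIn") in ("high", "medium")
            and any(a in ev.get("AppDisplayName", "") for a in MS_CLOUD_APPS)):
        return 3
    return 0


def case_label(ev: dict) -> str:
    """The SELECT-side CASE, evaluated on field values in the query's order
    and independent of which WHERE branch admitted the row."""
    if IT_PERSONA_RE.match(ev.get("username", "").lower()):
        return "Teams_ITImpersonation"
    if CLOUD_STORAGE_RE.match(ev.get("AppName", "")):
        return "SuspiciousOAuthGrant"
    if ev.get("UserType") == "Guest":
        return "RiskyGuestSignin"
    return "Unknown"   # unreachable for rows the WHERE clause admits


def detect(ev: dict, allow: Optional[Allowlist] = None) -> Optional[str]:
    """detection_type the query would emit after tuning, or None."""
    allow = allow or Allowlist()
    branch = where_branch(ev)
    if branch == 0:
        return None
    dom = home_domain(ev.get("username", ""))
    if branch == 1 and dom in allow.vendor_domains:
        return None
    if branch == 2 and ev.get("AppName", "").lower() in allow.sanctioned_apps:
        return None
    if branch == 3 and dom in allow.trusted_tenants and ev["RiskLevelDuringSignIn"] == "medium":
        return None
    return case_label(ev)


# Constructed events shaped like the query's SELECT columns (not real telemetry).
SAMPLE_EVENTS = [
    {"log_source_type": "Microsoft Office 365", "event_name": "MessageSent",
     "username": "HelpDesk-Support@msp-vendor.example"},
    {"log_source_type": "Microsoft Office 365", "event_name": "Consent to application",
     "username": "bob@corp.example", "AppName": "MEGA Cloud Sync"},
    {"log_source_type": "Microsoft Azure Active Directory", "event_name": "Sign-in",
     "username": "alice_partner.example#EXT#@corp.onmicrosoft.com", "UserType": "Guest",
     "RiskLevelDuringSignIn": "medium", "AppDisplayName": "Microsoft Teams"},
    {"log_source_type": "Microsoft Azure Active Directory", "event_name": "Sign-in",
     "username": "helpdesk_unknown-tenant.example#EXT#@corp.onmicrosoft.com",
     "UserType": "Guest", "RiskLevelDuringSignIn": "high", "AppDisplayName": "OneDrive"},
]

if __name__ == "__main__":
    tuned = Allowlist(vendor_domains={"msp-vendor.example"},
                      sanctioned_apps={"mega cloud sync"},
                      trusted_tenants={"partner.example"})
    for ev in SAMPLE_EVENTS:
        print(where_branch(ev), detect(ev), detect(ev, tuned))
```

The tuned run suppresses the MSP helpdesk account, the pre-consented storage app and the medium-risk guest from a partner tenant, which is what the three bullets above call for; a high-risk sign-in from a trusted tenant still fires. The fourth sample event is admitted by the guest branch but labelled Teams_ITImpersonation, because the CASE tests username before UserType; if each branch must carry its own label in the AQL, repeat the branch's full condition in the CASE instead of testing one field.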

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate External Teams Account IT Impersonation Contact

    Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.

  2. Test 2: OAuth Grant to Unauthorized Cloud Storage Application

    Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.

  3. Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact

    Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.

  4. Test 4: Guest Account Invitation Burst Simulation

    Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
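
For Test 4, the burst condition (more than 5 'Invite external user' events per hour from the same inviting user and source IP) as an added Python example run over constructed AuditLogs-style records; this is not code from the page. Field paths follow the AuditLogs shape described in Test 2 (InitiatedBy.user.userPrincipalName, InitiatedBy.user.ipAddress, TargetResources[0].userPrincipalName), and the timestamps, names and addresses are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 5  # Test 4: alert once one inviter/IP pair exceeds 5 invitations per hour


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def invitation_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of external-user invitations keyed by
    (inviting UPN, source IP). One alert per key, raised the first time the
    count inside any trailing `window` exceeds `threshold`."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["TimeGenerated"]):
        if rec["OperationName"] != "Invite external user":
            continue
        invitee = rec["TargetResources"][0]["userPrincipalName"]
        if "#EXT#" not in invitee:          # only B2B guest (external) invitations count
            continue
        actor = rec["InitiatedBy"]["user"]
        key = (actor["userPrincipalName"], actor["ipAddress"])
        ts = parse_ts(rec["TimeGenerated"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:           # drop invitations older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"inviter": key[0], "source_ip": key[1],
                           "count": len(q), "window_end": ts})
    return alerts


def _invite(ts, inviter, ip, invitee):
    # Constructed record in the AuditLogs shape described in Test 2 (not real data)
    return {"TimeGenerated": ts, "OperationName": "Invite external user",
            "InitiatedBy": {"user": {"userPrincipalName": inviter, "ipAddress": ip}},
            "TargetResources": [{"userPrincipalName": invitee}]}


SAMPLE_AUDIT = [
    _invite(f"2024-05-01T09:{m:02d}:00Z", "pat@corp.example", "198.51.100.7",
            f"guest{i}_outside.example#EXT#@corp.onmicrosoft.com")
    for i, m in enumerate((0, 6, 12, 19, 27, 41))   # six invites in 41 minutes
] + [
    _invite("2024-05-01T10:05:00Z", "kim@corp.example", "203.0.113.9",
            "vendor_partner.example#EXT#@corp.onmicrosoft.com"),
    {"TimeGenerated": "2024-05-01T10:06:00Z", "OperationName": "Update user",
     "InitiatedBy": {"user": {"userPrincipalName": "pat@corp.example",
                              "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"userPrincipalName": "someone@corp.example"}]},
]

if __name__ == "__main__":
    for alert in invitation_bursts(SAMPLE_AUDIT):
        print(alert)
```

A trailing sliding window is used rather than fixed hourly buckets so that six invitations straddling the top of the hour are still counted together; an AQL or KQL version with a fixed bucket would miss that split. The alert is emitted once per inviter/IP pair so that the seventh and later invitations do not re-fire it.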
