T1585.003 Microsoft Sentinel · KQL

Detect Cloud Accounts in Microsoft Sentinel

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Sub-technique: T1585.003 Cloud Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/003/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Detection 1: External Microsoft Teams accounts with IT/helpdesk impersonation names (Storm-1811 TTP)
let HelpDeskKeywords = dynamic(["helpdesk", "help desk", "it support", "itsupport", "servicedesk", "service desk", "techsupport", "tech support", "itadmin", "sysadmin", "microsoftsupport", "microsoft support", "o365support", "m365support"]);
let ExternalTeamsMessages = OfficeActivity
| where TimeGenerated > ago(7d)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageSent", "ChatCreated", "MeetingInvited")
| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
| extend SenderDomain = tostring(split(UserId, "@")[1])
// Drops senders on the tenant's default domain; add your verified custom domains to this filter so internal staff are not flagged
| where SenderDomain !endswith ".onmicrosoft.com"
| extend SenderNameLower = tolower(tostring(UserId))
// has_any matches whole terms, which is why "helpdesk" and "help desk" are listed separately
| where SenderNameLower has_any (HelpDeskKeywords)
| project TimeGenerated, UserId, SenderDomain, Operation, ClientIP, CommunicationType;
// Detection 2: Suspicious OAuth grants to cloud storage applications from new/unknown accounts
let SuspiciousCloudApps = dynamic(["Dropbox", "MEGA", "Box", "Google Drive", "pCloud", "Sync.com", "MediaFire"]);
let OAuthGrants = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
// TargetResources[0] is the application that received consent; InitiatedBy.user is the consenting principal
| extend AppName = tostring(TargetResources[0].displayName)
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| where AppName has_any (SuspiciousCloudApps)
| project TimeGenerated, UserPrincipalName, AppName, IPAddress, OperationName;
// Detection 3: New external accounts accessing organizational SharePoint/OneDrive from unusual IPs
// Note: the Entra ID sign-in table created by the Sentinel data connector is named SigninLogs; point this at SigninLogs if your workspace does not expose AADSignInLogs
let NewExternalSignins = AADSignInLogs
| where TimeGenerated > ago(7d)
| where UserType == "Guest"
| where AppDisplayName in ("Microsoft Teams", "SharePoint Online", "OneDrive", "Office 365")
| where RiskLevelDuringSignIn in ("high", "medium")
| where NetworkLocationDetails !contains "corpnet"
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| project TimeGenerated, UserPrincipalName, UserDisplayName, AppDisplayName, IPAddress, CountryCode, City, RiskLevelDuringSignIn, ConditionalAccessStatus;
// Union all detections (union tolerates the differing column sets; missing columns are null)
union ExternalTeamsMessages, OAuthGrants, NewExternalSignins
| sort by TimeGenerated desc
```

Severity: High · Confidence: Medium

Detects observable indicators of adversary-controlled cloud account activity within the victim environment. Covers three primary patterns: (1) External Microsoft Teams senders with IT helpdesk impersonation keywords in their identity, consistent with Storm-1811 vishing campaigns; (2) OAuth consent grants to unauthorized cloud storage applications that could be used for exfiltration staging; (3) Risky sign-ins from guest/external accounts accessing organizational cloud services from non-corporate network locations. All three patterns target the usage of adversary cloud accounts rather than the creation event, which occurs externally.

Data Sources

  • Application Log: Application Log Content
  • User Account: User Account Authentication
  • Network Traffic: Network Traffic Content
  • Microsoft Teams Audit Logs
  • Azure Active Directory Sign-in Logs
  • Azure Active Directory Audit Logs

Required Tables

  • OfficeActivity
  • AuditLogs
  • AADSignInLogs

False Positives & Tuning

  • Legitimate third-party IT support vendors or MSPs contacting employees via Teams with support-themed display names
  • Employees voluntarily consenting to approved cloud storage integrations (Dropbox for Business, Box enterprise) for productivity purposes
  • Guest contractors or partners signing in from international locations for legitimate business collaboration
  • Security awareness training vendors simulating vishing via Teams with IT impersonation personas
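An added tuning example, not the page's own rule, that suppresses the first two false-positive sources above with Sentinel watchlists; the watchlist names ApprovedSupportDomains (column Domain) and ApprovedCloudApps (column AppName) are assumed and must exist in your workspace.

```kusto
// Added example: allowlist-based tuning for Detections 1 and 2 (not part of the original rule).
// Assumed watchlists: "ApprovedSupportDomains" with a Domain column (MSP / vendor Teams domains)
// and "ApprovedCloudApps" with an AppName column (sanctioned storage apps such as Dropbox for Business).
let ApprovedSupportDomains = _GetWatchlist("ApprovedSupportDomains")
    | project Domain = tolower(tostring(Domain));
let ApprovedCloudApps = _GetWatchlist("ApprovedCloudApps")
    | project AppName = tostring(AppName);
let HelpDeskKeywords = dynamic(["helpdesk", "help desk", "it support", "itsupport", "servicedesk", "service desk", "techsupport", "tech support", "itadmin", "sysadmin", "microsoftsupport", "microsoft support", "o365support", "m365support"]);
let SuspiciousCloudApps = dynamic(["Dropbox", "MEGA", "Box", "Google Drive", "pCloud", "Sync.com", "MediaFire"]);
// Detection 1 with approved vendor domains removed: leftanti keeps only rows that have no watchlist match
let TunedTeams = OfficeActivity
| where TimeGenerated > ago(7d)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageSent", "ChatCreated", "MeetingInvited")
| extend SenderDomain = tolower(tostring(split(UserId, "@")[1]))
| where SenderDomain !endswith ".onmicrosoft.com"
| where tolower(UserId) has_any (HelpDeskKeywords)
| join kind=leftanti ApprovedSupportDomains on $left.SenderDomain == $right.Domain
| project TimeGenerated, Signal = "ExternalTeamsHelpdeskName", Account = UserId, Detail = SenderDomain, IPAddress = ClientIP;
// Detection 2 with sanctioned storage apps removed
let TunedConsents = AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| where AppName has_any (SuspiciousCloudApps)
| join kind=leftanti ApprovedCloudApps on AppName
| project TimeGenerated, Signal = "CloudStorageConsent", Account = tostring(InitiatedBy.user.userPrincipalName), Detail = AppName, IPAddress = tostring(InitiatedBy.user.ipAddress);
// Common column names let the two tuned detections union cleanly
union TunedTeams, TunedConsents
| sort by TimeGenerated desc
```

Review the watchlists on a schedule: an entry added for a one-off vendor engagement silently blinds Detection 1 to that domain until it is removed.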

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate External Teams Account IT Impersonation Contact

    Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.

  2. Test 2: OAuth Grant to Unauthorized Cloud Storage Application

    Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.

  3. Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact

    Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.

  4. Test 4: Guest Account Invitation Burst Simulation

    Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
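The guest-invitation burst signal described in Test 4 is not covered by the rule above; the following added KQL (not the page's own rule) implements it and runs against a constructed datatable so the logic can be checked without live data. The sample UPNs, IPs and timestamps are invented; replace SampleAuditLogs with AuditLogs to run it in a workspace.

```kusto
// Added example: guest-invitation burst check from Test 4 (not part of the original rule).
// SampleAuditLogs is constructed inline; in a workspace replace it with the AuditLogs table.
let InviteThreshold = 5;   // Test 4: more than 5 invites per hour from one inviter and source IP
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    // six invites in one hour from the same user and IP (constructed): should alert
    datetime(2024-05-01T09:02:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g1_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:05:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g2_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:11:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g3_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:18:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g4_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:27:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g5_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:40:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"g6_mail.example#EXT#@contoso.onmicrosoft.com"}]),
    // two invites from another user (constructed): below threshold, must not alert
    datetime(2024-05-01T09:15:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}), dynamic([{"userPrincipalName":"p1_partner.example#EXT#@contoso.onmicrosoft.com"}]),
    datetime(2024-05-01T09:45:00Z), "Invite external user", dynamic({"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}), dynamic([{"userPrincipalName":"p2_partner.example#EXT#@contoso.onmicrosoft.com"}]),
    // unrelated operation in the same window (constructed): filtered out by the OperationName check
    datetime(2024-05-01T09:20:00Z), "Add user", dynamic({"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}), dynamic([{"userPrincipalName":"newhire@contoso.example"}])
];
SampleAuditLogs
| where OperationName == "Invite external user"
| extend InvitingUser = tostring(InitiatedBy.user.userPrincipalName),
         SourceIP = tostring(InitiatedBy.user.ipAddress),
         InvitedUPN = tostring(TargetResources[0].userPrincipalName)
| where InvitedUPN contains "#EXT#"        // B2B guest objects carry the #EXT# marker in their UPN
// bin() produces fixed hourly buckets; a burst straddling two buckets needs a smaller bin or a sliding-window pass
| summarize InviteCount = count(), InvitedGuests = make_set(InvitedUPN),
            FirstInvite = min(TimeGenerated), LastInvite = max(TimeGenerated)
    by InvitingUser, SourceIP, WindowStart = bin(TimeGenerated, 1h)
| where InviteCount > InviteThreshold
| project WindowStart, InvitingUser, SourceIP, InviteCount, FirstInvite, LastInvite, InvitedGuests
```

With the constructed rows, only alice@contoso.example from 203.0.113.10 is returned, with InviteCount 6 in the 09:00 bucket.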
