Detect Cloud Accounts in Splunk
Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1585 Establish Accounts
- Sub-technique: T1585.003 Cloud Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1585/003/
SPL Detection Query
| union
[
search index=o365 sourcetype="o365:management:activity" Workload=MicrosoftTeams Operation IN ("MessageSent","ChatCreated","MeetingInvited")
| eval SenderDomain=mvindex(split(UserId,"@"),1)
| eval SenderNameLower=lower(UserId)
| where match(SenderNameLower, "(helpdesk|help.desk|it.support|itsupport|servicedesk|service.desk|techsupport|tech.support|itadmin|sysadmin|microsoftsupport|o365support|m365support)")
| where NOT match(SenderDomain, "yourdomain\.com$")
| eval detection_type="Teams_ITImpersonation"
| table _time, UserId, SenderDomain, Operation, ClientIP, detection_type
]
[
search index=o365 sourcetype="o365:management:activity" Operation="Consent to application"
| spath input=TargetResources{} path=displayName output=AppName
| spath input=InitiatedBy.user path=userPrincipalName output=UserPrincipalName
| spath input=InitiatedBy.user path=ipAddress output=IPAddress
| where match(AppName, "(?i)(dropbox|mega|box\.com|pcloud|sync\.com|mediafire)")
| eval detection_type="SuspiciousOAuthGrant"
| table _time, UserPrincipalName, AppName, IPAddress, detection_type
]
[
search index=azure sourcetype="azure:aad:signin" UserType=Guest RiskLevelDuringSignIn IN ("high","medium")
| eval AppDisplayName=coalesce(AppDisplayName, "unknown")
| where match(AppDisplayName, "(?i)(teams|sharepoint|onedrive|office 365)")
| eval NetworkLocation=coalesce(NetworkLocationDetails,"external")
| where NOT match(NetworkLocation, "corpnet")
| spath input=LocationDetails path=countryOrRegion output=CountryCode
| eval detection_type="RiskyGuestSignin"
| table _time, UserPrincipalName, UserDisplayName, AppDisplayName, IPAddress, CountryCode, RiskLevelDuringSignIn, detection_type
]
| sort - _time

Detects adversary-controlled cloud account activity across three sub-patterns using O365 audit logs and Azure AD sign-in logs: (1) Microsoft Teams messages from external senders whose identity contains IT support impersonation keywords (Storm-1811 pattern); (2) OAuth application consent grants to unauthorized cloud storage providers that could be used as exfiltration drop zones; (3) risky guest/external account sign-ins to organizational cloud services originating outside corporate network boundaries. Requires the o365:management:activity and azure:aad:signin sourcetypes.
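To exercise the three sub-patterns without a Splunk instance, the following is an added Python re-implementation of the query's logic (example code, not part of the page or of any vendor tool). It uses the same keyword and application regexes as the SPL, runs them over constructed o365:management:activity and azure:aad:signin-shaped events, and returns the union newest first. CORP_DOMAIN is an assumed placeholder; the corporate-domain exclusion is deliberately tighter than the page's `yourdomain\.com$` suffix match, treating only the exact domain or its subdomains as internal so that a look-alike such as `notyourdomain.com` still fires.

```python
import re

# Assumed placeholder for the organisation's own tenant domain.
CORP_DOMAIN = "yourdomain.com"

# Same patterns as the SPL query; the persona list is applied to lower-cased UserId.
IT_PERSONA_RE = re.compile(
    r"(helpdesk|help.desk|it.support|itsupport|servicedesk|service.desk|"
    r"techsupport|tech.support|itadmin|sysadmin|microsoftsupport|o365support|m365support)"
)
STORAGE_APP_RE = re.compile(r"(dropbox|mega|box\.com|pcloud|sync\.com|mediafire)", re.I)
M365_APP_RE = re.compile(r"(teams|sharepoint|onedrive|office 365)", re.I)
TEAMS_OPS = {"MessageSent", "ChatCreated", "MeetingInvited"}


def _is_corp_domain(domain):
    # Exact domain or a subdomain of it; a plain suffix regex would also accept
    # "notyourdomain.com" as internal.
    return domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN)


def teams_it_impersonation(ev):
    """Sub-pattern 1: Teams activity from an external sender using an IT-support persona."""
    if ev.get("sourcetype") != "o365:management:activity":
        return None
    if ev.get("Workload") != "MicrosoftTeams" or ev.get("Operation") not in TEAMS_OPS:
        return None
    user_id = ev.get("UserId", "")
    sender_domain = user_id.partition("@")[2]          # mvindex(split(UserId,"@"),1)
    if not IT_PERSONA_RE.search(user_id.lower()) or _is_corp_domain(sender_domain):
        return None
    return {"_time": ev["_time"], "UserId": user_id, "SenderDomain": sender_domain,
            "Operation": ev["Operation"], "ClientIP": ev.get("ClientIP"),
            "detection_type": "Teams_ITImpersonation"}


def suspicious_oauth_grant(ev):
    """Sub-pattern 2: consent granted to a cloud-storage application."""
    if ev.get("sourcetype") != "o365:management:activity" or ev.get("Operation") != "Consent to application":
        return None
    app_name = (ev.get("TargetResources") or [{}])[0].get("displayName", "")
    if not STORAGE_APP_RE.search(app_name):
        return None
    actor = (ev.get("InitiatedBy") or {}).get("user") or {}
    return {"_time": ev["_time"], "UserPrincipalName": actor.get("userPrincipalName"),
            "AppName": app_name, "IPAddress": actor.get("ipAddress"),
            "detection_type": "SuspiciousOAuthGrant"}


def risky_guest_signin(ev):
    """Sub-pattern 3: medium/high-risk guest sign-in to M365 services from outside corpnet."""
    if ev.get("sourcetype") != "azure:aad:signin" or ev.get("UserType") != "Guest":
        return None
    if ev.get("RiskLevelDuringSignIn") not in ("high", "medium"):
        return None
    app = ev.get("AppDisplayName") or "unknown"                 # coalesce(AppDisplayName,"unknown")
    network = ev.get("NetworkLocationDetails") or "external"    # coalesce(NetworkLocationDetails,"external")
    if not M365_APP_RE.search(app) or re.search("corpnet", network):
        return None
    return {"_time": ev["_time"], "UserPrincipalName": ev.get("UserPrincipalName"),
            "UserDisplayName": ev.get("UserDisplayName"), "AppDisplayName": app,
            "IPAddress": ev.get("IPAddress"),
            "CountryCode": (ev.get("LocationDetails") or {}).get("countryOrRegion"),
            "RiskLevelDuringSignIn": ev["RiskLevelDuringSignIn"],
            "detection_type": "RiskyGuestSignin"}


def run_detections(events):
    """Union of the three sub-patterns, newest first (the SPL's `sort - _time`)."""
    hits = [h for ev in events
            for h in (teams_it_impersonation(ev), suspicious_oauth_grant(ev), risky_guest_signin(ev))
            if h]
    return sorted(hits, key=lambda h: h["_time"], reverse=True)


# Constructed sample events, not real telemetry (ISO-8601 timestamps sort lexicographically).
SAMPLE_EVENTS = [
    {"sourcetype": "o365:management:activity", "Workload": "MicrosoftTeams", "Operation": "MessageSent",
     "UserId": "it.helpdesk@contoso-support.example", "ClientIP": "203.0.113.10",
     "_time": "2024-06-01T10:00:00Z"},                                   # external persona: fires
    {"sourcetype": "o365:management:activity", "Workload": "MicrosoftTeams", "Operation": "MessageSent",
     "UserId": "helpdesk@yourdomain.com", "ClientIP": "10.0.0.5",
     "_time": "2024-06-01T10:01:00Z"},                                   # our own helpdesk: quiet
    {"sourcetype": "o365:management:activity", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application", "TargetResources": [{"displayName": "Dropbox Business"}],
     "InitiatedBy": {"user": {"userPrincipalName": "alice@yourdomain.com", "ipAddress": "198.51.100.7"}},
     "_time": "2024-06-01T10:02:00Z"},                                   # storage-app consent: fires
    {"sourcetype": "o365:management:activity", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application", "TargetResources": [{"displayName": "Expense Tracker"}],
     "InitiatedBy": {"user": {"userPrincipalName": "alice@yourdomain.com", "ipAddress": "198.51.100.7"}},
     "_time": "2024-06-01T10:03:00Z"},                                   # unrelated app: quiet
    {"sourcetype": "azure:aad:signin", "UserType": "Guest", "RiskLevelDuringSignIn": "high",
     "AppDisplayName": "Microsoft Teams", "NetworkLocationDetails": None, "IPAddress": "192.0.2.44",
     "UserPrincipalName": "bob_outside.example#EXT#@yourdomain.onmicrosoft.com", "UserDisplayName": "Bob",
     "LocationDetails": {"countryOrRegion": "XX"}, "_time": "2024-06-01T10:04:00Z"},   # external: fires
    {"sourcetype": "azure:aad:signin", "UserType": "Guest", "RiskLevelDuringSignIn": "medium",
     "AppDisplayName": "SharePoint Online", "NetworkLocationDetails": "corpnet", "IPAddress": "10.0.0.9",
     "UserPrincipalName": "carol_partner.example#EXT#@yourdomain.onmicrosoft.com", "UserDisplayName": "Carol",
     "LocationDetails": {"countryOrRegion": "XX"}, "_time": "2024-06-01T10:05:00Z"},   # corpnet: quiet
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit["_time"], hit["detection_type"], hit.get("UserId") or hit.get("UserPrincipalName"))
```

Three of the six constructed events fire, one per sub-pattern; the internal helpdesk message, the non-storage consent and the corpnet guest sign-in stay quiet, which is the behaviour to confirm before tuning the keyword list or the corporate-network exclusion against production data.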
Data Sources
Required Sourcetypes
- o365:management:activity
- azure:aad:signin
False Positives & Tuning
- Legitimate MSP or vendor support staff contacting via Teams with support-themed account names
- Employees granting OAuth access to approved cloud storage tools for legitimate business workflows
- Traveling employees or remote workers signing in from international locations triggering risky sign-in policies
- Security red team exercises simulating cloud account abuse scenarios
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate External Teams Account IT Impersonation Contact
Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.
- Test 2: OAuth Grant to Unauthorized Cloud Storage Application
Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.
- Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact
Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.
- Test 4: Guest Account Invitation Burst Simulation
Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
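The Test 4 signal is a rate condition rather than a single-event match, so it needs a windowed count. The following added Python example (not from the page or from Atomic Red Team) evaluates that condition over constructed AuditLogs-shaped records: it groups 'Invite external user' events by inviting user and source IP, keeps a sliding one-hour window per group, and alerts when the window ever holds more than 5 invitations to '#EXT#' guest UPNs. The record layout is an assumption: InvitingUser and SourceIP are taken from InitiatedBy.user as in Test 2, and the timestamp column is assumed to be TimeGenerated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INVITE_THRESHOLD = 5          # page: "exceeds threshold of 5 per hour"
WINDOW = timedelta(hours=1)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def invite_bursts(events, threshold=INVITE_THRESHOLD, window=WINDOW):
    """Return one alert per (InvitingUser, SourceIP) whose invitations of
    external (#EXT#) guests exceed `threshold` inside any sliding `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("OperationName") != "Invite external user":
            continue
        guest = (ev.get("TargetResources") or [{}])[0].get("userPrincipalName", "")
        if "#EXT#" not in guest:                      # ignore non-guest targets
            continue
        actor = (ev.get("InitiatedBy") or {}).get("user") or {}
        key = (actor.get("userPrincipalName"), actor.get("ipAddress"))
        by_actor[key].append((_parse_ts(ev["TimeGenerated"]), guest))

    alerts = []
    for (inviter, ip), invites in by_actor.items():
        invites.sort()                                # chronological per actor
        recent = deque()
        peak, peak_guests = 0, []
        for ts, guest in invites:
            recent.append((ts, guest))
            while ts - recent[0][0] > window:         # evict invites older than the window
                recent.popleft()
            if len(recent) > peak:
                peak, peak_guests = len(recent), [g for _, g in recent]
        if peak > threshold:
            alerts.append({"InvitingUser": inviter, "SourceIP": ip,
                           "InviteCount": peak, "Guests": peak_guests})
    return alerts


def make_invite(ts, inviter, ip, guest):
    """Constructed AuditLogs-shaped record (assumed layout, not real telemetry)."""
    return {"OperationName": "Invite external user", "TimeGenerated": ts,
            "InitiatedBy": {"user": {"userPrincipalName": inviter, "ipAddress": ip}},
            "TargetResources": [{"userPrincipalName": guest}]}


def _ts(minutes_after_midnight):
    return f"2024-06-01T{minutes_after_midnight // 60:02d}:{minutes_after_midnight % 60:02d}:00Z"


# Burst: six guest invites in 50 minutes from one user and IP (the Test 4 scenario).
# Baseline: six invites from another user 90 minutes apart, never more than one per hour.
# Plus one invite of an internal (non-#EXT#) account, which the rule must ignore.
SAMPLE_AUDIT = (
    [make_invite(_ts(540 + 10 * i), "mallory@yourdomain.com", "198.51.100.9",
                 f"guest{i}_ext.example#EXT#@yourdomain.onmicrosoft.com") for i in range(6)]
    + [make_invite(_ts(480 + 90 * i), "dave@yourdomain.com", "10.0.0.12",
                   f"partner{i}_vendor.example#EXT#@yourdomain.onmicrosoft.com") for i in range(6)]
    + [make_invite(_ts(555), "mallory@yourdomain.com", "198.51.100.9", "erin@yourdomain.com")]
)

if __name__ == "__main__":
    for alert in invite_bursts(SAMPLE_AUDIT):
        print(alert["InvitingUser"], alert["SourceIP"], alert["InviteCount"], alert["Guests"])
```

Only the six-in-fifty-minutes actor produces an alert; the same six invitations spread over a working day never exceed one per window. Raising the threshold to 6 silences the burst as well, which is the knob to turn if onboarding teams legitimately invite many guests at once.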
References (10)
- https://attack.mitre.org/techniques/T1585/003/
- https://attack.mitre.org/groups/G1046/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/microsoftteams/manage-external-access
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.003/T1585.003.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a