T1585.003 Sumo Logic CSE · Sumo

Detect Cloud Accounts in Sumo Logic CSE

Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Sub-technique: T1585.003 Cloud Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
```sql
// O365 / Azure AD audit and sign-in logs; adjust _sourceCategory to match your collectors
(_sourceCategory=*o365* OR _sourceCategory=*azure* OR _sourceCategory=*microsoft365* OR _sourceCategory=*m365*)
| json auto
| where (
    // 1. Teams activity from accounts whose UPN carries IT/helpdesk impersonation keywords
    (
      Workload = "MicrosoftTeams"
      AND Operation in ("MessageSent","ChatCreated","MeetingInvited")
      AND toLowerCase(UserId) matches /helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support/
    )
    OR
    // 2. User-level OAuth consent to cloud storage applications
    (
      OperationName = "Consent to application"
      AND toLowerCase(AppName) matches /dropbox|mega|pcloud|sync\.com|mediafire|box\.com/
    )
    OR
    // 3. Risky guest sign-ins to Microsoft cloud services from outside the corporate network
    (
      UserType = "Guest"
      AND RiskLevelDuringSignIn in ("high","medium")
      AND toLowerCase(AppDisplayName) matches /teams|sharepoint|onedrive|office 365|microsoft 365/
      AND !(NetworkLocationDetails matches /corpnet/)
    )
  )
// Label which pattern fired; the keyword list must match the filter above so no Teams hit falls through
| if(
    Workload = "MicrosoftTeams" AND toLowerCase(UserId) matches /helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support/,
    "Teams_ITImpersonation",
    if(
      OperationName = "Consent to application",
      "SuspiciousOAuthGrant",
      "RiskyGuestSignin"
    )
  ) as detection_type
// Normalise fields that may be absent or non-string in one of the three log types
| toString(ClientIP) as ClientIP
| toString(AppName) as AppName
| toString(AppDisplayName) as AppDisplayName
| toString(RiskLevelDuringSignIn) as RiskLevelDuringSignIn
| toString(NetworkLocationDetails) as NetworkLocationDetails
| fields _messagetime, UserId, ClientIP, Operation, OperationName, AppName, AppDisplayName, UserType, RiskLevelDuringSignIn, NetworkLocationDetails, detection_type
| sort by _messagetime desc
```

Severity: high. Confidence: medium.

Sumo Logic detection for T1585.003 Cloud Accounts, covering adversary-controlled cloud account activity observable in Microsoft 365 and Azure AD telemetry. It identifies three patterns: external Teams accounts whose UPN carries IT/helpdesk impersonation keywords contacting internal employees (the Storm-1811 vishing technique), user-level OAuth consent grants to cloud storage platforms favoured by adversaries for exfiltration or tool staging, and high- or medium-risk Azure AD guest sign-ins to Microsoft cloud services from non-corporate networks. Requires O365 and Azure AD log sources with the appropriate _sourceCategory assignments. Field extraction depends on your DSM parser output; adjust field names to match your ingestion format if needed.
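To check the three branches of the query against known inputs before deploying it, here is an added Python re-implementation of the same filter and labelling logic run over newline-delimited JSON audit records. It is example code written for this page, not Sumo Logic's or the rule author's; the sample events are constructed and the field names follow the query above.

```python
import json
import re

# Patterns mirrored from the Sumo Logic query on this page.
IT_IMPERSONATION = re.compile(
    r"helpdesk|help\.desk|itsupport|it\.support|servicedesk|service\.desk|techsupport"
    r"|tech\.support|itadmin|sysadmin|microsoftsupport|o365support|m365support")
CLOUD_STORAGE_APPS = re.compile(r"dropbox|mega|pcloud|sync\.com|mediafire|box\.com")
MS_CLOUD_APPS = re.compile(r"teams|sharepoint|onedrive|office 365|microsoft 365")
TEAMS_OPS = {"MessageSent", "ChatCreated", "MeetingInvited"}


def classify(event):
    """Return the detection_type label for one parsed audit event, or None if no branch fires."""
    lower = lambda key: str(event.get(key, "")).lower()
    if (event.get("Workload") == "MicrosoftTeams"
            and event.get("Operation") in TEAMS_OPS
            and IT_IMPERSONATION.search(lower("UserId"))):
        return "Teams_ITImpersonation"
    if (event.get("OperationName") == "Consent to application"
            and CLOUD_STORAGE_APPS.search(lower("AppName"))):
        return "SuspiciousOAuthGrant"
    if (event.get("UserType") == "Guest"
            and event.get("RiskLevelDuringSignIn") in ("high", "medium")
            and MS_CLOUD_APPS.search(lower("AppDisplayName"))
            and "corpnet" not in lower("NetworkLocationDetails")):
        return "RiskyGuestSignin"
    return None


def run(ndjson_lines):
    """Parse newline-delimited JSON records and return (UserId, detection_type) for each hit."""
    hits = []
    for line in ndjson_lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            hits.append((event.get("UserId"), label))
    return hits


# Constructed sample records (not real tenant data): one hit and one miss per branch.
SAMPLE = [
    '{"Workload":"MicrosoftTeams","Operation":"MessageSent","UserId":"IT.HelpDesk@ext.example","ClientIP":"203.0.113.10"}',
    '{"Workload":"MicrosoftTeams","Operation":"MessageSent","UserId":"alice@corp.example","ClientIP":"10.0.0.5"}',
    '{"OperationName":"Consent to application","AppName":"Dropbox Business","UserId":"bob@corp.example"}',
    '{"OperationName":"Consent to application","AppName":"Contoso Expense Tool","UserId":"bob@corp.example"}',
    '{"UserType":"Guest","RiskLevelDuringSignIn":"medium","AppDisplayName":"Microsoft Teams","UserId":"eve_gmail.com#EXT#@corp.example","NetworkLocationDetails":"[]"}',
    '{"UserType":"Guest","RiskLevelDuringSignIn":"medium","AppDisplayName":"Microsoft Teams","UserId":"guest@partner.example","NetworkLocationDetails":"[{\\"networkNames\\":[\\"corpnet\\"]}]"}',
]
```

Calling run(SAMPLE) returns one (UserId, label) pair per firing branch; feeding an exported batch of real records through it lets you compare hit counts with what the Sumo query returns for the same period.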

Data Sources

  • Sumo Logic Microsoft Office 365 Source
  • Sumo Logic Azure Active Directory Source

Required Tables

  • O365 audit logs
  • Azure AD audit logs
  • Azure AD sign-in logs

False Positives & Tuning

  • Contracted MSP helpdesk technicians whose Microsoft accounts include 'helpdesk' or 'itsupport' in the UPN legitimately using Teams federation to deliver IT support to internal employees
  • Employees completing OAuth consent flows for IT-approved cloud storage integrations (Dropbox, Box) that have not yet been pre-consented at the admin tenant level, appearing as user-level consent events
  • Frequent travelers or remote workers whose sign-in locations cause Azure AD Identity Protection to elevate risk scores to medium for guest-federated or B2B accounts during normal business activity

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate External Teams Account IT Impersonation Contact

    Expected signal: OfficeActivity (M365 Audit Log) with RecordType=MicrosoftTeams, Operation=MessageSent, UserId containing the external account UPN with helpdesk/IT support keywords, CommunicationType=OneOnOne. In KQL: OfficeActivity | where RecordType=='MicrosoftTeams' | where UserId contains 'helpdesk'.

  2. Test 2: OAuth Grant to Unauthorized Cloud Storage Application

    Expected signal: AuditLogs table: OperationName='Consent to application', TargetResources[0].displayName matching the cloud storage app name, InitiatedBy.user.userPrincipalName showing the consenting user, InitiatedBy.user.ipAddress for geo-correlation. Event visible in Azure AD audit logs within 15 minutes.

  3. Test 3: Simulate Outbound Data Transfer to Cloud Storage Following Adversary Account Contact

    Expected signal: DeviceNetworkEvents: RemoteUrl matching 's3.amazonaws.com' or 'content.dropboxapi.com', InitiatingProcessFileName='aws.exe' or 'curl.exe', SentBytes > 10485760 (10MB). Sysmon Event ID 3 (Network Connection) to destination IPs resolving to cloud storage infrastructure. DNS resolution events (Sysmon Event ID 22) for cloud storage hostnames.

  4. Test 4: Guest Account Invitation Burst Simulation

    Expected signal: AuditLogs: OperationName='Invite external user', 6 events within a 1-hour window from the same InvitingUser and SourceIP. Each event contains TargetResources[0].userPrincipalName with '#EXT#' suffix. InviteCount summary exceeds threshold of 5 per hour. Events appear in Azure AD audit logs within 15 minutes.
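Test 4 describes a count-based pattern that the per-event query above does not cover. The following is an added Python implementation of that rolling one-hour threshold (more than 5 'Invite external user' events from the same inviting user and source IP, counting only targets with the '#EXT#' marker) over constructed Azure AD audit records. It is example code for this page, not the author's; the flattened field names InvitingUser, SourceIP and TargetUPN are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5               # page's stated threshold: more than 5 invites per hour
WINDOW = timedelta(hours=1)


def find_invite_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return (inviting_user, source_ip, count, time) for every (user, ip) pair whose
    external-guest invites exceed `threshold` within any rolling `window`."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps still inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("OperationName") != "Invite external user":
            continue
        if "#EXT#" not in ev.get("TargetUPN", ""):   # only external (B2B) invitees count
            continue
        key = (ev["InvitingUser"], ev["SourceIP"])
        window_q = recent[key]
        window_q.append(ev["time"])
        while ev["time"] - window_q[0] > window:     # expire timestamps older than the window
            window_q.popleft()
        if len(window_q) > threshold and key not in alerted:
            alerted.add(key)                         # one alert per (user, ip) burst
            alerts.append((key[0], key[1], len(window_q), ev["time"]))
    return alerts


# Constructed sample audit records (not real tenant data).
T0 = datetime(2024, 1, 15, 9, 0)


def _invite(minutes, user, ip, target):
    return {"time": T0 + timedelta(minutes=minutes), "OperationName": "Invite external user",
            "InvitingUser": user, "SourceIP": ip, "TargetUPN": target}


SAMPLE = (
    # six invites in 40 minutes from one admin and one IP: alerts on the sixth
    [_invite(m, "admin@corp.example", "203.0.113.7", f"g{m}_gmail.com#EXT#@corp.example")
     for m in (0, 5, 12, 20, 31, 40)]
    # three invites spread over more than three hours from HR: normal onboarding, no alert
    + [_invite(m, "hr@corp.example", "10.0.0.9", f"n{m}_partner.example#EXT#@corp.example")
       for m in (0, 90, 200)]
    # internal target without the #EXT# marker: ignored by the filter
    + [_invite(50, "admin@corp.example", "203.0.113.7", "internal@corp.example")]
)
```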
