T1586.003

Cloud Accounts

Adversaries may compromise cloud accounts to use during targeting operations. Compromised cloud accounts (Azure, AWS, GCP, Dropbox, OneDrive, GitHub) allow adversaries to leverage trusted third-party infrastructure for command and control, exfiltration to cloud storage, sending phishing or spam via cloud messaging services (AWS SES/SNS, SendGrid, Twilio), and acquiring additional cloud infrastructure without managing their own servers. Compromise methods include phishing for cloud credentials, password spraying, purchasing leaked credential sets from criminal markets, or stealing OAuth access tokens. APT29 has been observed using compromised Azure Virtual Machine accounts with residential proxies to obfuscate access to victim environments. This is a PRE-ATT&CK technique — the initial account compromise occurs outside the victim environment on third-party cloud platforms. Detection pivots to observable downstream effects: anomalous authentication events in cloud identity provider logs, risk signals from Identity Protection engines, MFA bypass indicators, and post-compromise behaviors such as bulk cloud storage access or cloud messaging API abuse.

Microsoft Sentinel / Defender

kusto

// T1586.003 — Compromised Cloud Account Usage Detection
// Detects compromised cloud accounts via Azure AD Identity Protection risk events,
// confirmed compromise states, impossible travel, and cross-tenant MFA bypass patterns
let SuspiciousRiskEventTypes = dynamic([
    "impossibleTravel", "anonymizedIPAddress", "maliciousIPAddress",
    "unfamiliarFeatures", "passwordSpray", "leakedCredentials",
    "nationStateIP", "riskyIPAddress", "investigationsThreatIntelligence"
]);
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend ParsedBrowser = tostring(DeviceDetail.browser)
| extend ParsedOS = tostring(DeviceDetail.operatingSystem)
| extend IsHighRiskSignIn = RiskLevelDuringSignIn in ("high", "medium")
| extend IsCompromisedState = RiskState in ("atRisk", "confirmedCompromised")
| extend HasSuspiciousRiskEvent = RiskEventTypes_V2 has_any (SuspiciousRiskEventTypes)
| extend IsCrossTenantMFABypass = AuthenticationRequirement == "singleFactorAuthentication"
    and isnotempty(HomeTenantId)
    and HomeTenantId != ResourceTenantId
| where IsHighRiskSignIn or IsCompromisedState or HasSuspiciousRiskEvent or IsCrossTenantMFABypass
| extend AlertReason = case(
    IsCompromisedState, "ConfirmedCompromise",
    IsHighRiskSignIn and HasSuspiciousRiskEvent, strcat("HighRisk+Event:", tostring(RiskEventTypes_V2)),
    IsHighRiskSignIn, "HighRiskSignIn",
    HasSuspiciousRiskEvent, strcat("RiskEvent:", tostring(RiskEventTypes_V2)),
    IsCrossTenantMFABypass, "CrossTenantMFABypass",
    "UnknownRisk"
)
| extend RiskIndicatorCount = toint(IsHighRiskSignIn) + toint(IsCompromisedState)
    + toint(HasSuspiciousRiskEvent) + toint(IsCrossTenantMFABypass)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          CountryCode, City, ParsedBrowser, ParsedOS,
          RiskLevelDuringSignIn, RiskLevelAggregated, RiskState,
          RiskEventTypes_V2, ConditionalAccessStatus, AuthenticationRequirement,
          HomeTenantId, ResourceTenantId,
          AlertReason, RiskIndicatorCount
| sort by RiskIndicatorCount desc, TimeGenerated desc

high severity medium confidence

Data Sources

Application Log: Application Log Content User Account: User Account Authentication Azure Active Directory Sign-In Logs Microsoft Identity Protection

Required Tables

SigninLogs

False Positives

Legitimate business travel — users authenticating from new geographic regions trigger impossibleTravel and unfamiliarFeatures risk events; correlate against HR travel records or user-submitted travel notifications
Corporate VPN or proxy services routing authentication traffic through anonymizing or geographically unexpected IP ranges, triggering anonymizedIPAddress or unfamiliarFeatures events
Automated service accounts and CI/CD pipelines authenticating from cloud-hosted build agents (GitHub Actions, Azure DevOps) with IP ranges that Identity Protection classifies as anomalous or associated with hosting providers
Cross-tenant guest access patterns for legitimate B2B collaboration where users regularly authenticate to partner tenant resources using single-factor authentication under legacy conditional access policies

Splunk

spl

index=azure sourcetype="azure:aad:signin" resultType=0
| eval user=userPrincipalName
| eval src_ip=ipAddress
| eval app=appDisplayName
| eval risk_level=lower(coalesce(riskLevelDuringSignIn, ""))
| eval risk_state=lower(coalesce(riskState, ""))
| eval risk_events=lower(coalesce(riskEventTypes_v2, ""))
| eval country=spath(_raw, "location.countryOrRegion")
| eval city=spath(_raw, "location.city")
| eval auth_req=lower(coalesce(authenticationRequirement, ""))
| eval ca_status=lower(coalesce(conditionalAccessStatus, ""))
| eval home_tenant=coalesce(homeTenantId, "")
| eval resource_tenant=coalesce(resourceTenantId, "")
| eval is_high_risk=if(
    risk_level IN ("high", "medium") OR risk_state IN ("atrisk", "confirmedcompromised"),
    1, 0)
| eval has_risky_event=if(
    match(risk_events, "(impossibletravel|anonymizedipaddress|maliciousipaddress|unfamiliarfeatures|passwordspray|leakedcredentials|nationstateip|riskyipaddress|investigationsthreatintelligence)"),
    1, 0)
| eval cross_tenant_mfa_bypass=if(
    auth_req="singlefactorauthentication" AND
    home_tenant!="" AND home_tenant!=resource_tenant,
    1, 0)
| where is_high_risk=1 OR has_risky_event=1 OR cross_tenant_mfa_bypass=1
| eval threat_indicators=mvappend(
    if(is_high_risk=1, "HighRiskSignIn", null()),
    if(has_risky_event=1, "RiskyEvent:".risk_events, null()),
    if(cross_tenant_mfa_bypass=1, "CrossTenantMFABypass", null())
)
| eval threat_score=is_high_risk + has_risky_event + cross_tenant_mfa_bypass
| table _time, user, src_ip, app, country, city, risk_level, risk_state, risk_events, cross_tenant_mfa_bypass, threat_score, threat_indicators
| sort - threat_score, - _time

high severity medium confidence

Data Sources

Application Log: Application Log Content User Account: User Account Authentication Azure AD Sign-In Logs Splunk Add-on for Microsoft Cloud Services

Required Sourcetypes

azure:aad:signin

False Positives

Business travelers signing in from foreign countries triggering impossibleTravel or unfamiliarFeatures events that populate risk_events field
Corporate VPN or proxy services routing traffic through unexpected geographies or IP ranges flagged as anonymizing services by Identity Protection
Service accounts and automation pipelines authenticating from cloud-hosted infrastructure where Azure Identity Protection flags the hosting provider IP range as anomalous
Legacy B2B federation scenarios where partner tenant users regularly authenticate to home tenant resources with single-factor authentication under grandfathered conditional access exclusions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  "username" AS "User Principal Name",
  sourceip AS "Source IP",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  "riskLevelDuringSignIn" AS "Risk Level",
  "riskState" AS "Risk State",
  "riskEventTypes_v2" AS "Risk Events",
  "authenticationRequirement" AS "Auth Requirement",
  "homeTenantId" AS "Home Tenant",
  "resourceTenantId" AS "Resource Tenant",
  CATEGORYNAME(category) AS "QRadar Category"
FROM events
WHERE LOGSOURCETYPEID = 433
  AND "resultType" = '0'
  AND (
    LOWER("riskLevelDuringSignIn") IN ('high', 'medium')
    OR LOWER("riskState") IN ('atrisk', 'confirmedcompromised')
    OR REGEXP_MATCH(
      LOWER(COALESCE("riskEventTypes_v2", '')),
      '.*(impossibletravel|anonymizedipaddress|maliciousipaddress|unfamiliarfeatures|passwordspray|leakedcredentials|nationstateip|riskyipaddress|investigationsthreatintelligence).*'
    )
    OR (
      LOWER("authenticationRequirement") = 'singlefactorauthentication'
      AND "homeTenantId" IS NOT NULL
      AND "homeTenantId" <> ''
      AND "homeTenantId" <> COALESCE("resourceTenantId", '')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Azure Active Directory Sign-in Logs via QRadar Azure Active Directory DSM (LOGSOURCETYPEID 433)

Required Tables

events

False Positives

Shared application service accounts or managed identities using delegated permissions that authenticate cross-tenant as singleFactorAuthentication where device-based Conditional Access policies satisfy the MFA requirement transparently
New device registrations or first-time browser sign-ins for legitimate users during onboarding generating unfamiliarFeatures risk events in bulk during provisioning waves
QRadar DSM field mapping drift after Azure schema updates causing riskEventTypes_v2 to arrive under a different property name and producing missed detections or false matches on legacy field values

Sumo Logic CSE

sql

_sourceCategory=Azure/SignInLogs
| json field=_raw "resultType" as result_type
| json field=_raw "userPrincipalName" as user
| json field=_raw "ipAddress" as src_ip
| json field=_raw "appDisplayName" as app
| json field=_raw "riskLevelDuringSignIn" as risk_level
| json field=_raw "riskState" as risk_state
| json field=_raw "riskEventTypes_v2" as risk_events
| json field=_raw "authenticationRequirement" as auth_req
| json field=_raw "homeTenantId" as home_tenant
| json field=_raw "resourceTenantId" as resource_tenant
| json field=_raw "location.countryOrRegion" as country
| where result_type = "0"
| toLowerCase(risk_level) as risk_level_lc
| toLowerCase(risk_state) as risk_state_lc
| toLowerCase(risk_events) as risk_events_lc
| toLowerCase(auth_req) as auth_req_lc
| where (
    risk_level_lc in ("high", "medium")
    OR risk_state_lc in ("atrisk", "confirmedcompromised")
    OR risk_events_lc matches "*impossibletravel*"
    OR risk_events_lc matches "*anonymizedipaddress*"
    OR risk_events_lc matches "*maliciousipaddress*"
    OR risk_events_lc matches "*unfamiliarfeatures*"
    OR risk_events_lc matches "*passwordspray*"
    OR risk_events_lc matches "*leakedcredentials*"
    OR risk_events_lc matches "*nationstateip*"
    OR risk_events_lc matches "*riskyipaddress*"
    OR risk_events_lc matches "*investigationsthreatintelligence*"
    OR (
      auth_req_lc = "singlefactorauthentication"
      AND !isNull(home_tenant)
      AND !isBlank(home_tenant)
      AND home_tenant != resource_tenant
    )
  )
| eval threat_score = if(risk_level_lc in ("high","medium"), 1, 0)
    + if(risk_state_lc in ("atrisk","confirmedcompromised"), 1, 0)
    + if(auth_req_lc = "singlefactorauthentication" AND !isNull(home_tenant) AND !isBlank(home_tenant) AND home_tenant != resource_tenant, 1, 0)
| fields _messageTime, user, src_ip, app, country, risk_level, risk_state, risk_events, auth_req, home_tenant, resource_tenant, threat_score
| sort by threat_score desc, _messageTime desc

high severity high confidence

Data Sources

Azure Active Directory Sign-in Logs via Sumo Logic Azure Event Hub Collector

Required Tables

_sourceCategory=Azure/SignInLogs

False Positives

Legitimate remote workers on residential ISPs or consumer VPN products (NordVPN, ExpressVPN) triggering anonymizedIPAddress or riskyIPAddress signals where personal VPN use is permitted by policy
B2B collaboration flows where guest users from partner organisations have MFA enforced in their home tenant and the resource tenant legitimately observes singleFactorAuthentication as the home-tenant MFA claim is trusted
Security red team engagements or authorised penetration tests deliberately exercising Azure Identity Protection detections against sandbox or production accounts during scoped testing windows

Google Chronicle / SecOps

yaral

rule t1586_003_compromised_cloud_account_usage {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects compromised Azure cloud account usage via Identity Protection risk signals: high/medium risk sign-ins, confirmed compromise states, risky event categories (impossible travel, leaked credentials, password spray, anonymized IP, nation-state IP), and cross-tenant MFA bypass patterns in Azure AD sign-in logs."
    mitre_attack_technique = "T1586.003"
    mitre_attack_tactic = "Resource Development"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    platform = "Azure Active Directory"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_name = "Azure Active Directory"
    $e.security_result.action = "ALLOW"
    (
      $e.security_result.severity = "HIGH" or
      $e.security_result.severity = "MEDIUM" or
      re.regex(
        $e.security_result.category_details,
        `(?i)(impossibleTravel|anonymizedIPAddress|maliciousIPAddress|unfamiliarFeatures|passwordSpray|leakedCredentials|nationStateIP|riskyIPAddress|investigationsThreatIntelligence|confirmedCompromised|atRisk)`
      ) or
      (
        $e.network.http.user_agent = "" and
        re.regex($e.security_result.action_details, `(?i)singleFactor`) and
        $e.principal.resource.attribute.labels["homeTenantId"] != $e.target.resource.attribute.labels["resourceTenantId"]
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Azure Active Directory Sign-in Logs via Chronicle Azure AD Ingestion Parser (UDM log type: AZURE_AD)

Required Tables

azure_ad

False Positives

High-profile executives or board members with persistent MEDIUM severity risk profiles due to frequent travel to multiple countries, causing continuous rule triggering that should be managed via allowlist or risk score tuning in Azure Identity Protection
Newly provisioned accounts authenticating for the first time from corporate-issued devices triggering unfamiliarFeatures as HIGH severity before the Identity Protection engine has established a behavioural baseline for the account
Chronicle parser version mismatches following Microsoft schema changes to the sign-in log format where risk_level fields are temporarily unmapped and default to empty strings, causing missed detections until the parser is updated

CrowdStrike LogScale (CQL)

cql

// T1586.003 — Compromised Cloud Account Usage
// Requires Azure AD sign-in logs ingested into CrowdStrike LogScale via Azure Event Hub integration
event_source="AzureActiveDirectory" event_type="SignIn" result_type="0"
| risk_level := lower(riskLevelDuringSignIn)
| risk_state := lower(riskState)
| risk_events := lower(riskEventTypes_v2)
| auth_req := lower(authenticationRequirement)
| is_high_risk := if(
    in(field=risk_level, values=["high", "medium"]) or
    in(field=risk_state, values=["atrisk", "confirmedcompromised"]),
    "true", "false")
| has_risky_event := if(
    regex(
      "(impossibletravel|anonymizedipaddress|maliciousipaddress|unfamiliarfeatures|passwordspray|leakedcredentials|nationstateip|riskyipaddress|investigationsthreatintelligence)",
      field=risk_events
    ),
    "true", "false")
| cross_tenant_mfa := if(
    auth_req = "singlefactorauthentication" and
    isNotNull(homeTenantId) and
    homeTenantId != "" and
    homeTenantId != resourceTenantId,
    "true", "false")
| is_high_risk = "true" or has_risky_event = "true" or cross_tenant_mfa = "true"
| threat_score := (if(is_high_risk = "true", 1, 0) + if(has_risky_event = "true", 1, 0) + if(cross_tenant_mfa = "true", 1, 0))
| table(
    [timestamp, userPrincipalName, ipAddress, appDisplayName,
     riskLevelDuringSignIn, riskState, riskEventTypes_v2,
     authenticationRequirement, homeTenantId, resourceTenantId,
     is_high_risk, has_risky_event, cross_tenant_mfa, threat_score],
    limit=1000
  )
| sort(threat_score, order=desc)

high severity medium confidence

Data Sources

Azure Active Directory Sign-in Logs via CrowdStrike LogScale Azure Event Hub Integration

Required Tables

AzureActiveDirectory SignIn events (event_source=AzureActiveDirectory)

False Positives

Cloud-native CI/CD automation pipelines (GitHub Actions, Azure DevOps) using service principals for cross-tenant deployments that authenticate with singleFactorAuthentication because device compliance satisfies the Conditional Access requirement without triggering a second factor at the resource tenant
Corporate outbound proxy infrastructure with egress through anonymisation or privacy-enhancing proxy tiers causing all user sign-ins to appear as anonymizedIPAddress regardless of the actual user location or legitimacy
LogScale Azure integration field name drift following Microsoft Graph API or Azure Monitor schema versioning updates, where riskEventTypes_v2 changes format (e.g. from comma-delimited string to JSON array), causing regex matches to fail silently until the field extraction is corrected

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1586.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Cloud Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections