title: Cloud Accounts (T1078.004)
id: df00tech-t1078-004
status: experimental
description: "Valid cloud accounts may be leveraged by adversaries to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion in cloud environments. Adversaries may obtain cloud credentials through phishing, brute force, credential theft from endpoints, or by compromising on-premises identity infrastructure federated with cloud services. Once in possession of valid credentials, adversaries can authenticate to cloud management planes (Azure, AWS, GCP), SaaS applications (Microsoft 365, Google Workspace), or identity providers (Entra ID, Okta) and operate as legitimate users. Techniques include abusing service principals, managed identities, OAuth tokens, and API keys to maintain persistence and move laterally across cloud resources."
references:
  - https://attack.mitre.org/techniques/T1078/004/
  - https://df00tech.com/detections/T1078.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1078.004
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The signals described under falsepositives (new locations, legacy auth, service
# principal source IPs) come from sign-in logs, so Sigma's Azure taxonomy would
# normally pair product: azure with service: signinlogs here.
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # WARNING: the selection below is a catch-all placeholder, not detection logic. It
  # matches every event and, together with level: high, will alert on all Azure
  # events if the rule is loaded unmodified. Replace it with the translated query
  # before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate business travelers or remote workers authenticating from foreign countries or new locations for the first time
  - Legacy applications or shared mailbox access that legitimately use basic authentication protocols not yet migrated to modern auth
  - Service principals deployed across multi-region infrastructure may authenticate from multiple IP addresses legitimately
  - Helpdesk or break-glass accounts accessed from admin workstations in unusual locations during incident response
  - VPN or proxy usage causing sign-ins to appear from unexpected geographic locations
level: high
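# The rule above ships with a placeholder selection, so the following is an added
# prototype, not df00tech's query and not part of the original rule. It runs the
# three sign-in signals implied by the falsepositives list over constructed
# Entra ID sign-in records: a user signing in from a country outside their
# baseline, successful sign-ins over legacy protocols, and a service principal
# seen from several IPs outside its expected infrastructure. Each check carries
# the suppression the corresponding false positive calls for (VPN/proxy egress
# ranges, a legacy-auth allowlist, known infrastructure ranges). Field names
# approximate the flattened Entra ID sign-in schema and, together with the
# sample records, baselines, IP ranges and names, are assumptions made for the
# example.

```python
"""Prototype checks for T1078.004 sign-in signals (added example, not df00tech's query).

Field names approximate the flattened Entra ID sign-in log schema (assumption);
all records, baselines and ranges below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# clientAppUsed values Entra ID reports for legacy (non-modern-auth) protocols.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
}

# Constructed sample records (not real logs). errorCode 0 is a successful sign-in;
# service principal sign-ins carry servicePrincipalName instead of userPrincipalName.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "country": "US", "clientAppUsed": "Browser", "errorCode": 0},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "country": "RO", "clientAppUsed": "Browser", "errorCode": 0},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5",
     "country": "DE", "clientAppUsed": "Browser", "errorCode": 0},
    {"userPrincipalName": "shared-mbx@example.com", "ipAddress": "203.0.113.20",
     "country": "US", "clientAppUsed": "IMAP4", "errorCode": 0},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.21",
     "country": "US", "clientAppUsed": "IMAP4", "errorCode": 0},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.9",
     "country": "BR", "clientAppUsed": "Browser", "errorCode": 50126},
    {"servicePrincipalName": "ci-runner", "ipAddress": "203.0.113.30", "errorCode": 0},
    {"servicePrincipalName": "ci-runner", "ipAddress": "203.0.113.31", "errorCode": 0},
    {"servicePrincipalName": "backup-agent", "ipAddress": "198.51.100.60", "errorCode": 0},
    {"servicePrincipalName": "backup-agent", "ipAddress": "198.51.100.61", "errorCode": 0},
    {"servicePrincipalName": "backup-agent", "ipAddress": "192.0.2.200", "errorCode": 0},
]

# Tuning inputs a SOC would maintain; hypothetical values.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US"},
    "dave@example.com": {"US"}, "shared-mbx@example.com": {"US"},
}
VPN_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]          # corporate VPN/proxy egress
LEGACY_AUTH_ALLOWLIST = {"shared-mbx@example.com"}            # not yet migrated to modern auth
SP_INFRA_RANGES = [ipaddress.ip_network("203.0.113.0/27")]    # where service principals run


def in_ranges(ip, ranges):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def new_country_signins(events, known_countries, vpn_egress):
    """Successful user sign-ins from a country outside the user's baseline.
    Sign-ins from corporate VPN/proxy egress are suppressed (listed false positive)."""
    findings = []
    for e in events:
        upn = e.get("userPrincipalName")
        if upn is None or e["errorCode"] != 0 or in_ranges(e["ipAddress"], vpn_egress):
            continue
        if e["country"] not in known_countries.get(upn, set()):
            findings.append((upn, e["country"], e["ipAddress"]))
    return findings


def legacy_auth_signins(events, allowlist):
    """Successful sign-ins over legacy protocols, minus accounts known to need them."""
    return [(e["userPrincipalName"], e["clientAppUsed"]) for e in events
            if e.get("userPrincipalName") and e["errorCode"] == 0
            and e["clientAppUsed"] in LEGACY_CLIENT_APPS
            and e["userPrincipalName"] not in allowlist]


def multi_ip_service_principals(events, infra_ranges, threshold=2):
    """Service principals seen from at least `threshold` distinct IPs outside their
    expected infrastructure; multi-region deployments are excluded via infra_ranges."""
    ips = defaultdict(set)
    for e in events:
        sp = e.get("servicePrincipalName")
        if sp and e["errorCode"] == 0 and not in_ranges(e["ipAddress"], infra_ranges):
            ips[sp].add(e["ipAddress"])
    return {sp: sorted(addrs) for sp, addrs in ips.items() if len(addrs) >= threshold}


def run(events=SIGN_INS):
    """Run all three checks and return the findings per signal."""
    return {
        "new_country": new_country_signins(events, KNOWN_COUNTRIES, VPN_EGRESS),
        "legacy_auth": legacy_auth_signins(events, LEGACY_AUTH_ALLOWLIST),
        "sp_multi_ip": multi_ip_service_principals(events, SP_INFRA_RANGES),
    }


if __name__ == "__main__":
    for signal, hits in run().items():
        print(signal, hits)
```

# On the constructed data this flags alice's sign-in from RO, carol's IMAP4 sign-in
# and backup-agent's three unexpected source IPs, while bob (VPN egress), the shared
# mailbox (allowlisted), dave (failed sign-in) and ci-runner (known infrastructure)
# are suppressed. The remaining listed false positive, break-glass accounts used
# during incident response, is best handled by a time-boxed exception rather than
# a permanent allowlist.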
