title: Cloud Accounts (T1585.003)
id: df00tech-t1585-003
status: experimental
description: "Adversaries may create accounts with cloud providers to support operations, including leveraging cloud storage (Dropbox, MEGA, OneDrive, AWS S3) for exfiltration or tool hosting, and using cloud infrastructure for C2. Cloud accounts may be created to impersonate legitimate services — Storm-1811 is documented creating Microsoft Teams accounts spoofing IT helpdesk personas to conduct vishing attacks. Detection must focus on observable usage of adversary-controlled cloud accounts within the victim environment, since the account creation itself occurs externally."
references:
  - https://attack.mitre.org/techniques/T1585/003/
  - https://df00tech.com/detections/T1585.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1585.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate third-party IT support vendors or MSPs contacting employees via Teams with support-themed display names
  - "Employees voluntarily consenting to approved cloud storage integrations (Dropbox for Business, Box enterprise) for productivity purposes"
  - Guest contractors or partners signing in from international locations for legitimate business collaboration
  - Security awareness training vendors simulating vishing via Teams with IT impersonation personas
level: high
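
The rule body above is a placeholder, so here is an added example (written for this page, not df00tech's own KQL/SPL logic) of the two observable-usage patterns the description names: external Teams senders whose display name mimics an IT/helpdesk persona, and bulk outbound transfers to consumer cloud-storage hosts. The record fields (`sender_tenant`, `sender_display_name`, `dest_host`, `bytes_out`), the domain list, the trusted-tenant/allow-list values and the byte threshold are all constructed assumptions, not a real product schema; the allow-list models the "approved Dropbox for Business" false positive listed above.

```python
"""Heuristic detection of adversary-controlled cloud-account *usage*.

Added example for T1585.003; the log record shapes below are constructed
and simplified, not a real Microsoft 365 / EDR schema.
"""
import re
from dataclasses import dataclass

# Display-name fragments typical of IT-helpdesk impersonation personas.
HELPDESK_PATTERN = re.compile(
    r"\b(help ?desk|service ?desk|it support|it dept|it team)\b", re.IGNORECASE
)

# Consumer/self-service cloud storage named in the technique description.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com", "mega.nz", "mega.io", "onedrive.live.com", "s3.amazonaws.com",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def is_cloud_storage(host: str) -> bool:
    """True if host is one of the listed storage domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def check_teams_messages(messages, trusted_tenants):
    """Flag external-tenant senders using helpdesk-style display names."""
    findings = []
    for m in messages:
        if m["sender_tenant"] in trusted_tenants:
            continue  # home tenant or vetted partner/MSP tenant
        if HELPDESK_PATTERN.search(m["sender_display_name"]):
            findings.append(Finding("teams_external_helpdesk_persona",
                                    m["sender"], m["sender_display_name"]))
    return findings


def check_network_connections(conns, byte_threshold, allow_listed_hosts):
    """Aggregate bytes_out per (source, storage host) and flag bulk uploads."""
    totals = {}
    for c in conns:
        if not is_cloud_storage(c["dest_host"]) or c["dest_host"] in allow_listed_hosts:
            continue
        key = (c["src_host"], c["dest_host"])
        totals[key] = totals.get(key, 0) + c["bytes_out"]
    return [Finding("cloud_storage_bulk_upload", src, f"{dst}: {total} bytes out")
            for (src, dst), total in totals.items() if total >= byte_threshold]


# --- constructed sample data ------------------------------------------------
SAMPLE_TEAMS = [
    {"sender": "jane@corp.example", "sender_tenant": "corp-tenant",
     "sender_display_name": "Jane Doe"},
    {"sender": "support@partner.example", "sender_tenant": "partner-tenant",
     "sender_display_name": "IT Support"},          # vetted MSP, allow-listed
    {"sender": "helpdesk@outlook.example", "sender_tenant": "unknown-tenant",
     "sender_display_name": "IT Help Desk"},        # impersonation persona
]

SAMPLE_CONNS = [
    {"src_host": "ws01", "dest_host": "mega.nz", "bytes_out": 300_000_000},
    {"src_host": "ws01", "dest_host": "mega.nz", "bytes_out": 250_000_000},
    {"src_host": "ws02", "dest_host": "www.dropbox.com", "bytes_out": 2_000_000_000},
    {"src_host": "ws03", "dest_host": "s3.amazonaws.com", "bytes_out": 5_000},
    {"src_host": "ws03", "dest_host": "example.com", "bytes_out": 900_000_000},
]


def run_sample():
    """Run both checks over the constructed data; returns (teams, network) findings."""
    teams = check_teams_messages(SAMPLE_TEAMS, trusted_tenants={"corp-tenant", "partner-tenant"})
    net = check_network_connections(SAMPLE_CONNS, byte_threshold=500_000_000,
                                    allow_listed_hosts={"www.dropbox.com"})
    return teams, net


if __name__ == "__main__":
    for f in (*run_sample()[0], *run_sample()[1]):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Aggregating `bytes_out` per source/destination pair matters because a single large upload is often split across many connections; the per-tenant allow-list keeps legitimate MSP and partner helpdesks out of the alert stream.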
