title: Cloud Accounts (T1586.003)
id: df00tech-t1586-003
status: experimental
description: "Adversaries may compromise cloud accounts to use during targeting operations. Compromised cloud accounts (Azure, AWS, GCP, Dropbox, OneDrive, GitHub) allow adversaries to leverage trusted third-party infrastructure for command and control, exfiltration to cloud storage, sending phishing or spam via cloud messaging services (AWS SES/SNS, SendGrid, Twilio), and acquiring additional cloud infrastructure without managing their own servers. Compromise methods include phishing for cloud credentials, password spraying, purchasing leaked credential sets from criminal markets, or stealing OAuth access tokens. APT29 has been observed using compromised Azure Virtual Machine accounts with residential proxies to obfuscate access to victim environments. This is a PRE-ATT&CK technique — the initial account compromise occurs outside the victim environment on third-party cloud platforms. Detection pivots to observable downstream effects: anomalous authentication events in cloud identity provider logs, risk signals from Identity Protection engines, MFA bypass indicators, and post-compromise behaviors such as bulk cloud storage access or cloud messaging API abuse."
references:
  - https://attack.mitre.org/techniques/T1586/003/
  - https://df00tech.com/detections/T1586.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1586.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every record and must not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate business travel — users authenticating from new geographic regions trigger impossibleTravel and unfamiliarFeatures risk events; correlate against HR travel records or user-submitted travel notifications"
  - "Corporate VPN or proxy services routing authentication traffic through anonymizing or geographically unexpected IP ranges, triggering anonymizedIPAddress or unfamiliarFeatures events"
  - "Automated service accounts and CI/CD pipelines authenticating from cloud-hosted build agents (GitHub Actions, Azure DevOps) with IP ranges that Identity Protection classifies as anomalous or associated with hosting providers"
  - "Cross-tenant guest access patterns for legitimate B2B collaboration where users regularly authenticate to partner tenant resources using single-factor authentication under legacy conditional access policies"
level: high
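As an added example (not part of the df00tech rule or its KQL/SPL query), the following Python triages a constructed batch of Entra ID Identity Protection riskDetection records along the lines the description and falsepositives entries sketch: it suppresses egress-explainable risk types coming from hypothetical allowlisted corporate VPN and CI/CD build-agent ranges, and escalates users whose unsuppressed risk signals stack. Field names follow the Microsoft Graph riskDetection resource; the allowlist networks, user names and the escalation threshold are assumptions.

```python
"""Triage Microsoft Entra ID Identity Protection riskDetection records for T1586.003.
Constructed sample data; allowlist ranges and the escalation threshold are hypothetical."""
import ipaddress
from collections import defaultdict

# Risk event types this rule's description and false-positive notes refer to.
COMPROMISE_RISK_TYPES = {"impossibleTravel", "unfamiliarFeatures", "anonymizedIPAddress",
                         "leakedCredentials", "passwordSpray"}
# Risk types that corporate VPN/proxy or build-agent egress can legitimately trigger.
EGRESS_EXPLAINABLE = {"unfamiliarFeatures", "anonymizedIPAddress", "impossibleTravel"}
# Hypothetical analyst-maintained allowlist: corporate VPN egress and CI/CD build-agent ranges.
KNOWN_EGRESS = {"corp-vpn": ipaddress.ip_network("203.0.113.0/24"),
                "ci-build-agents": ipaddress.ip_network("198.51.100.0/25")}

def egress_label(ip):
    """Name of the allowlisted egress range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((label for label, net in KNOWN_EGRESS.items() if addr in net), None)

def triage(records):
    """Return (userPrincipalName, verdict, reason) per record. Verdict is 'suppress' or a
    severity; a user with two or more distinct unsuppressed risk types is escalated to 'high'."""
    per_user = defaultdict(set)
    verdicts = []
    for r in records:
        rtype, user = r["riskEventType"], r["userPrincipalName"]
        if rtype not in COMPROMISE_RISK_TYPES:
            continue
        label = egress_label(r["ipAddress"])
        if label and rtype in EGRESS_EXPLAINABLE:
            verdicts.append((user, "suppress", f"{rtype} from known egress {label}"))
            continue
        per_user[user].add(rtype)
        verdicts.append((user, r.get("riskLevel", "medium"), rtype))
    # Stacked signals (e.g. leaked credentials plus an anonymized IP) outrank the per-event riskLevel.
    return [(u, "high" if v != "suppress" and len(per_user[u]) >= 2 else v, why)
            for u, v, why in verdicts]

# Constructed sample batch in the shape of Graph riskDetection resources.
SAMPLE = [
    {"userPrincipalName": "alice@example.com", "riskEventType": "unfamiliarFeatures",
     "ipAddress": "203.0.113.42", "riskLevel": "low"},
    {"userPrincipalName": "build-svc@example.com", "riskEventType": "anonymizedIPAddress",
     "ipAddress": "198.51.100.7", "riskLevel": "medium"},
    {"userPrincipalName": "bob@example.com", "riskEventType": "leakedCredentials",
     "ipAddress": "192.0.2.10", "riskLevel": "medium"},
    {"userPrincipalName": "bob@example.com", "riskEventType": "anonymizedIPAddress",
     "ipAddress": "192.0.2.99", "riskLevel": "medium"},
]
```

Running `triage(SAMPLE)` suppresses alice's VPN sign-in and the build agent's detection as allowlisted egress, while bob's two unrelated risk types from non-allowlisted addresses are both escalated to high.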
