DET0846: Detection of Cloud Accounts
Analyst context for executives and security teams
DET0846 is a MITRE detection strategy for identifying adversary-created cloud accounts associated with ATT&CK technique T1585.003, Cloud Accounts. Its business significance is that this behavior happens before or alongside targeting: an adversary may use legitimate cloud providers or cloud storage services to stage tools, support infrastructure, or enable later exfiltration. For leaders, the key issue is not a single alert type; it is whether the organization can recognize suspicious use of trusted cloud services when the account involved is outside its own administrative control and its provider-side records are not visible to it.
Executive priority
Treat this as a resilience and visibility question for cloud/SaaS risk, incident response, and SOC readiness. Because the ATT&CK object has no official detection text or platform scope, executives should ask whether teams can distinguish approved business use of cloud storage and cloud-hosted infrastructure from suspicious external resources used in targeting. This supports budget and control decisions around egress visibility, threat intelligence enrichment, cloud service governance, and IR playbooks for cloud-hosted adversary infrastructure.
Technical view
This detection strategy maps to T1585.003 under Resource Development and the PRE platform context. The related technique describes adversaries creating cloud provider accounts for operations, including use of services such as Dropbox, MEGA, Microsoft OneDrive, and AWS S3 buckets for exfiltration to cloud storage or for uploading tools. SOC and detection engineering teams should validate whether they can observe interactions with external cloud storage and cloud-hosted resources, enrich those observations with reputation and ownership context (is this our tenant or bucket, or someone else's?), and pivot during investigations from observed URLs, buckets, tenants, domains, or account-linked artifacts to related infrastructure. Because the official ATT&CK detection field is not provided, local detection logic must be derived from the organization's environment and acceptable-use baseline.
Likely telemetry
- Proxy, secure web gateway, or network egress logs showing access to cloud storage and cloud-hosted resources
- DNS and URL telemetry for cloud service domains, object storage paths, and externally hosted resources
- Cloud access security, SaaS, or cloud governance logs where available for sanctioned cloud service usage
- Endpoint or server telemetry showing downloads/uploads involving cloud storage services
- Incident response artifacts containing cloud-hosted URLs, buckets, shared links, or provider account references
Detection direction
- Start by inventorying which logs can show user, host, destination, URL/path, volume, and timing for cloud storage and cloud-hosted infrastructure access.
- Baseline sanctioned cloud service usage so detections do not treat all Dropbox, MEGA, OneDrive, or S3 activity as malicious by default.
- Tune for investigation value: unusual cloud storage destinations, unexpected object storage access, suspicious upload/download patterns, or cloud-hosted resources associated with other case evidence.
- Expect blind spots where adversary cloud accounts are outside the organization’s tenant; provider-side account creation records will usually not be available to the defender.
- Correlate cloud-resource indicators with related behaviors such as tool staging or exfiltration rather than relying on the existence of a cloud account alone.
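The following is an added worked example, not part of the MITRE object or of this page's mirrored content. It implements the inventory-baseline-tune loop above and the pivot described in the technical view: it parses a constructed egress-log format (timestamp, user, source IP, method, URL, bytes out, status), normalises each URL to a pivotable destination (an S3 bucket name recovered from either virtual-hosted or path-style URLs, otherwise the hostname), checks it against an assumed acceptable-use baseline (a hypothetical `contoso` Microsoft 365 tenant and one approved bucket), and reports only unsanctioned destinations, separating bulk uploads from downloads that may indicate tool staging. The provider hostnames, the sanctioned set, the 50 MiB threshold and all log lines are assumptions for illustration.

```python
"""Triage egress-log lines for unsanctioned cloud-storage use (added example).

Log format, sanctioned baseline, hostnames and threshold are all assumed; the
log lines below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Services named in the T1585.003 description and the hostnames they serve
# from (assumed list; extend it from your own proxy telemetry).
CLOUD_STORAGE_SUFFIXES = (
    "dropbox.com", "dropboxusercontent.com",            # Dropbox
    "mega.nz", "mega.io", "mega.co.nz",                 # MEGA
    "onedrive.live.com", "1drv.ms", "sharepoint.com",   # OneDrive / SharePoint
    "amazonaws.com",                                    # S3
)
# Assumed acceptable-use baseline: the corporate tenant and one approved bucket
# are sanctioned; any other cloud-storage destination is not.
SANCTIONED_HOSTS = {"contoso-my.sharepoint.com", "contoso.sharepoint.com"}
SANCTIONED_BUCKETS = {"contoso-backups"}
UPLOAD_METHODS = {"POST", "PUT"}
BULK_UPLOAD_BYTES = 50 * 1024 * 1024  # assumed: 50 MiB per user and destination

# Virtual-hosted (bucket.s3.region.amazonaws.com) and path-style
# (s3.region.amazonaws.com/bucket/...) endpoints; bucket names with dots are
# not handled by this simplified pattern.
_S3_HOST = re.compile(r"^(?:(?P<bucket>[^.]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket(url):
    """Return the bucket name for an S3 URL in either style, or None if not S3."""
    u = urlparse(url)
    m = _S3_HOST.match(u.hostname or "")
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket")
    return u.path.lstrip("/").split("/", 1)[0] or None


def destination(url):
    """Normalise a URL to ('s3://bucket' or hostname, sanctioned?) or None if
    the host is not a known cloud-storage service."""
    host = (urlparse(url).hostname or "").lower()
    if not any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
        return None
    bucket = s3_bucket(url)
    if bucket:
        return "s3://" + bucket, bucket in SANCTIONED_BUCKETS
    return host, host in SANCTIONED_HOSTS


def parse_line(line):
    """Constructed format: ts user src_ip method url bytes_out status."""
    ts, user, src_ip, method, url, bytes_out, status = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method.upper(),
            "url": url, "bytes": int(bytes_out), "status": int(status)}


def triage(lines):
    """Aggregate per (user, destination); alert only on unsanctioned destinations.
    Sanctioned usage is the baseline and is deliberately not reported."""
    totals = defaultdict(lambda: {"up": 0, "down": 0, "urls": set()})
    sanctioned = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        d = destination(ev["url"])
        if d is None:
            continue
        dest, ok = d
        key = (ev["user"], dest)
        sanctioned[key] = ok
        direction = "up" if ev["method"] in UPLOAD_METHODS else "down"
        totals[key][direction] += ev["bytes"]
        totals[key]["urls"].add(ev["url"])
    findings = []
    for (user, dest), t in sorted(totals.items()):
        if sanctioned[(user, dest)]:
            continue
        if t["up"] >= BULK_UPLOAD_BYTES:
            reason = "bulk upload to unsanctioned cloud storage (possible exfiltration)"
        elif t["up"]:
            reason = "upload to unsanctioned cloud storage"
        else:
            reason = "download from unsanctioned cloud storage (possible tool staging)"
        findings.append({"user": user, "destination": dest, "bytes_up": t["up"],
                         "bytes_down": t["down"], "reason": reason,
                         "pivot_urls": sorted(t["urls"])})
    return findings


def pivot_artifacts(findings):
    """Destinations to enrich with threat intel and pivot on during IR."""
    return sorted({f["destination"] for f in findings})


# Constructed sample: one sanctioned bulk upload (alice), one user pushing the
# same unsanctioned bucket via both S3 URL styles plus MEGA (bob), one download
# from a Dropbox share link (carol), and unrelated web traffic (dave).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z alice 10.1.4.22 GET https://contoso-my.sharepoint.com/personal/alice/Documents/q2.xlsx 2048 200
2024-05-02T09:16:41Z alice 10.1.4.22 PUT https://contoso-my.sharepoint.com/personal/alice/Documents/q2.xlsx 73400320 200
2024-05-02T22:05:10Z bob 10.1.7.15 POST https://mega.nz/upload 83886080 200
2024-05-02T22:07:55Z bob 10.1.7.15 PUT https://data-drop-7f3.s3.eu-west-1.amazonaws.com/archive/part1.7z 41943040 200
2024-05-02T22:09:12Z bob 10.1.7.15 PUT https://s3.eu-west-1.amazonaws.com/data-drop-7f3/archive/part2.7z 41943040 200
2024-05-02T23:30:00Z carol 10.1.9.8 GET https://www.dropbox.com/s/abc123/tooling.zip?dl=1 5242880 200
2024-05-02T23:31:00Z dave 10.1.9.9 GET https://www.example.com/index.html 1024 200
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['user']:6} {f['destination']:22} up={f['bytes_up']:>9} "
              f"down={f['bytes_down']:>8}  {f['reason']}")
    print("pivot on:", pivot_artifacts(results))
```

Two design points matter here. Both of bob's S3 URL styles collapse to the same `s3://data-drop-7f3` destination, so the per-bucket volume crosses the threshold even though no single request does; a detection keyed on raw hostnames would have split it. And alice's 70 MiB upload is never reported because the destination is on the baseline, which is the tuning the list above asks for: the alert is about where the data went, not that cloud storage was used.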
Mitigation priorities
- Define and enforce policy for approved cloud storage and cloud-hosted collaboration services.
- Prioritize egress visibility and logging that preserves enough detail for IR pivots, including destination, URL, user, device, and transfer context where available.
- Use allowlists, risk-based controls, or review workflows for unsanctioned cloud storage and object storage access where business operations permit.
- Integrate threat intelligence enrichment into SOC workflows for cloud-hosted URLs, buckets, and shared links seen in alerts or investigations.
- Ensure incident response playbooks include procedures for collecting cloud-service access evidence and handling suspected tool staging or exfiltration via external cloud accounts.
Analyst notes and limits
This ATT&CK object is a detection strategy, not a technique, and it detects T1585.003 Cloud Accounts. The supplied object has no official description, no official detection guidance, no tactics, and no platforms of its own. The practical guidance above is therefore derived from the stated relationship to Cloud Accounts and the related technique description mentioning cloud storage services and cloud provider accounts.
Coverage cannot be asserted from the ATT&CK fields provided. The object does not specify detection analytics, data sources, platforms, mitigations, or procedure examples. Local environment evidence is required to determine whether relevant cloud, network, SaaS, endpoint, and threat intelligence telemetry exists and is usable.
Detection of Cloud Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1585.003 | Cloud Accounts (sub-technique) | This object detects Cloud Accounts. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bec79a663ebc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0846 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.