MITRE ATT&CK® Technique

T1021.007: Cloud Services

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.

Enterprise | T1021.007 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Cloud Services (T1021.007) matters because a compromised enterprise identity can become a bridge from on-premises access into cloud control planes, SaaS, Office suites, and identity provider-connected resources. For leaders, the issue is not just “cloud login”; it is whether the organization can distinguish legitimate federated user activity from adversary lateral movement using valid credentials or application access tokens.

Executive priority

Prioritize this where cloud services are tied to centrally managed or federated identities. The business risk is that an attacker with valid account access may reach management functions or cloud-hosted resources without deploying malware. Executives should ask whether privileged cloud roles are tightly managed, MFA is enforced for critical services, and audit evidence exists to show who accessed cloud services, from where, using what identity or token, and what actions followed.

Technical view

This is a lateral movement sub-technique under Remote Services. ATT&CK describes adversaries logging into accessible cloud services using Valid Accounts synchronized with or federated to on-premises identities, including access through web consoles, cloud CLIs, Cloud API activity, and in some cases application access tokens. SOC and IR teams should validate detection around remote cloud logins via valid accounts, using the related detection strategy DET0008, and correlate identity-provider authentication with cloud audit events and subsequent management actions.

Likely telemetry

  • Identity provider sign-in and federation authentication logs
  • Cloud service console login records
  • Cloud API and CLI authentication/activity logs
  • SaaS and Office Suite audit logs
  • IaaS control plane audit logs

Detection direction

  • Validate that remote cloud logins using federated or synchronized accounts are visible across IaaS, Identity Provider, Office Suite, and SaaS platforms.
  • Correlate successful cloud authentication with subsequent management actions or access to cloud-hosted resources by the same identity.
  • Tune detections for unusual cloud access patterns while accounting for legitimate administrator, automation, and CLI usage.
  • Include application access token usage in detection logic; password-focused monitoring alone may miss this path.
  • Use ATT&CK relationship context cautiously: C0027, APT29, Scattered Spider, and Storm-0501 are mapped as using this technique, but local telemetry is required to determine relevance or exposure.

Mitigation priorities

  • Implement Multi-factor Authentication for critical cloud services and federated identities, consistent with M1032.
  • Apply Privileged Account Management: restrict privileged cloud roles, enforce least privilege/RBAC, monitor privileged account usage, and maintain logging and auditing, consistent with M1026.
  • Prioritize coverage for accounts with access to cloud control planes, SaaS administration, Office Suite administration, and identity-provider administration.
  • Review application access token governance so token-based access is not excluded from account control and audit processes.

Analyst notes and limits

The supplied ATT&CK object has no official detection text, so detection guidance is derived from the behavior description and the related DET0008 detection strategy name. The strongest validation path is end-to-end: identity authentication, cloud login, token use, and cloud management activity tied to the same principal.
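As an added illustration of the end-to-end validation path described above and of the detection direction bullets (correlate sign-in with subsequent management actions; include application access token use), the following is example code, not part of the ATT&CK object or Glexia's analysis. It joins constructed identity-provider sign-in records with constructed cloud audit records per principal, lists the management actions that follow each sign-in, raises severity when the sign-in used an application access token, and reports principals with cloud activity but no sign-in. Field names, event types, the 30-minute window and all sample records are assumptions.

```python
"""Correlate federated sign-ins with cloud console/CLI/API activity per principal.
Added example, not part of the ATT&CK object or Glexia's analysis. Field names,
event types, sample records and the time window are constructed; map them to
your own IdP sign-in and cloud audit schemas before use."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records: an identity-provider sign-in log ...
IDP_SIGNINS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@corp.example",
     "method": "password+mfa", "src": "10.0.5.20"},
    {"ts": "2024-05-01T09:02:00", "user": "bob@corp.example",
     "method": "app_access_token", "src": "203.0.113.9"},
]
# ... and a cloud control-plane audit log (console, CLI and API channels).
CLOUD_AUDIT = [
    {"ts": "2024-05-01T09:01:00", "user": "alice@corp.example",
     "channel": "console", "action": "ListStorageAccounts", "mgmt": False},
    {"ts": "2024-05-01T09:03:30", "user": "bob@corp.example",
     "channel": "cli", "action": "RoleAssignmentCreate", "mgmt": True},
    {"ts": "2024-05-01T09:04:10", "user": "bob@corp.example",
     "channel": "api", "action": "StorageKeyRegenerate", "mgmt": True},
    {"ts": "2024-05-01T12:00:00", "user": "carol@corp.example",
     "channel": "cli", "action": "VmDelete", "mgmt": True},
]
WINDOW = timedelta(minutes=30)  # assumed: activity within 30 min of sign-in

def correlate(signins, audit, window=WINDOW):
    """Build per-principal chains: sign-in -> cloud activity -> management actions."""
    by_user = defaultdict(list)
    for e in audit:
        by_user[e["user"]].append(e)
    findings = []
    for s in signins:
        t0 = datetime.fromisoformat(s["ts"])
        follow = [e for e in by_user[s["user"]]
                  if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        mgmt = [e["action"] for e in follow if e["mgmt"]]
        token = s["method"] == "app_access_token"
        # Token sign-in followed by management actions is the path password-centric monitoring misses.
        severity = "high" if (mgmt and token) else "medium" if mgmt else "low"
        findings.append({"user": s["user"], "token_auth": token,
                         "channels": sorted({e["channel"] for e in follow}),
                         "mgmt_actions": mgmt, "severity": severity})
    return findings

def orphan_activity(signins, audit):
    """Principals with cloud activity but no IdP sign-in: a logging or federation gap."""
    seen = {s["user"] for s in signins}
    return sorted({e["user"] for e in audit if e["user"] not in seen})
```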

This take does not prove active exploitation or coverage in any environment. ATT&CK provides the technique description, platforms, tactics, mitigations, and relationship mappings, but local cloud architecture, logging configuration, identity federation design, and role model determine actual risk and detectability.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1021 | Name: Remote Services | Relationship / procedure: this object is a sub-technique of Remote Services.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Group Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Campaign Enterprise

C0027: C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 005b74067c031fe8...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.1 | Modified: | Status: Current bundle | Raw hash: 005b74067c03…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack T1021.007

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.