T1496.004: Cloud Service Hijacking
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.
For example, adversaries may leverage email and messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio, in order to send large quantities of spam / phishing emails and SMS messages.[1][2][3] Alternatively, they may engage in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted AI models.[4][5]
In some cases, adversaries may leverage services that the victim is already using. In others, particularly when the service is part of a larger cloud platform, they may first enable the service.[4] Leveraging SaaS applications may cause the victim to incur significant financial costs, use up service quotas, and otherwise impact availability.
Analyst context for executives and security teams
Cloud Service Hijacking is a SaaS impact technique where an adversary abuses compromised cloud-based services to consume resources, quotas, or spending capacity. For leaders, the issue is not only account compromise; it is the downstream business effect: unexpected cloud or SaaS charges, exhausted messaging or AI quotas, degraded service availability, and reputational exposure if abused services send spam, phishing, email, SMS, or similar traffic.
Executive priority
Prioritize this where the organization uses SaaS capabilities that can rapidly generate cost or volume, such as email, messaging, notification, SMS, or cloud-hosted AI services. Executives should ask whether finance, cloud, identity, and SOC teams can jointly detect abnormal service enablement, quota consumption, and spending before availability or cost impacts escalate. This behavior also matters for audit and incident readiness because evidence may live across SaaS logs, cloud activity records, billing data, and identity events rather than traditional endpoint telemetry.
Technical view
ATT&CK lists this as an Impact sub-technique for SaaS platforms under Resource Hijacking. The official detection field is not provided, but relationship context states DET0147 detects this object. SOC and detection teams should validate whether they collect the activity needed to recognize abnormal SaaS abuse: sudden increases in email/SMS/notification sending, unexpected use of AI model services, service enablement in a larger cloud platform, quota exhaustion, billing anomalies, and identity activity tied to the accounts or credentials invoking those services. IR teams should be prepared to determine whether the adversary abused an already-used SaaS service or first enabled a service before use.
Likely telemetry
- SaaS application audit logs for service use, configuration changes, and administrative actions
- Cloud platform activity logs showing service enablement or API use where SaaS is part of a larger cloud platform
- Identity and access logs for the accounts, tokens, or credentials invoking the service
- Usage, quota, and rate-limit data for email, messaging, notification, SMS, and cloud-hosted AI services
- Billing, cost-management, and spend-anomaly records
Detection direction
- Validate DET0147 or equivalent logic against the organization’s SaaS services and cloud platforms rather than assuming generic endpoint coverage will observe this behavior.
- Tune for abnormal volume, quota consumption, service enablement, or spending patterns relative to normal business use.
- Correlate SaaS usage spikes with identity events, credential use, and administrative changes to distinguish legitimate campaigns or product workloads from hijacking.
- Include services already in use and services that could be newly enabled, since the ATT&CK description supports both patterns.
- Account for false positives from planned marketing campaigns, customer notifications, load tests, or legitimate AI workloads by integrating business context and change records.
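The Technical view and Detection direction items above describe the signals to combine: per-principal sending or model-invocation volume against a baseline, service enablement followed by use, first-seen identities invoking cost-sensitive services, and suppression by business change records. The following is an added worked example, written for this page and not part of the ATT&CK object, DET0147, or Glexia's own tooling. It runs over constructed CloudTrail-style events (eventTime, eventSource, eventName, userIdentity.arn follow the CloudTrail schema; the AWS API names are real, but the principals, baseline figures, thresholds, and approved-campaign window are all constructed assumptions) and returns findings rather than printing them, so the same logic can be dropped behind a real log feed.

```python
"""Volume / enablement / first-seen detector for T1496.004-style SaaS abuse.
Added example over constructed CloudTrail-style events; all principals,
baselines, thresholds and change records below are made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Real AWS API names for high-volume sending, notification and hosted-model use.
# Which calls count as "cost-sensitive" is an organizational choice (assumption).
COST_SENSITIVE_CALLS = {
    ("ses.amazonaws.com", "SendEmail"),
    ("ses.amazonaws.com", "SendRawEmail"),
    ("sns.amazonaws.com", "Publish"),
    ("bedrock.amazonaws.com", "InvokeModel"),
}
# Calls that set a service up before it can be used at volume (assumed selection).
ENABLEMENT_CALLS = {
    ("ses.amazonaws.com", "CreateEmailIdentity"),
    ("sns.amazonaws.com", "CreateTopic"),
    ("bedrock.amazonaws.com", "PutFoundationModelEntitlement"),
}
# Constructed baseline: highest hourly count of cost-sensitive calls per principal
# observed during a learning period. Principals absent here have no history.
BASELINE_HOURLY_MAX = {
    "arn:aws:iam::111122223333:role/marketing-mailer": 400,
    "arn:aws:iam::111122223333:role/app-notifier": 50,
}
SPIKE_MULTIPLIER = 3     # alert when an hour exceeds 3x the principal's baseline ...
ABSOLUTE_FLOOR = 100     # ... but never for fewer than 100 calls in the hour
ENABLE_TO_USE = timedelta(hours=24)
# Constructed change records: approved high-volume windows (campaigns, load tests).
APPROVED_WINDOWS = [
    ("arn:aws:iam::111122223333:role/marketing-mailer",
     datetime(2024, 9, 25, 9, 0, tzinfo=timezone.utc),
     datetime(2024, 9, 25, 12, 0, tzinfo=timezone.utc)),
]


def parse(event):
    """Pull the fields the rules need out of one CloudTrail-style record."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event["userIdentity"]["arn"], ts, (event["eventSource"], event["eventName"])


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def in_approved_window(principal, when):
    return any(p == principal and start <= when <= end for p, start, end in APPROVED_WINDOWS)


def detect(events):
    """Return a list of finding dicts; each carries the rule name and the evidence."""
    findings, counts, enabled, seen, fired = [], defaultdict(int), {}, set(), set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):   # ISO timestamps sort lexically
        principal, ts, call = parse(ev)
        if call in ENABLEMENT_CALLS:
            enabled.setdefault(principal, ts)
        if call not in COST_SENSITIVE_CALLS:
            continue
        counts[(principal, hour_bucket(ts))] += 1
        # Identity correlation: a principal with no history starts using a paid service.
        if principal not in seen:
            seen.add(principal)
            if principal not in BASELINE_HOURLY_MAX:
                findings.append({"rule": "first_seen_principal", "principal": principal, "at": ts})
        # Enable-then-use: service set up by this principal, then consumed within 24h.
        if principal in enabled and principal not in fired and ts - enabled[principal] <= ENABLE_TO_USE:
            fired.add(principal)
            findings.append({"rule": "enable_then_use", "principal": principal,
                             "enabled_at": enabled[principal], "used_at": ts})
    # Volume rule: hourly count relative to baseline, suppressed by change records.
    for (principal, hour), n in counts.items():
        if in_approved_window(principal, hour):
            continue
        threshold = max(BASELINE_HOURLY_MAX.get(principal, 0) * SPIKE_MULTIPLIER, ABSOLUTE_FLOOR)
        if n > threshold:
            findings.append({"rule": "volume_spike", "principal": principal, "hour": hour,
                             "count": n, "threshold": threshold})
    return findings


def make_event(principal, when, source, name):
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source,
            "eventName": name, "userIdentity": {"arn": principal}}


def sample_events():
    """Constructed day of activity: an approved campaign, a notifier spike, and a
    previously unseen user who enables Bedrock model access and starts invoking it."""
    t0 = datetime(2024, 9, 25, tzinfo=timezone.utc)
    mailer = "arn:aws:iam::111122223333:role/marketing-mailer"
    notifier = "arn:aws:iam::111122223333:role/app-notifier"
    ci = "arn:aws:iam::111122223333:user/ci-deploy"   # constructed, no baseline
    ev = [make_event(mailer, t0 + timedelta(hours=10, seconds=i), "ses.amazonaws.com", "SendEmail") for i in range(900)]
    ev += [make_event(notifier, t0 + timedelta(hours=14, seconds=i), "sns.amazonaws.com", "Publish") for i in range(260)]
    ev.append(make_event(ci, t0 + timedelta(hours=2, minutes=10), "bedrock.amazonaws.com", "PutFoundationModelEntitlement"))
    ev += [make_event(ci, t0 + timedelta(hours=2, minutes=15 + i), "bedrock.amazonaws.com", "InvokeModel") for i in range(40)]
    return ev


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f)
```

On the constructed input the marketing role's 900 sends are suppressed by the approved window, the notifier's 260 publishes in one hour exceed its 150-call threshold, and the unseen `ci-deploy` user trips both the first-seen and enable-then-use rules while staying under the volume floor, which is the point of combining the rules: low-volume LLMjacking-style use shows up through identity and enablement context before it shows up in billing.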
Mitigation priorities
- Inventory SaaS services capable of high-volume sending, notification, SMS, AI, or other resource-intensive activity.
- Restrict who can enable or administer these services and review permissions for accounts, tokens, and integrations that can generate high-cost usage.
- Set practical quotas, rate limits, budgets, alerts, and approval workflows where supported by the SaaS or cloud platform.
- Ensure incident response playbooks include containment of abused SaaS credentials, review of service configuration, quota/billing impact assessment, and communication with service owners.
- Use billing and usage monitoring as a security signal, not only a finance control.
Analyst notes and limits
This object is a SaaS-focused sub-technique of Resource Hijacking and is mapped to the Impact tactic. The supplied examples include abuse of email, notification, SMS, and cloud-hosted AI model services, including cases where a service may be newly enabled before abuse. The relationship to DET0147 is useful for detection engineering triage, but local control validation is still required.
MITRE does not provide an official detection paragraph for this object in the supplied fields. No specific mitigations, procedures, or platform details beyond SaaS are supplied. This take therefore avoids claiming active exploitation, attribution, guaranteed detection, or coverage for any specific provider environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1496 | Resource Hijacking | This object is a sub-technique of Resource Hijacking. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c200821b03f7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Invictus IR DangerDev 2024. Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.
[2] Permiso SES Abuse 2023. Nathan Eades. (2023, January 12). SES-pionage. Retrieved September 25, 2024.
[3] SentinelLabs SNS Sender 2024. Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
[4] Sysdig LLMJacking 2024. Alessandro Brucato. (2024, May 6). LLMjacking: Stolen Cloud Credentials Used in New AI Attack. Retrieved September 25, 2024.
[5] Lacework LLMJacking 2024. Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts. Retrieved September 25, 2024.
[6] mitre-attack T1496.004.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.