MITRE ATT&CK® Technique

T1585.003: Cloud Accounts

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[1]

Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.

Enterprise · T1585.003 · Sub-technique · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Cloud Accounts is a pre-compromise resource development technique: adversaries create accounts with cloud providers to support later targeting, whether for hosting, storage, tooling, or infrastructure. The business problem is that the resulting traffic looks like ordinary use of trusted cloud services, so exposure depends largely on whether the organization can tell legitimate business cloud usage apart from suspicious cloud-hosted delivery, storage, or command-and-control patterns when they touch the enterprise environment.

Executive priority

Prioritize this as a readiness and visibility problem rather than a single control problem. Leaders should ask whether security teams have evidence for cloud-service interactions across email, web, endpoint, and network paths, and whether IR playbooks account for adversary-owned cloud accounts used for exfiltration, tool staging, or infrastructure acquisition. This also supports audit and compliance discussions around acceptable cloud use, monitoring of sanctioned versus unsanctioned services, and pre-compromise risk reduction under M1056 Pre-compromise.

Technical view

ATT&CK places this sub-technique under T1585 Establish Accounts in the Resource Development tactic on the PRE platform. The mirrored object carries no detection text of its own, but it is related to detection strategy DET0846 (Detection of Cloud Accounts). SOC and detection teams should validate that they can observe interactions with cloud storage and cloud-hosted infrastructure (Dropbox, MEGA, Microsoft OneDrive, AWS S3 buckets, virtual private servers, serverless platforms) when those interactions originate from enterprise assets or identities; the adversary's own account creation and console activity are not visible to the victim. IR teams should treat cloud-hosted links, staged tools, and unexpected cloud storage destinations as context to preserve during phishing, exfiltration, and malware investigations.

Likely telemetry

  • Web proxy, secure web gateway, or firewall logs showing access to public cloud storage and cloud-hosted infrastructure
  • DNS logs for cloud storage, object storage, VPS, and serverless service domains contacted by enterprise systems
  • Email security logs for messages containing cloud-hosted file links or references to cloud services
  • Endpoint telemetry showing downloads, uploads, or execution of tools obtained from cloud-hosted locations
  • Cloud access logs from organization-managed tenants to distinguish sanctioned usage from unexpected external cloud destinations

Detection direction

  • Baseline normal business use of major cloud storage and infrastructure providers before treating cloud-provider traffic as suspicious, because these services are common and false positives can be high.
  • Correlate cloud-hosted links or storage access with phishing reports, new process execution, unusual download behavior, or potential exfiltration paths rather than relying on domain reputation alone.
  • Validate coverage for both sanctioned and unsanctioned cloud services; a common blind spot is monitoring only the organization’s managed cloud tenant while missing access to adversary-controlled external accounts.
  • Use relationship context carefully: the technique is associated in ATT&CK with campaigns and a group, but that does not by itself establish local exposure or active targeting.
  • Review DET0846 content, if available in the local ATT&CK-derived knowledge base, for specific analytic logic because the supplied ATT&CK object does not include official detection details.
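The detection direction above comes down to three decisions per event: is the destination a cloud storage service, is it one of the organization's own tenants, and does the interaction look like tool staging or exfiltration. The script below is an added example, not code from the ATT&CK object or from Glexia's library; it runs that logic over a few constructed web-proxy log lines and then groups hits by source host, which is the correlation step the bullets call for. The log format, the provider suffix list, the sanctioned hostnames (contoso-my.sharepoint.com, corp-artifacts.s3.amazonaws.com), the 50 MiB upload threshold and the function names are all assumptions chosen for illustration.

```python
"""Added example (not from the ATT&CK object or the Glexia library): triage
constructed web-proxy log lines for traffic to cloud storage outside the
organization's sanctioned tenants. Formats, thresholds and hostnames are assumed."""
from urllib.parse import urlsplit

# Hostname suffixes for the storage services named in the technique text.
# Illustrative, not exhaustive; S3 endpoints are handled separately below.
CLOUD_STORAGE_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "mega.nz": "MEGA",
    "mega.co.nz": "MEGA",
    "sharepoint.com": "Microsoft OneDrive/SharePoint",
    "onedrive.live.com": "Microsoft OneDrive",
    "1drv.ms": "Microsoft OneDrive",
}

# Assumed business-approved tenants and buckets (exact hostnames).
SANCTIONED_HOSTS = {
    "contoso-my.sharepoint.com",
    "contoso.sharepoint.com",
    "corp-artifacts.s3.amazonaws.com",
}

UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024   # assumed; derive from your own baseline
TOOL_EXTENSIONS = (".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs", ".js")

# Constructed sample log. Fields: timestamp src_host user method url status bytes_sent bytes_received
PROXY_LOG = """\
2024-05-01T09:01:10Z WS-0142 alice GET https://contoso-my.sharepoint.com/personal/alice/Documents/q2.xlsx 200 512 88412
2024-05-01T09:05:33Z WS-0142 alice POST https://content.dropboxapi.com/2/files/upload 200 734003200 210
2024-05-01T09:06:02Z WS-0077 bob GET https://mega.nz/file/AbCdEf12 200 600 3100000
2024-05-01T09:06:40Z WS-0077 bob GET https://unknown-bucket.s3.amazonaws.com/tools/update.exe 200 480 2100000
2024-05-01T09:07:00Z WS-0301 carol GET https://contoso-my.sharepoint.com/personal/carol/Documents/notes.docx 200 400 20000
2024-05-01T09:08:15Z WS-0301 carol PUT https://corp-artifacts.s3.amazonaws.com/build/app.tar.gz 200 52428800 200
2024-05-01T09:09:00Z WS-0301 carol GET https://example.com/index.html 200 300 1500
"""


def classify_host(host: str):
    """Return the provider name for a cloud storage hostname, else None."""
    host = host.lower()
    for suffix, provider in CLOUD_STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    # S3 virtual-hosted and path-style endpoints: bucket.s3.amazonaws.com,
    # bucket.s3.<region>.amazonaws.com, bucket.s3-<region>.amazonaws.com, s3.amazonaws.com
    if host.endswith(".amazonaws.com") and (host.startswith("s3.") or ".s3." in host or ".s3-" in host):
        return "AWS S3"
    return None


def parse_line(line: str) -> dict:
    ts, src, user, method, url, status, sent, received = line.split()
    return {"ts": ts, "src": src, "user": user, "method": method, "url": url,
            "status": int(status), "sent": int(sent), "received": int(received)}


def triage(log_text: str) -> list:
    """Flag interactions with cloud storage outside the sanctioned tenants."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        parts = urlsplit(ev["url"])
        host = (parts.hostname or "").lower()
        provider = classify_host(host)
        if provider is None:
            continue                      # not a cloud storage service
        if host in SANCTIONED_HOSTS:
            continue                      # approved tenant/bucket: baseline traffic, not an alert
        finding = {"src": ev["src"], "user": ev["user"], "provider": provider, "url": ev["url"]}
        if ev["method"] in ("POST", "PUT") and ev["sent"] >= UPLOAD_BYTES_THRESHOLD:
            finding.update(rule="bulk_upload_to_unsanctioned_cloud", severity="high")
        elif ev["method"] == "GET" and parts.path.lower().endswith(TOOL_EXTENSIONS):
            finding.update(rule="tool_download_from_unsanctioned_cloud", severity="high")
        else:
            finding.update(rule="unsanctioned_cloud_storage_access", severity="low")
        findings.append(finding)
    return findings


def hosts_to_investigate(findings: list) -> dict:
    """Group findings by source host: a host with a high-severity hit, or with
    several distinct rules, is the correlation the text asks for."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["rule"])
    return {src: sorted(rules) for src, rules in by_src.items()
            if len(rules) > 1 or any(f["src"] == src and f["severity"] == "high" for f in findings)}


if __name__ == "__main__":
    found = triage(PROXY_LOG)
    for f in found:
        print(f["severity"], f["rule"], f["src"], f["user"], f["url"])
    print(hosts_to_investigate(found))
```

Run against real proxy data, the low-severity rule fires constantly until the sanctioned-host set reflects actual business use, which is the baselining step in the first bullet. The useful output is the grouping: one workstation that both opened an unknown MEGA link and pulled an executable from an unfamiliar bucket is worth an analyst's time in a way that either event alone is not.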

Mitigation priorities

  • Apply M1056 Pre-compromise thinking: reduce exposed information and opportunities that make adversary preparation easier, and improve the ability to identify preparation activity that intersects the organization.
  • Define and enforce acceptable use for cloud storage and cloud infrastructure services, including how exceptions are approved and monitored.
  • Improve visibility at email, web, DNS, endpoint, and managed-cloud control points before adding complex analytics; detection depends on seeing the interaction with adversary-controlled cloud resources.
  • Prepare IR procedures for cloud-hosted artifacts, including preserving URLs, account indicators, file metadata, access logs, and related endpoint evidence.
  • Use threat intelligence and security consulting reviews to map which cloud services are business-critical, which are tolerated, and which should trigger investigation when observed.
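The IR bullet above asks for URLs and account indicators to be preserved. One concrete pitfall makes the order of operations matter: a MEGA share link carries the file decryption key in the URL fragment, which browsers never send to the server, so the key never reaches proxy or DNS logs and survives only in the message body. The script below is an added example, not code from the ATT&CK object or from Glexia's library; it extracts cloud-hosted share links from a constructed phishing email, stores each one verbatim and defanged, and records the details an analyst needs later. The email text, every link in it, the provider suffix list and the helper names are assumptions for illustration.

```python
"""Added example (not from the ATT&CK object or the Glexia library): preserve
cloud-hosted share links from a phishing email as IR indicators. The email body,
its links, the provider list and the helper names are constructed/assumed."""
import re
from urllib.parse import urlsplit

# Constructed phishing email body; every link is made up.
EMAIL_BODY = """\
Hi team, the updated invoice is here:
https://www.dropbox.com/s/abc123def456/Invoice_Q2.pdf.exe?dl=1
Backup copy: https://mega.nz/file/AbCdEf12#0123456789abcdef0123456789abcdef0123456789ab
Short link: https://1drv.ms/u/s!AbCdEfGh12345.
Our website is https://example.com/about if you need anything.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Illustrative suffix list for the storage services named in the technique text.
CLOUD_SHARE_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "mega.nz": "MEGA",
    "mega.co.nz": "MEGA",
    "1drv.ms": "Microsoft OneDrive",
    "onedrive.live.com": "Microsoft OneDrive",
    "sharepoint.com": "Microsoft OneDrive/SharePoint",
    "amazonaws.com": "AWS S3",
}
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".msi", ".js", ".vbs", ".lnk", ".iso", ".ps1")


def provider_for(host: str):
    host = host.lower()
    for suffix, provider in CLOUD_SHARE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def defang(url: str) -> str:
    """Defang the scheme and the dots in the host only, so the path stays searchable."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    out = url.replace(parts.scheme + "://", scheme + "://", 1)
    return out.replace(parts.netloc, parts.netloc.replace(".", "[.]"), 1)


def extract_cloud_indicators(text: str) -> list:
    """Pull cloud-hosted share links out of message text and record each one
    verbatim plus defanged, with the details an analyst will want later.
    Nothing here fetches a link; resolution belongs in a sandbox."""
    records = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")      # trailing punctuation from prose
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        provider = provider_for(host)
        if provider is None:
            continue
        notes = []
        if provider == "MEGA" and parts.fragment:
            # MEGA puts the decryption key in the fragment; browsers do not send it
            # to the server, so it will not appear in proxy or DNS logs.
            notes.append("decryption key carried in URL fragment; preserve from the message body")
        if provider == "Dropbox" and "dl=1" in parts.query.split("&"):
            notes.append("dl=1 forces a direct download instead of the preview page")
        if host == "1drv.ms":
            notes.append("short link; final destination known only after resolution in a sandbox")
        filename = parts.path.rsplit("/", 1)[-1]
        if filename.lower().endswith(SUSPICIOUS_EXTENSIONS):
            notes.append("executable extension")
            if filename.count(".") > 1:
                notes.append("double extension")
        records.append({
            "provider": provider, "host": host, "path": parts.path, "query": parts.query,
            "has_fragment": bool(parts.fragment), "filename": filename,
            "url": url, "defanged": defang(url), "notes": notes,
        })
    return records


if __name__ == "__main__":
    for rec in extract_cloud_indicators(EMAIL_BODY):
        print(rec["provider"], rec["defanged"], rec["notes"])
```

The verbatim URL goes into the evidence store and the defanged form into tickets and chat, so nobody clicks it by accident and the MEGA key is not lost to a log pipeline that strips fragments. Resolving the short link to its final destination is a separate, sandboxed step.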

Analyst notes and limits

This object is most valuable for planning detection and response around adversary infrastructure that blends into legitimate cloud usage. The supplied relationships show it as a sub-technique of Establish Accounts, mitigated by M1056 Pre-compromise, detected by DET0846, and used by listed ATT&CK campaigns/groups. Those relationships provide context but should not be interpreted as proof of current activity against any specific organization.

MITRE provides no official detection text for this object, and the supplied mitigation description is general and truncated. The technique is pre-compromise, so defenders usually observe it only when adversary-owned cloud accounts interact with enterprise users, devices, identities, or data. Local telemetry, business-approved cloud usage, and policy context are required to make detections reliable.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1585 | Establish Accounts | This object is a sub-technique of Establish Accounts.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1046: Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b81af525991d2f8a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | b81af525991d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Awake Security C2 Cloud. Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.
  2. [2] mitre-attack T1585.003. MITRE ATT&CK, T1585.003: Cloud Accounts.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.