T1586.003: Cloud Accounts
Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or Phishing.[1][2] Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[3]
A variety of methods exist for compromising cloud accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, conducting Password Spraying attacks, or attempting to Steal Application Access Tokens.[4] Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a Trusted Relationship between service providers and their customers.[4]
Analyst context for executives and security teams
Cloud Accounts describes adversaries compromising existing cloud service accounts before or during targeting so they can use trusted, legitimate services for later operations. For leaders, the issue is not just account theft; it is that compromised cloud identities can provide ready-made infrastructure for storage, messaging, phishing, tool hosting, or acquiring cloud compute without the adversary managing their own servers.
Executive priority
Prioritize this as an early-stage resource-development risk that can affect cloud governance, identity assurance, third-party/service-provider trust, and incident response readiness. Executives should ask whether the organization can detect misuse of cloud accounts it owns or administers, whether privileged service-provider relationships are tightly controlled, and whether audit evidence exists for account hardening, delegated access review, and cloud activity monitoring.
Technical view
This is a PRE-platform, Resource Development sub-technique under Compromise Accounts. The ATT&CK technique object itself carries no detection text, but its relationship to DET0879 indicates that a detection strategy object is associated with it. SOC and detection teams should validate visibility into cloud identity activity, cloud storage use, cloud messaging services, delegated administrative privileges, application access tokens, and creation or acquisition of cloud infrastructure. IR teams should be prepared to determine whether a cloud account was used for exfiltration to cloud storage, tool upload, phishing, spam, or infrastructure acquisition, as described in the ATT&CK object.
Likely telemetry
- Cloud identity sign-in and authentication logs
- Cloud account privilege and delegated administration change logs
- Application access token creation, consent, and use records
- Cloud storage access and object activity logs
- Cloud messaging service activity such as email/SMS/API send patterns
Detection direction
- Because ATT&CK provides no official detection text for this technique, first confirm which cloud account and identity telemetry is actually collected and retained.
- Tune for suspicious use of legitimate cloud services rather than only malicious infrastructure indicators; compromised accounts may appear trusted by default.
- Review abnormal account use such as unusual storage access, messaging volume, infrastructure provisioning, token activity, or delegated administrative access changes.
- Correlate with related behaviors named by ATT&CK, including phishing for information, password spraying, stolen application access tokens, trusted relationships, exfiltration to cloud storage, and upload tool activity.
- Treat service-provider and privileged delegated accounts as high-value detection subjects because ATT&CK notes adversaries may target them to leverage trusted relationships.
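As an added illustration of the detection directions above (example code, not part of the ATT&CK object or the original page), the Python below runs a few simple rules over constructed, CloudTrail-shaped records: password spraying against console sign-in, access-key creation and compute provisioning from an IP address or region outside a per-principal baseline, and a burst of SES/SNS sends from one identity. The field and API names (eventName, eventSource, userIdentity.arn, sourceIPAddress, awsRegion, ConsoleLogin, CreateAccessKey, RunInstances, SendEmail, Publish) follow real CloudTrail conventions; every principal, IP address, timestamp, baseline and threshold is invented for the example and must be replaced with values derived from your own telemetry.

```python
"""Illustrative detection pass over constructed CloudTrail-shaped events.

Field names follow AWS CloudTrail; every record, principal, IP address,
baseline and threshold below is invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "111122223333"  # fictitious account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
MAILER = f"arn:aws:iam::{ACCOUNT}:user/mail-sender"


def ev(t, name, source, arn, ip, region="us-east-1", **extra):
    """Build one constructed CloudTrail-like record."""
    rec = {"eventTime": datetime.fromisoformat(t), "eventName": name,
           "eventSource": source, "userIdentity": {"arn": arn},
           "sourceIPAddress": ip, "awsRegion": region}
    rec.update(extra)
    return rec


# Constructed sample telemetry: a spraying burst, a token mint and a provisioning
# call from an unfamiliar IP/region, an SES burst, and one benign call.
EVENTS = [
    *[ev(f"2024-06-01T09:00:{s:02d}", "ConsoleLogin", "signin.amazonaws.com",
         f"arn:aws:iam::{ACCOUNT}:user/{u}", "203.0.113.9",
         responseElements={"ConsoleLogin": "Failure"})
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    ev("2024-06-01T09:05:00", "CreateAccessKey", "iam.amazonaws.com", ALICE, "203.0.113.9"),
    ev("2024-06-01T09:06:00", "RunInstances", "ec2.amazonaws.com", ALICE, "203.0.113.9",
       region="ap-southeast-1"),
    *[ev(f"2024-06-01T09:10:{s:02d}", "SendEmail", "ses.amazonaws.com", MAILER, "198.51.100.7")
      for s in range(25)],
    ev("2024-06-01T08:00:00", "ListBuckets", "s3.amazonaws.com", ALICE, "192.0.2.10"),
]

# Constructed per-principal baseline: IPs and regions seen before the window.
BASELINE = {
    ALICE: {"ips": {"192.0.2.10"}, "regions": {"us-east-1"}},
    MAILER: {"ips": {"198.51.100.7"}, "regions": {"us-east-1"}},
}

# CloudTrail (eventSource, eventName) pairs mapped to the misuse categories on the page.
MESSAGING = {("ses.amazonaws.com", "SendEmail"), ("ses.amazonaws.com", "SendRawEmail"),
             ("sns.amazonaws.com", "Publish")}
PROVISIONING = {("ec2.amazonaws.com", "RunInstances"),
                ("lambda.amazonaws.com", "CreateFunction20150331")}
TOKENS = {("iam.amazonaws.com", "CreateAccessKey"), ("sts.amazonaws.com", "GetFederationToken")}


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def password_spray(events, window=timedelta(minutes=5), min_users=5):
    """One source IP failing console logins against many distinct users."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and \
           e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            by_ip[e["sourceIPAddress"]].append((e["eventTime"], e["userIdentity"]["arn"]))
    hits = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        users = max((len({a for t, a in attempts[i:] if t - t0 <= window})
                     for i, (t0, _) in enumerate(attempts)), default=0)
        if users >= min_users:
            hits.append({"rule": "password_spray", "source_ip": ip, "distinct_users": users})
    return hits


def messaging_burst(events, window=timedelta(minutes=10), max_sends=20):
    """A principal sending more email/SMS in one window than the assumed ceiling."""
    by_principal = defaultdict(list)
    for e in events:
        if (e["eventSource"], e["eventName"]) in MESSAGING:
            by_principal[e["userIdentity"]["arn"]].append(e["eventTime"])
    return [{"rule": "messaging_burst", "principal": p, "sends": n}
            for p, times in by_principal.items()
            if (n := _max_in_window(times, window)) > max_sends]


def baseline_deviation(events, baseline):
    """Token minting or infrastructure provisioning from an unfamiliar IP or region."""
    hits = []
    for e in events:
        pair = (e["eventSource"], e["eventName"])
        kind = "token_creation" if pair in TOKENS else "provisioning" if pair in PROVISIONING else None
        if kind is None:
            continue
        arn = e["userIdentity"]["arn"]
        known = baseline.get(arn, {"ips": set(), "regions": set()})
        reasons = [r for r, ok in (("new_ip", e["sourceIPAddress"] in known["ips"]),
                                   ("new_region", e["awsRegion"] in known["regions"])) if not ok]
        if reasons:
            hits.append({"rule": kind, "principal": arn, "event": e["eventName"], "reasons": reasons})
    return hits


def detect(events, baseline=BASELINE):
    """Run every rule and return the combined findings."""
    return password_spray(events) + messaging_burst(events) + baseline_deviation(events, baseline)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run as a script it prints four findings; the benign ListBuckets call from alice's usual address produces none. That is the point of the second bullet above: a compromised account is a trusted identity, so the rules key on deviation from each principal's own baseline and on volume, not on a list of known-bad infrastructure.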
Mitigation priorities
- Apply pre-compromise controls consistent with M1056: reduce exposed account information, harden identity configurations, and increase the difficulty of credential or token compromise.
- Prioritize strong authentication, least privilege, and routine review of privileged and delegated cloud access, especially for service-provider relationships.
- Review application access token governance and remove unnecessary grants or stale access paths.
- Monitor and govern use of cloud storage, messaging, serverless, VPS, and related services that could be repurposed for adversary operations.
- Ensure IR playbooks include cloud account containment, token revocation, access review, and evidence preservation steps.
Analyst notes and limits
The relationship context links this technique to APT41 DUST, APT29, and APT-C-36, but that should be used as threat-intelligence context only and not as proof of current activity in any environment. The practical defensive value is validating cloud identity and service telemetry before an incident, because the behavior occurs in resource development and may precede more visible intrusion activity.
The supplied ATT&CK object has no official detection guidance and lists platform as PRE, so environment-specific detection logic, supported cloud services, and log sources must be determined locally. This take is limited to the provided ATT&CK fields, references, and relationships and does not assert active exploitation or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1586 | Compromise Accounts | This object is a sub-technique of Compromise Accounts. |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e74ebc28de82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022: Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
- [2] Netcraft SendGrid 2024: Graham Edgecombe. (2024, February 7). Phishception – SendGrid is abused to host phishing attacks impersonating itself. Retrieved October 15, 2024.
- [3] Awake Security C2 Cloud: Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.
- [4] MSTIC Nobelium Oct 2021: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
- [5] mitre-attack T1586.003: MITRE ATT&CK. T1586.003: Cloud Accounts.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.