| ID | Name |
|---|---|
| T1585.001 | Social Media Accounts |
| T1585.002 | Email Accounts |
| T1585.003 | Cloud Accounts |
Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[1]
Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.
| ID | Name | Description |
|---|---|---|
| C0042 | Outer Space |
During Outer Space, OilRig created M365 email accounts to be used as part of C2.[2] |
| G1046 | Storm-1811 |
Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various IT support and helpdesk themes.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during exfiltration (ex: Transfer Data to Cloud Account).