Cyber Pulse Academy

⚠ TA0043: Resource Development

MITRE ATT&CK T1586.003 Cloud Accounts

Adversaries compromise cloud service accounts across AWS, Azure, GCP, and SaaS platforms to gain persistent access to enterprise infrastructure. This simulation shows how a single stolen credential grants access to multiple cloud services, storage repositories, and communication platforms for data exfiltration and command-and-control operations.

AWS / Azure / GCP · Credential Theft · Data Exfiltration · SaaS Compromise

☁ Cloud Console: Multi-Service Access (⚠ BREACHED)
Azure Active Directory: ⚠ admin session hijacked (token replay attack)
AWS S3 Storage Buckets: ⚠ 47 buckets accessible, 2.3TB data exposed
Snowflake Data Warehouse: ⏳ authenticating via stolen session token...
Dropbox Business: 🔒 conditional access blocked (new device)
Twilio Communication Platform: 🔒 MFA enforced, access denied
📤 Data exfiltration in progress...

🛠 Simulation Legend

Green: Service protected by MFA or conditional access; access denied
Orange: Service under active attack; authentication in progress
Red: Service fully compromised; attacker has active access
Step 1 Steal cloud credential via phishing or token theft
Step 2 Enumerate accessible services and permissions
Step 3 Access storage, databases, messaging platforms
Step 4 Exfiltrate data via cloud-native transfer
Step 5 Establish persistence via service accounts

Why Compromised Cloud Accounts Matter

Cloud identity compromise has become the dominant attack vector in modern cybersecurity, with the Snowflake breach of 2024 exposing the catastrophic potential of stolen cloud credentials. Every organization that uses cloud services is a potential target, regardless of size or industry.

80%: Of all security incidents in 2025 involved cloud identity compromise as the initial access vector, according to Microsoft and CrowdStrike threat reports.
70%+: Of US-based cyber incidents involved SaaS and Microsoft 365 account compromise, making cloud identity the single largest attack surface in enterprise environments.
165+: Organizations compromised in the 2024 Snowflake breach, including AT&T, Ticketmaster, and Santander, via stolen credentials lacking multi-factor authentication.
$0: MFA was the single control that would have prevented the Snowflake breach entirely. All compromised accounts lacked phishing-resistant authentication enforcement.

The 2024 Snowflake breach orchestrated by UNC5537 demonstrated the devastating impact of cloud account compromise at unprecedented scale, sending shockwaves through the cybersecurity community and fundamentally changing how organizations approach cloud identity security. By obtaining stolen credentials that lacked multi-factor authentication, the threat actor accessed the data warehouses of hundreds of organizations including AT&T (impacting 110 million customer records), Ticketmaster/Live Nation (560 million records), and Santander Bank. The total scope of the breach, affecting 165+ organizations and over 580 million individuals, made it one of the largest data breaches in history and a watershed moment for cloud security. The attackers leveraged Snowflake's own infrastructure to exfiltrate data, making the theft difficult to detect because the data transfer occurred within a trusted cloud environment.


APT29 (Cozy Bear) has been observed using compromised Azure accounts in combination with residential proxy services to blend their traffic with legitimate user activity, making detection extremely challenging for traditional network monitoring tools. APT41 deployed DUST, a custom backdoor that used Google Workspace as a command-and-control channel, demonstrating how compromised cloud accounts can serve as persistent infrastructure for long-term espionage operations. The shift from on-premises infrastructure to cloud services has created a massive new attack surface where a single stolen credential can unlock access to storage, compute, databases, messaging, and identity management platforms across an entire organization's digital estate. Cloud identity has become the new perimeter, and adversaries are exploiting this reality with devastating effectiveness.


The financial impact extends well beyond direct data theft. Organizations affected by cloud account compromise face regulatory fines under GDPR, CCPA, and HIPAA, class-action lawsuits from affected customers, reputational damage that impacts customer trust and revenue, and the enormous cost of incident response, forensic investigation, and mandatory security improvements. The average cost of a cloud-native data breach has risen to $4.88 million in 2024 according to IBM's Cost of a Data Breach Report, with breaches involving compromised credentials taking an average of 292 days to identify and 75 days to contain: nearly 10 months of active adversary access before detection.

+15% Cloud Incidents Rising
Cloud-based attacks increased 15% year-over-year in 2025, driven by credential theft, token replay attacks, and SaaS misconfiguration exploitation across all major cloud providers.

580M+ Records Exposed (Snowflake)
The UNC5537 Snowflake campaign exposed over 580 million records across 165+ organizations, demonstrating the cascading impact of a single cloud identity compromise at ecosystem scale.

12 min Average Time to Compromise
Cloud account takeovers happen in an average of 12 minutes from credential theft to data access, leaving defenders minimal response time before exfiltration begins.

Known Threat Groups Using Cloud Account Compromise

Multiple nation-state and financially motivated threat groups have adopted cloud account compromise as a primary operational technique, leveraging stolen credentials to access enterprise cloud infrastructure, establish persistence, and conduct espionage or data theft at unprecedented scale.

APT29 (Cozy Bear)

Compromised Azure AD accounts to deploy Midnight Blizzard backdoor, using residential proxy services to blend traffic with legitimate users and avoid geographic anomaly detection.

APT41 (Double Dragon)

Deployed DUST backdoor using Google Workspace as C2 infrastructure, demonstrating how compromised cloud accounts can serve as persistent attack platforms for long-term espionage.

UNC5537

Orchestrated the 2024 Snowflake breach affecting 165+ organizations including AT&T, Ticketmaster, and Santander via stolen credentials without MFA: the largest cloud data theft in history.

Scattered Spider

Social engineering group that compromised cloud admin accounts at major enterprises using SIM swapping and phishing, then used cloud infrastructure to deploy ransomware and extort victims.

Key Terms & Concepts

Understanding cloud identity terminology is essential for securing modern enterprise environments where the perimeter has shifted from network boundaries to identity-based access controls.

Cloud Identity: The digital identity that authenticates users, services, and applications to cloud platforms. Unlike traditional network-based security, cloud identity serves as the primary security perimeter in modern enterprise environments. Every API call, data access, and administrative action is gated by identity verification, making compromised cloud credentials equivalent to master keys for the entire organizational infrastructure.

🔐 Token Replay Attack

An attack where adversaries capture valid authentication tokens (session cookies, OAuth tokens, SAML assertions) and replay them to impersonate legitimate users without needing to know the actual credentials. In cloud environments, tokens often have long validity periods and are accepted across multiple services, making them extremely valuable to attackers. A single captured Azure AD session token can provide access to Microsoft 365, Azure portal, Teams, SharePoint, Power Platform, and dozens of connected SaaS applications simultaneously, creating a cascading access scenario where one token compromise equals complete organizational compromise.

💡 Like stealing someone's hotel keycard: you don't need to know their name or room number, you just use the card and every door opens.

☁ Cloud Security Posture Management (CSPM)

Automated tools that continuously monitor cloud infrastructure configurations for security misconfigurations, compliance violations, and exposure risks. CSPM solutions detect issues like publicly exposed S3 buckets, overly permissive IAM roles, unencrypted storage volumes, and missing network security group rules that could allow unauthorized access. Modern CSPM platforms integrate with AWS, Azure, and GCP APIs to provide real-time visibility across multi-cloud environments and automatically flag configuration drift that creates security gaps.

💡 Like a building inspector who constantly walks through your cloud infrastructure checking every door, window, and lock, and alerts you the moment one is left open.

🔒 Conditional Access Policy

Identity-based access control rules that evaluate contextual signals (user location, device health, risk score, application sensitivity) before granting access to cloud resources. Unlike traditional role-based access control, conditional access policies adapt in real-time based on risk factors: for example, blocking access from an unfamiliar country, requiring step-up authentication for sensitive applications, or denying access from devices without current security patches. Microsoft Entra ID (formerly Azure AD) Conditional Access is the most widely deployed implementation, but similar capabilities exist in AWS IAM, GCP IAM, and Okta.

💡 Like a bouncer who checks not just your ID, but also where you're from, what you're wearing, whether you've been here before, and how drunk you look, all before letting you in.

🔍 Identity Threat Detection & Response (ITDR)

Security solutions specifically designed to detect and respond to identity-based attacks, including credential theft, privilege escalation, token manipulation, and impossible travel scenarios. ITDR platforms correlate signals from identity providers, cloud services, endpoint detection tools, and SIEM systems to build comprehensive behavioral profiles for every identity in the organization. When anomalous behavior is detected (such as an admin account suddenly accessing storage buckets it has never touched, or a service account being used from a desktop workstation), ITDR can automatically trigger session revocation, conditional access policy changes, and forensic investigation workflows to contain the threat before data exfiltration occurs.

💡 Like a security camera system that doesn't just record: it actually recognizes faces, knows who belongs, and automatically locks doors when an unrecognized person approaches.

🔒 FIDO2 / WebAuthn

Phishing-resistant authentication standard based on public-key cryptography that uses hardware security keys (YubiKey, Google Titan) or platform authenticators (Touch ID, Windows Hello) to verify user identity. Unlike passwords, OTP codes, or push notifications, FIDO2 credentials are bound to a specific domain and cannot be intercepted by adversary-in-the-middle proxy attacks or replayed across different services. NIST SP 800-63B identifies FIDO2 as the highest assurance authentication factor available, and it is the only authentication method proven to reliably prevent phishing and AiTM attacks. Adoption of FIDO2 for cloud account access is widely considered the single most impactful security improvement organizations can implement today.

💡 Like a key that only works in one specific lock, at one specific building, and self-destructs if anyone tries to copy it: impossible to steal or reuse.
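
The "bound to a specific domain" property above is not magic in the hardware; it is enforced by three checks the relying party performs on every WebAuthn assertion. The Python below is an added example written for this page (not code from the original page or from any FIDO vendor): the RP ID, origin, and assertion values are constructed assumptions, and it covers only the origin, challenge, and rpIdHash binding checks, not the signature verification that follows them.

```python
import base64
import hashlib
import json

# Relying party this verifier belongs to (assumed values for the example).
EXPECTED_RP_ID = "login.example-cloud.test"
EXPECTED_ORIGIN = "https://login.example-cloud.test"


def _b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as used in WebAuthn JSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_binding(client_data_json_b64, authenticator_data, expected_challenge):
    """Check the three fields that bind a WebAuthn assertion to one RP.

    Returns (ok, reason). Signature verification over
    authenticatorData || SHA-256(clientDataJSON) is a separate, later step.
    """
    client_data = json.loads(_b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "not an assertion"
    # 1. Challenge: a server-issued nonce, so a captured assertion cannot be replayed.
    if _b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # 2. Origin: the browser, not the user, fills this in. A proxy on a look-alike
    #    domain yields a different origin and fails here even if the user "logged in".
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # 3. rpIdHash: the first 32 bytes of authenticatorData are SHA-256(rpId); the
    #    authenticator scopes the credential to this RP ID and no other.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "bound to expected origin and RP"


def make_client_data(origin, challenge):
    """Build base64url clientDataJSON the way a browser would (constructed sample)."""
    cd = {"type": "webauthn.get",
          "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
          "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).rstrip(b"=").decode()


def make_auth_data(rp_id):
    """Minimal authenticatorData: rpIdHash || flags (UP set) || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


if __name__ == "__main__":
    challenge = b"sample-nonce-0001"  # constructed; a real RP issues a random one per login
    # Legitimate assertion from the real origin.
    print(verify_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                         make_auth_data(EXPECTED_RP_ID), challenge))
    # Same user and key, but the browser was talking to a proxy on a look-alike domain.
    print(verify_binding(make_client_data("https://login.example-cloud-login.test", challenge),
                         make_auth_data(EXPECTED_RP_ID), challenge))
    # Replay of an assertion captured earlier, presented against a fresh challenge.
    print(verify_binding(make_client_data(EXPECTED_ORIGIN, b"old-challenge"),
                         make_auth_data(EXPECTED_RP_ID), challenge))
```

The second and third cases are exactly the AiTM and replay scenarios the term definition describes: the proxy case fails on origin, the replay case fails on challenge, and a credential registered for a different RP ID would fail on rpIdHash before the signature is even examined.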

🚌 Privileged Access Management (PAM)

Security controls that manage, monitor, and audit access to privileged cloud accounts including administrator accounts, service accounts, and break-glass emergency access accounts. Cloud PAM solutions enforce just-in-time elevation, session recording, and automatic credential rotation for high-privilege accounts that, if compromised, would provide the attacker with extensive control over cloud infrastructure. In the context of T1586.003, PAM is critical because attackers specifically target privileged accounts to maximize the impact of cloud credential theft: a compromised admin account provides access to every resource in the cloud tenant, including the ability to create new accounts, modify access policies, and cover forensic traces.

💡 Like a bank vault that requires two managers, a retinal scan, and a time-limited access code: even if one manager is compromised, they still can't get in alone.

Real-World Scenario: The Snowflake Catastrophe

Based on the 2024 UNC5537 Snowflake data breach, one of the largest cloud-account-driven data thefts in history, affecting AT&T, Ticketmaster, Santander, and 165+ organizations.

Marco Torres, VP of Engineering, DataVault Analytics

Mid-size analytics firm processing sensitive customer data for retail and healthcare clients. Snowflake environment with 12 warehouses, 4.7TB of customer data, and 38 active user accounts across 3 teams.

🔴 What Happened: The Attack

UNC5537 obtained Marco's Snowflake credentials through an infostealer malware infection on his personal laptop, where he occasionally checked work dashboards outside the corporate VPN. The stolen credentials included a valid session token that Snowflake had not expired, and the account had no MFA configured, a common misconfiguration that Snowflake later mandated for all enterprise accounts. Using these credentials, the attackers accessed DataVault's Snowflake environment and began exfiltrating customer data using Snowflake's native data transfer capabilities, which allowed high-speed extraction without triggering bandwidth anomalies that external network monitoring would have detected. The breach went undetected for 14 days until a customer reported their data appearing on a dark web marketplace. By then, 4.7TB of sensitive customer records from healthcare and retail clients had been stolen and offered for sale in multiple extortion attempts.

🟢 What Should Have Happened: The Defense

If DataVault had enforced MFA on the Snowflake account, the infostealer would have captured only a username and password, useless without the second authentication factor. FIDO2 hardware keys would have provided phishing-resistant protection even if Marco had fallen for a credential harvesting attack. Conditional access policies would have blocked the login from Marco's personal laptop outside the corporate network, especially for an account with access to sensitive data warehouses. CSPM tools would have flagged the missing MFA configuration as a critical security gap before the attack occurred. ITDR monitoring would have detected the unusual access pattern (a data engineering VP accessing production warehouses from a residential IP address at 2 AM) and triggered an automated response including session revocation and security team notification within minutes.

📄 Snowflake Breach Chain: UNC5537 TTPs

Phase 1: Infostealer malware harvests credentials from employee endpoint
Phase 2: Valid session token obtained; no MFA to block access
Phase 3: Snowflake tenant accessed via legitimate authentication
Phase 4: Cloud-native data transfer used for high-speed exfiltration
Phase 5: Extortion demands sent; data sold on dark web marketplaces
Phase 6: 165+ organizations affected; 580M+ records exposed globally

Step-by-Step Protection Guide

These seven defensive measures create a zero-trust architecture for cloud identity that addresses credential compromise at every stage, from prevention through detection and response.

1. Deploy FIDO2 for All Cloud Administrative Accounts

Mandate FIDO2/WebAuthn hardware security keys for every account with administrative privileges across AWS, Azure, GCP, Snowflake, and all SaaS platforms. FIDO2 is the only authentication method proven to resist phishing, AiTM proxy attacks, and token replay techniques that adversaries use to bypass traditional MFA. Start with the highest-privilege accounts (cloud admins, security engineers, database administrators) and expand coverage to all users with access to sensitive data or critical infrastructure. Ensure key provisioning includes backup keys, secure storage protocols, and revocation procedures for lost or compromised devices.

  • Require FIDO2 for all accounts with IAM administrative access, billing privileges, or data warehouse access; these are the accounts adversaries target first and most aggressively.
  • Implement a FIDO2 key lifecycle management process including enrollment verification, backup key issuance, lost-key revocation procedures, and annual key rotation for all privileged accounts.

PREVENT
2. Implement Conditional Access Policies Across All Cloud Services

Configure conditional access rules that evaluate contextual signals including geographic location, device compliance status, IP reputation, risk score, and time-of-access patterns before granting cloud resource access. Block or require step-up authentication for logins from unfamiliar locations, new devices, anonymous IP addresses, or countries where the organization has no business presence. Apply sensitivity-based policies that escalate authentication requirements for access to production environments, customer data repositories, and administrative consoles based on the data classification level of the target resource.

  • Create location-based policies that block access from countries where the organization has no employees or business operations, and require VPN connections for all access from residential IP ranges.
  • Enforce device compliance checks that verify operating system patch level, disk encryption status, and endpoint detection tool presence before allowing access to any cloud service or data repository.

PREVENT DETECT
3. Deploy Cloud Security Posture Management (CSPM)

Implement CSPM tools that continuously scan AWS, Azure, GCP, and SaaS platform configurations for security misconfigurations including overly permissive IAM policies, publicly exposed storage buckets, unencrypted data stores, missing MFA on administrative accounts, and network security group rules that allow unrestricted inbound access. CSPM provides automated compliance monitoring against frameworks like CIS Benchmarks, NIST CSF, and SOC 2, while also detecting configuration drift that occurs when engineers make manual changes to cloud resources that create security gaps. Modern CSPM solutions can also automatically remediate certain misconfigurations, reducing the window between detection and correction from days to minutes.

  • Configure CSPM to alert immediately on any administrative account without MFA enabled; this single misconfiguration was the root cause of the Snowflake breach affecting 165+ organizations.
  • Enable automated remediation for high-severity findings including public storage exposure, overly permissive security groups, and disabled encryption on data stores containing sensitive information.

PREVENT DETECT
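
The "missing MFA on administrative accounts" and "credential rotation" checks that a CSPM tool runs against AWS can be reproduced from the IAM credential report, which `aws iam get-credential-report` returns as CSV. The following Python is an added example for this page, not a CSPM product's code and not from the original article: the column names are AWS's own, but every row value, the account ID, and the fixed `NOW` timestamp are constructed for the example, and the four trailing `cert_*` columns are omitted because the checks do not use them.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (AWS column names; every value below is fabricated for this example).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2025-01-03T08:12:00+00:00,not_supported,not_supported,false,true,2021-03-01T09:00:00+00:00,2025-01-02T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
dw-admin,arn:aws:iam::123456789012:user/dw-admin,2023-06-10T12:00:00+00:00,true,2025-01-04T18:20:00+00:00,2023-06-10T12:00:00+00:00,N/A,false,true,2023-06-10T12:00:00+00:00,2025-01-04T18:25:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
sec-eng,arn:aws:iam::123456789012:user/sec-eng,2022-01-20T10:00:00+00:00,true,2025-01-04T07:00:00+00:00,2024-11-01T10:00:00+00:00,N/A,true,true,2024-12-01T10:00:00+00:00,2025-01-04T07:05:00+00:00,eu-west-1,iam,false,N/A,N/A,N/A,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2022-05-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-05-05T10:00:00+00:00,2025-01-04T02:00:00+00:00,us-east-1,s3,true,2022-05-05T10:00:00+00:00,no_information,N/A,N/A
"""

# Fixed "now" so the sample is reproducible (an assumption for the example).
NOW = datetime(2025, 1, 5, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report dates are ISO 8601 or sentinels (N/A, no_information, not_supported)."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, severity, finding) tuples for the posture checks a CSPM raises."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console sign-in possible (root always, users when a password is set) but no MFA.
        if row["mfa_active"] == "false" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "CRITICAL", "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "HIGH", f"root account has active access key {n}"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated) > timedelta(days=max_key_age_days):
                findings.append((user, "MEDIUM",
                                 f"access key {n} not rotated for {(now - rotated).days} days"))
            if _parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, "LOW", f"access key {n} active but never used"))
    return findings


def run_audit():
    """Audit the constructed report at the fixed NOW."""
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, severity, finding in run_audit():
        print(f"{severity:8} {user:16} {finding}")
```

Against a live account the same function takes the decoded `Content` of the `get-credential-report` response; the report is generated asynchronously, so a scheduled job should call `generate-credential-report` first and retry until it is ready.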
4. Implement Identity Threat Detection & Response (ITDR)

Deploy ITDR solutions that correlate authentication events, API calls, and resource access patterns across all cloud platforms to detect behavioral anomalies indicating credential compromise. Monitor for impossible travel scenarios, unusual API call patterns (such as an admin account suddenly enumerating S3 buckets or querying Snowflake warehouses it has never accessed), privilege escalation events, and service account abuse. ITDR should integrate with your SIEM, SOAR, and cloud provider native security tools to provide a unified view of identity risk across the entire cloud estate, with automated response playbooks that can revoke sessions, disable accounts, and isolate compromised identities within seconds of detecting a threat.

  • Baseline normal access patterns for every identity and alert on deviations exceeding two standard deviations from the established mean, including unusual resource types, access times, and API call volumes.
  • Correlate cloud identity signals with endpoint detection data to detect infostealer infections that may have harvested cloud credentials before the adversary attempts to use them in the cloud environment.

DETECT RESPOND
5. Enforce Privileged Access Management (PAM) for Cloud Admins

Deploy PAM controls for all privileged cloud accounts including just-in-time elevation, session recording, and automatic credential rotation. Cloud admin accounts should never have persistent standing privileges; instead, require time-limited access elevation for specific tasks with automatic de-escalation after a defined timeout period. Record all privileged sessions for forensic review and compliance auditing. Implement break-glass procedures with multi-person approval for emergency access scenarios, ensuring that even in crisis situations, privileged access is granted through controlled, auditable channels rather than through static credentials that could be stolen or reused by adversaries.

  • Eliminate standing admin privileges by implementing just-in-time access requests that require manager approval and automatically expire after a maximum of 4 hours, with renewal only after re-approval.
  • Record and retain all privileged cloud sessions for a minimum of 90 days and enable real-time session monitoring that alerts on suspicious commands or data access patterns during active admin sessions.

PREVENT RESPOND
6. Monitor CloudTrail, Audit Logs, and API Activity

Enable comprehensive logging across all cloud platforms including AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs, and Snowflake access history. Forward all logs to a centralized SIEM for correlation analysis and threat hunting. Create detection rules for suspicious patterns including bulk data downloads, cross-account role assumption, unusual region-based access, and IAM policy modifications that could indicate adversary activity. Ensure log integrity by enabling tamper-proof log storage using AWS CloudTrail Log File Validation, Azure Monitor log profiles with retention locks, or GCP Audit Logs with bucket-level immutability policies that prevent log tampering or deletion by compromised accounts.

  • Create automated alerts for any CloudTrail event indicating IAM role assumption from external accounts, S3 bucket policy changes, or data warehouse query patterns that deviate from established baselines.
  • Implement cross-cloud log correlation to detect attack patterns that span multiple cloud providers; adversaries often use compromised credentials on one platform to pivot to connected services on another platform.

DETECT
7. Implement Zero Trust Architecture Based on NIST SP 800-207

Adopt a zero trust security model where no user, device, or application is inherently trusted regardless of network location. Every access request to every cloud resource must be authenticated, authorized, and encrypted in real-time based on current contextual signals. Implement microsegmentation between cloud workloads, enforce least-privilege access at the resource level rather than the network level, and continuously validate trust throughout every session rather than relying on initial authentication alone. Zero trust is the architectural foundation that makes all other cloud security controls effective, because it assumes breach and designs defenses around the assumption that credentials will eventually be compromised and access must be limited and monitored at every touchpoint.

  • Map all cloud resource dependencies and data flows to understand the blast radius of each cloud identity: which resources can each account access, and what is the potential impact if that account is compromised.
  • Implement continuous session validation that re-evaluates risk signals throughout every cloud session, automatically terminating or stepping up authentication when risk indicators change mid-session.

PREVENT DETECT RESPOND

Common Mistakes & Best Practices

The most impactful cloud security improvements come from avoiding common misconfigurations and adopting proven best practices that address the unique challenges of identity-based security in distributed cloud environments.

❌ Common Mistakes

1. Leaving MFA disabled on cloud accounts: the single root cause of the Snowflake breach that affected 165+ organizations. Many organizations deploy MFA for corporate email but leave data warehouse, storage, and infrastructure accounts unprotected.

2. Using shared admin credentials or service accounts with standing privileges that never rotate. Compromised service accounts are extremely difficult to detect because their automated access patterns blend with legitimate operational activity.

3. Ignoring cross-cloud identity federation risks where a compromised Microsoft 365 account can be used to access AWS through SAML federation, creating a single point of failure across the entire multi-cloud estate.

4. Not monitoring API call patterns and CloudTrail logs for anomalous activity. Many organizations enable logging but never review the logs or create detection rules, leaving enormous blind spots for cloud-based attacks.

5. Allowing cloud access from personal devices without endpoint security verification. Infostealer malware on personal devices is the primary vector for cloud credential theft, and unmanaged devices bypass all corporate security controls.

✔ Best Practices

1. Enforce FIDO2 on all cloud accounts with access to sensitive data or administrative functions. FIDO2 is the only authentication method that reliably prevents the credential theft and token replay attacks used in every major cloud breach.

2. Deploy CSPM with automated remediation across all cloud accounts to continuously detect and correct misconfigurations including missing MFA, exposed storage, and overly permissive IAM policies before adversaries can exploit them.

3. Implement conditional access with zero trust principles that evaluate every access request against contextual signals including location, device health, and behavioral patterns rather than trusting network boundaries.

4. Centralize cloud audit logs in a SIEM with automated detection rules for impossible travel, unusual API patterns, privilege escalation, and cross-account access that indicate active compromise.

5. Deploy PAM for all privileged cloud identities with just-in-time access elevation, session recording, and automatic credential rotation to limit the blast radius of any individual account compromise.

Red Team vs Blue Team View

Cloud account compromise requires understanding both offensive tradecraft and defensive capabilities to build effective security programs that address real-world attack patterns.

🔴 Red Team: Attacker Perspective

T1586.003: Cloud Accounts (Offensive)
  • Target Selection: Identify cloud accounts through infostealer logs purchased on dark web marketplaces, targeting accounts with administrative privileges, access to data warehouses, or federation with multiple cloud providers.
  • Initial Access: Test stolen credentials against cloud provider login portals, exploiting accounts without MFA or using captured session tokens for direct authentication without needing to solve any challenge.
  • Discovery: Use cloud-native enumeration tools (AWS CLI, Azure PowerShell, gsutil) to map accessible resources, permissions, and data stores from the compromised identity's perspective.
  • Collection: Leverage cloud-native data transfer capabilities (AWS S3 sync, Snowflake COPY INTO, Azure Storage Explorer) for high-speed exfiltration that appears as legitimate operational activity.
  • Persistence: Create new IAM users, service accounts, or API keys with appropriate permissions to maintain access even if the original compromised credential is rotated or revoked by the victim organization.

🔵 Blue Team: Defender Perspective

T1586.003: Cloud Accounts (Defensive)
  • Prevention: Enforce FIDO2 for all privileged accounts, deploy conditional access policies requiring managed devices and trusted locations, and implement CSPM with automated remediation for misconfigurations.
  • Detection: Monitor CloudTrail, Azure Activity Logs, and GCP Audit Logs for impossible travel, unusual API call patterns, privilege escalation events, and data exfiltration indicators.
  • ITDR: Deploy identity threat detection that correlates authentication events across all cloud providers with endpoint signals and behavioral baselines to detect compromised credentials in near-real-time.
  • Response: Maintain documented cloud compromise playbooks including immediate session revocation, credential rotation, permission audit, resource access review, and forensic log analysis procedures.
  • Architecture: Implement zero trust architecture per NIST SP 800-207 with microsegmentation, least-privilege access, and continuous session validation across all cloud services and workloads.

Threat Hunter's Eye

Cloud threat hunting focuses on behavioral anomalies in authentication patterns, API usage, and data access that indicate credential compromise and unauthorized resource access.

🌎 Impossible Travel in Cloud Authentication

Hunt for authentication events where the same cloud identity authenticates from geographically distant locations within a timeframe that makes physical travel impossible. Cross-reference login IP geolocation with VPN egress points and corporate office locations to eliminate false positives from legitimate VPN usage. Pay particular attention to cloud console logins (AWS Management Console, Azure Portal, GCP Console) from residential IP addresses or countries outside the organization's operational footprint, as these strongly indicate credential compromise through infostealer infection or password spraying. Correlate with subsequent API calls to determine if the compromised session was used for reconnaissance, data access, or infrastructure modification.

index="cloudtrail" eventName="ConsoleLogin" | iplocation sourceIPAddress | sort 0 userIdentity.arn, _time
| streamstats current=f last(lat) as prev_lat last(lon) as prev_lon last(_time) as prev_time by userIdentity.arn
| eval d_lat=(lat-prev_lat)*pi()/180, d_lon=(lon-prev_lon)*pi()/180, a=pow(sin(d_lat/2),2)+cos(lat*pi()/180)*cos(prev_lat*pi()/180)*pow(sin(d_lon/2),2), distance_km=2*6371*asin(sqrt(a)), gap_hours=(_time-prev_time)/3600
| where gap_hours<=1 AND distance_km>800
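
The same hunt, carried through in Python so the distance and time-window logic is explicit and the VPN-egress exclusion the paragraph calls for is handled. This is an added example for this page, not code from the original article: the CloudTrail field names are real, but the login records, the IP-to-coordinate table (standing in for a GeoIP lookup), the corporate egress set, and the 800 km / 1 hour thresholds (taken from the query above) are constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed CloudTrail ConsoleLogin records (real field names, fabricated values;
# IPs are from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-04T09:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dw-admin"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-04T09:41:55Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dw-admin"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2025-01-04T10:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sec-eng"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-04T19:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sec-eng"},
     "sourceIPAddress": "192.0.2.200"},
]

# Stand-in for a GeoIP lookup (assumed coordinates); a SIEM's iplocation-style
# command would supply these fields from the source IP.
GEO = {
    "203.0.113.10": (51.5074, -0.1278),   # London, corporate office egress
    "198.51.100.77": (1.3521, 103.8198),  # Singapore, residential ISP
    "192.0.2.200": (48.8566, 2.3522),     # Paris
}
# Office and VPN egress addresses: two logins from this set are gateway hops, not travel.
CORPORATE_EGRESS = {"203.0.113.10"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_impossible_travel(events, window_hours=1.0, min_km=800.0):
    """Flag consecutive console logins by one principal that are too far apart for the elapsed time."""
    by_user = {}
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(e["userIdentity"]["arn"], []).append((ts, e["sourceIPAddress"]))
    alerts = []
    for arn, logins in by_user.items():
        logins.sort()
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            if ip0 in CORPORATE_EGRESS and ip1 in CORPORATE_EGRESS:
                continue  # both ends are corporate gateways: a VPN re-route, not travel
            if ip0 not in GEO or ip1 not in GEO:
                continue  # no geolocation available, so distance cannot be judged
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(GEO[ip0], GEO[ip1])
            if hours <= window_hours and km > min_km:
                alerts.append({"arn": arn, "from_ip": ip0, "to_ip": ip1,
                               "km": round(km), "minutes": round(hours * 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only the dw-admin pair (London office to a Singapore residential address in under 40 minutes) is reported; the sec-eng London-to-Paris pair is nine hours apart and well within the threshold, which is the kind of legitimate travel the paragraph warns not to alert on.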

📈 API Anomalies & Data Exfiltration Patterns

Monitor for sudden increases in API call volume, particularly for data-accessing operations like GetObject (S3), SELECT (Snowflake), or list operations that enumerate accessible resources. An adversary who has just compromised a cloud account will typically perform extensive reconnaissance to understand what resources they can access before beginning exfiltration. Look for API call patterns that deviate from the user's historical behavior: an engineering account suddenly accessing billing APIs, or a marketing account querying production databases. Track data transfer volumes and flag any single session that transfers more data than the account's 30-day historical average, as this is the strongest indicator of active data exfiltration from a compromised cloud identity.

index="cloudtrail" eventName="GetObject" earliest=-30d | bin _time span=1d | stats sum(additionalEventData.bytesTransferredOut) as bytes_transfer by userIdentity.arn, _time
| eventstats avg(bytes_transfer) as user_avg by userIdentity.arn | where bytes_transfer > user_avg * 3
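
The volume baseline in the paragraph above, worked through in Python as an added example for this page (not code from the original article). The CloudTrail field names are real: S3 data events carry `additionalEventData.bytesTransferredOut` for each request. The raw records, the 31 days of per-principal daily totals, the account ID, and the 3x factor are constructed assumptions. The example goes one step beyond the paragraph by handling the identity with no history yet, where a 30-day average does not exist.

```python
from collections import defaultdict
from datetime import date, timedelta

DW_ARN = "arn:aws:iam::123456789012:user/dw-admin"
CI_ARN = "arn:aws:iam::123456789012:user/ci-bot"

# Constructed raw CloudTrail S3 data events (real field names; fabricated values).
SAMPLE_RAW = [
    {"eventTime": "2025-01-05T01:10:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": DW_ARN}, "additionalEventData": {"bytesTransferredOut": 1500}},
    {"eventTime": "2025-01-05T01:11:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": DW_ARN}, "additionalEventData": {"bytesTransferredOut": 2500}},
    {"eventTime": "2025-01-05T01:12:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": DW_ARN}},  # enumeration, not a transfer: not counted
]


def aggregate_daily(records):
    """Sum GetObject egress bytes per (day, principal); returns sorted (day, arn, bytes) rows."""
    totals = defaultdict(int)
    for r in records:
        if r.get("eventName") != "GetObject":
            continue
        day = date.fromisoformat(r["eventTime"][:10])
        arn = r["userIdentity"]["arn"]
        totals[(day, arn)] += int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
    return [(d, a, b) for (d, a), b in sorted(totals.items())]


def build_sample_history():
    """Constructed 31 days of daily totals: a steady engineer and a high-volume CI bot,
    with the engineer jumping to 40 GB on the last day (fabricated numbers)."""
    start = date(2024, 12, 6)
    rows = []
    for i in range(30):
        day = start + timedelta(days=i)
        rows.append((day, DW_ARN, 2_000_000_000 + (i % 5) * 100_000_000))
        rows.append((day, CI_ARN, 50_000_000_000 + (i % 3) * 1_000_000_000))
    last = start + timedelta(days=30)
    rows.append((last, DW_ARN, 40_000_000_000))
    rows.append((last, CI_ARN, 51_000_000_000))
    return rows


def flag_exfiltration(daily, factor=3.0, min_days=7):
    """Compare each principal's latest day against its own average over the prior days."""
    per_user = defaultdict(dict)
    for day, arn, b in daily:
        per_user[arn][day] = per_user[arn].get(day, 0) + b
    results = {}
    for arn, days in per_user.items():
        ordered = sorted(days)
        latest = ordered[-1]
        baseline = [days[d] for d in ordered[:-1]]
        if len(baseline) < min_days:
            # A new identity has no history to compare against; report that explicitly
            # rather than silently passing it (an average over zero days is undefined).
            results[arn] = {"status": "no_baseline", "baseline_days": len(baseline)}
            continue
        avg = sum(baseline) / len(baseline)
        ratio = days[latest] / avg if avg else float("inf")
        results[arn] = {"status": "alert" if ratio > factor else "ok",
                        "ratio": round(ratio, 2), "latest_bytes": days[latest],
                        "baseline_avg": round(avg)}
    return results


if __name__ == "__main__":
    print(aggregate_daily(SAMPLE_RAW))
    for arn, verdict in flag_exfiltration(build_sample_history()).items():
        print(arn, verdict)
```

The per-principal comparison is what keeps the CI bot quiet: it moves far more data than the engineer every day, but only relative to its own history does the engineer's 40 GB day stand out (roughly 18x its baseline).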

🔒 Unusual MFA Registration Events

Hunt for MFA device registration or modification events, particularly when the registration occurs from an unfamiliar device, IP address, or geographic location. Adversaries who have compromised a cloud account may register their own MFA device to maintain persistent access even after the victim changes their password, effectively locking the legitimate user out of their own account. This is especially dangerous for cloud admin accounts where the attacker registers a phishing-resistant FIDO2 key, making the compromise nearly impossible to reverse without administrative intervention through the cloud provider's support team. Monitor for password change events followed by immediate MFA registration, as this pattern strongly indicates an attacker has changed the password and is registering their own device to lock out the legitimate account holder permanently.

index="azuread" (Operation="Register security info" OR Operation="Update user") | lookup approved_corporate_ips srcIP OUTPUT srcIP AS approved_ip | where isnull(approved_ip) | stats count by user, srcIP
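
The "password change followed by immediate MFA registration" sequence described above is a correlation across two audit events, so a single-event filter like the query above cannot express it. The Python below is an added example for this page, not code from the original article or from Microsoft: the record layout follows the Entra ID audit log (Graph directoryAudit) field names, the activity display names are assumptions to verify against your own tenant's logs, and the records, users, and IP allow-list are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of corporate egress IPs (fabricated, RFC 5737 range).
APPROVED_CORPORATE_IPS = {"203.0.113.10", "203.0.113.11"}
# Entra ID audit activity names used here; treat them as assumptions and check
# them against your tenant, since display names differ between log sources.
PASSWORD_CHANGE_OPS = {"Change user password", "Reset user password"}
MFA_REGISTRATION_OPS = {"User registered security info", "User changed default security info"}


def _audit(ts, activity, upn, ip):
    """Build one constructed audit record in the directoryAudit field layout."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"userPrincipalName": upn}]}


SAMPLE_AUDIT = [
    # Takeover pattern: password changed, then a new MFA method registered, both from a non-corporate IP.
    _audit("2025-01-04T02:03:10Z", "Change user password", "mtorres@datavault.test", "198.51.100.77"),
    _audit("2025-01-04T02:04:45Z", "User registered security info", "mtorres@datavault.test", "198.51.100.77"),
    # Routine enrolment from the office network.
    _audit("2025-01-04T09:30:00Z", "User registered security info", "sec-eng@datavault.test", "203.0.113.10"),
    # Password change with no follow-on registration.
    _audit("2025-01-03T14:00:00Z", "Change user password", "lchen@datavault.test", "203.0.113.11"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_mfa_registration(events, window_minutes=30):
    """Flag MFA registrations from unapproved IPs or within a window after a password change on the same account."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["targetResources"][0]["userPrincipalName"]].append(e)
    alerts = []
    window = timedelta(minutes=window_minutes)
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["activityDateTime"])
        pw_times = [_parse(e["activityDateTime"]) for e in evs
                    if e["activityDisplayName"] in PASSWORD_CHANGE_OPS]
        for e in evs:
            if e["activityDisplayName"] not in MFA_REGISTRATION_OPS:
                continue
            t = _parse(e["activityDateTime"])
            ip = e["initiatedBy"]["user"]["ipAddress"]
            reasons = []
            if ip not in APPROVED_CORPORATE_IPS:
                reasons.append("registration from unapproved IP")
            if any(timedelta(0) <= t - p <= window for p in pw_times):
                reasons.append(f"registration within {window_minutes} min of a password change")
            if reasons:
                alerts.append({"user": target, "ip": ip, "time": e["activityDateTime"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt_mfa_registration(SAMPLE_AUDIT):
        print(alert)
```

Only the mtorres registration is reported, and with both reasons attached, which is the signal the paragraph describes: a password reset and a new authenticator on the same account, minutes apart, from an address the organization does not own. Two reasons on one event is a good candidate for an automatic session-revocation response rather than a queued ticket.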

1. Cloud Console Login from Infostealer-Associated IP

Login to AWS Console, Azure Portal, or Snowflake web interface from an IP address that appears in known infostealer log databases or from a residential ISP in a country where the organization has no presence.

2. Sudden S3 Bucket Enumeration by Non-Storage Account

An IAM identity that has never previously performed storage-related API calls suddenly begins listing S3 buckets, checking bucket policies, or initiating large-scale data transfer operations.

3. New IAM User or Service Account Creation

Creation of new IAM users, service accounts, or API keys from a compromised existing identity, indicating the attacker is establishing persistence mechanisms that survive credential rotation.

4. Privilege Escalation via IAM Role Assumption

Assumption of IAM roles that provide administrative or elevated privileges, especially cross-account role assumption from external AWS accounts that should not have trust relationships configured.
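
Indicators 3 and 4 above are both visible in CloudTrail, and the persistence case is strongest when one actor both creates a principal and issues it a credential. The Python below is an added example for this page, not code from the original article: the CloudTrail field names (`eventSource`, `eventName`, `userIdentity.accountId`, `requestParameters.roleArn`, `recipientAccountId`) are real, while the records, account IDs, role names, and the organization's known-account list are constructed assumptions.

```python
from collections import defaultdict

# Assumed: the organization's own AWS account IDs (fabricated values).
KNOWN_ACCOUNTS = {"123456789012", "210987654321"}
# IAM write events that create a new principal or credential, i.e. persistence
# that survives rotation of the originally stolen credential.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}

ACTOR = "arn:aws:iam::123456789012:user/dw-admin"

# Constructed CloudTrail records using real field names; all values are fabricated.
SAMPLE_TRAIL = [
    {"eventTime": "2025-01-04T02:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": ACTOR, "accountId": "123456789012"},
     "requestParameters": {"userName": "svc-backup-sync"}},
    {"eventTime": "2025-01-04T02:21:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": ACTOR, "accountId": "123456789012"},
     "requestParameters": {"userName": "svc-backup-sync"}},
    {"eventTime": "2025-01-04T03:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/ops",
                      "accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/OrgAdmin"},
     "recipientAccountId": "123456789012"},
    {"eventTime": "2025-01-04T08:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::210987654321:user/deploy",
                      "accountId": "210987654321"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Deployer"},
     "recipientAccountId": "123456789012"},
    {"eventTime": "2025-01-04T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/sec-eng",
                      "accountId": "123456789012"}},
]


def hunt_persistence_and_escalation(records):
    """Return alerts for new-principal/credential creation and AssumeRole from outside the org."""
    alerts = []
    per_actor = defaultdict(list)
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        name = r.get("eventName")
        if r.get("eventSource") == "iam.amazonaws.com" and name in PERSISTENCE_EVENTS:
            alerts.append({"indicator": "new-iam-principal-or-credential", "actor": actor,
                           "event": name, "target": r.get("requestParameters", {}).get("userName"),
                           "ip": r.get("sourceIPAddress")})
            per_actor[actor].append(name)
        elif r.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRole":
            # The role owner's trail records the caller's account; anything outside the
            # organization's accounts is a trust relationship worth verifying.
            caller_account = ident.get("accountId")
            if caller_account not in KNOWN_ACCOUNTS:
                alerts.append({"indicator": "external-cross-account-assumerole", "actor": actor,
                               "caller_account": caller_account,
                               "role": r.get("requestParameters", {}).get("roleArn"),
                               "ip": r.get("sourceIPAddress")})
    # An actor that creates a principal and then issues it credentials is the classic
    # persistence chain; surface it once as its own higher-priority alert.
    for actor, names in per_actor.items():
        if "CreateUser" in names and ("CreateAccessKey" in names or "CreateLoginProfile" in names):
            alerts.append({"indicator": "persistence-chain", "actor": actor, "events": names})
    return alerts


if __name__ == "__main__":
    for alert in hunt_persistence_and_escalation(SAMPLE_TRAIL):
        print(alert)
```

The deploy user's AssumeRole from a known organization account and sec-eng's ListBuckets produce nothing; in production the known-account list would come from AWS Organizations rather than a hard-coded set, and the per-actor grouping would be bounded by a time window.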

📈 Cloud Account Compromise Risk Assessment

Infostealer Credential Risk: 94%
No-MFA Breach Probability: 98%
Token Replay Effectiveness: 90%
Cross-Cloud Pivot Risk: 75%
FIDO2 Protection Level: 12%
Zero Trust Mitigation: 22%

Risk percentages represent estimated compromise success rates against enterprise environments without the specified control. FIDO2 protection at 12% risk means FIDO2 reduces cloud account compromise to approximately 12% of unprotected baseline. Data derived from Snowflake breach analysis, CISA advisories, and NIST SP 800-207 zero trust framework guidance.

Secure Your Cloud Identity Perimeter

Cloud identity is the new security perimeter. A single compromised credential can unlock your entire digital infrastructure. Take action now before the next breach.

☁ Defend Against T1586.003

The combination of FIDO2 authentication, conditional access policies, CSPM with automated remediation, ITDR monitoring, and zero trust architecture creates a defense-in-depth approach that addresses cloud account compromise at every stage of the attack lifecycle. Start by auditing your cloud identity posture today: check for accounts without MFA, review conditional access policies, and validate that CSPM is actively monitoring all your cloud environments for misconfigurations that create exploitable attack surfaces.

Related MITRE ATT&CK Techniques

Cloud Accounts

