Cloud account threats have significantly increased in 2023, with attackers using new techniques to exploit vulnerabilities in cloud environments.


Cloud account threats increased 16-fold in 2023 [1] [2], with attackers utilizing new techniques in these environments [1], as reported by Red Canary’s 2024 Threat Detection Report [1]. The MITRE ATT&CK technique T1078.004: Cloud Accounts was the fourth most prevalent technique used by threat actors in 2023 [1], impacting three times as many organizations as in 2022 [1]. Adversaries in the cloud typically steal short-term tokens for privilege escalation and conduct systematic reconnaissance to exploit misconfigurations and gain access to sensitive data [1]. A Palo Alto Networks report in September 2023 found that 80% of security vulnerabilities observed in organizations originate from cloud environments [1].

Malicious email forwarding rules also saw a nearly 600 percent rise [2], as adversaries compromised email accounts to redirect sensitive communications and to modify payroll or wire-transfer destinations [2]. Despite new software vulnerabilities [2], humans remained the primary vulnerability exploited by adversaries [2], who used identities to access cloud service APIs and carry out fraud [2]. It is crucial to ensure proper permissions and configurations in cloud environments and to understand how cloud infrastructure is normally used, so that suspicious activity can be distinguished from legitimate activity [2].

Adversaries also used Microsoft’s MSIX packaging tool to create malicious installers [2] that trick victims into running malicious scripts [2]. Malicious actors are likewise using compressed archives such as ZIP and RAR [1], container files such as ISO and VHD [1], and MSIX files to deliver malware payloads [1]. OneNote files have been abused to deliver malware such as Qbot [1], prompting an update in May 2023 to block embedded files with commonly abused extensions [1].

Non-email delivery vehicles for malicious links in 2023 included quishing (phishing via QR codes) [1], SEO poisoning that manipulates search engine results [1], and malvertising through fake ads on search engine results pages [1].
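One defensive check for the email-forwarding-rule abuse described above, written as an added example rather than anything from the report or its authors: it scans audit records in the shape Microsoft 365 uses for Exchange inbox-rule cmdlets (an assumption, with constructed sample records and made-up addresses) and flags rules that forward or redirect mail to a domain outside the organization, noting when the rule also deletes the original message.

```python
# Constructed sample records shaped like Microsoft 365 unified-audit-log entries for
# Exchange inbox-rule cmdlets (assumption: parameters are logged as Name/Value pairs;
# every address below is made up).
INTERNAL_DOMAINS = {"example.com"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "payroll.update@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Project mail"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "To assistant"},
                    {"Name": "RedirectTo", "Value": "dave@example.com"}]},
]

def external_forward_targets(record, internal_domains=INTERNAL_DOMAINS):
    """Forwarding/redirect addresses in an inbox-rule record whose domain is not
    ours; an empty list means the rule keeps mail inside the organization."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        for addr in str(param.get("Value", "")).split(";"):  # may list several recipients
            addr = addr.strip().strip('"')
            domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
            if domain and domain not in internal_domains:
                targets.append(addr)
    return targets

def flag_suspicious_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Flag rules sending mail outside the organization; one that also deletes the
    original is the classic pattern for hiding payroll or wire-transfer redirection."""
    findings = []
    for rec in records:
        targets = external_forward_targets(rec, internal_domains)
        if not targets:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        findings.append({"user": rec["UserId"],
                         "rule": params.get("Name") or params.get("Identity"),
                         "external_targets": targets,
                         "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true"})
    return findings
```

Only the rule created by alice is flagged: it forwards to an external domain and deletes the original, while bob's rule only moves mail and carol's redirect stays inside the organization.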


The rise in cloud account threats poses significant risks to organizations, highlighting the importance of implementing proper security measures and staying vigilant against evolving attack techniques. It is crucial for organizations to regularly update their security protocols, educate employees on cybersecurity best practices, and monitor cloud environments for any suspicious activity to mitigate the impact of these threats in the future.