T1021.007
Cloud Services
Description
Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as `Connect-AZAccount` for Azure PowerShell, `Connect-MgGraph` for Microsoft Graph PowerShell, and `gcloud auth login` for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via an [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password.
Platforms
Mitigations
- M1032 — Multi-factor Authentication
- M1026 — Privileged Account Management
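The following detection sketch is an added example, not part of the ATT&CK entry: it reviews sign-in records for the PowerShell clients named in the description and flags the gaps that M1032 and M1026 are meant to close. The log field names, client display names, allowlist and sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records, not real telemetry. Field names follow the
# Microsoft Entra sign-in log export as an assumption; adapt them to your source.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-05-01T08:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Azure Portal","authenticationRequirement":"multiFactorAuthentication","ipAddress":"198.51.100.10"}
{"createdDateTime":"2024-05-01T09:15:40Z","userPrincipalName":"cloudops@example.com","appDisplayName":"Microsoft Azure PowerShell","authenticationRequirement":"multiFactorAuthentication","ipAddress":"198.51.100.20"}
{"createdDateTime":"2024-05-02T02:41:03Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure PowerShell","authenticationRequirement":"singleFactorAuthentication","ipAddress":"203.0.113.77"}
not-json residue from a truncated export
{"createdDateTime":"2024-05-02T02:44:19Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Graph Command Line Tools","authenticationRequirement":"singleFactorAuthentication","ipAddress":"203.0.113.77"}
"""

# Assumed display names of the command-line clients behind Connect-AZAccount
# and Connect-MgGraph; confirm the values your tenant actually records.
CLI_CLIENTS = {"Microsoft Azure PowerShell", "Microsoft Graph Command Line Tools"}
# Hypothetical allowlist of accounts expected to manage the control plane (M1026).
CLOUD_ADMINS = {"cloudops@example.com"}

def review_cli_signins(text, admins=CLOUD_ADMINS):
    """Return (findings, skipped) for CLI sign-ins that warrant review."""
    findings, skipped = [], 0
    known_ips = defaultdict(set)  # per-user source IPs seen earlier in the log
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ev = json.loads(line)
            user, ip = ev["userPrincipalName"].lower(), ev["ipAddress"]
        except (ValueError, KeyError, AttributeError, TypeError):
            skipped += 1  # truncated or malformed record: count it, keep going
            continue
        reasons = []
        if ev.get("appDisplayName") in CLI_CLIENTS:
            if ev.get("authenticationRequirement") != "multiFactorAuthentication":
                reasons.append("no-mfa")           # sign-in was not held to MFA (M1032)
            if user not in admins:
                reasons.append("not-cloud-admin")  # account not expected on the CLI (M1026)
            if known_ips[user] and ip not in known_ips[user]:
                reasons.append("new-source-ip")    # differs from the user's earlier sign-ins
        known_ips[user].add(ip)
        if reasons:
            findings.append({"time": ev.get("createdDateTime"), "user": user,
                             "client": ev["appDisplayName"], "reasons": reasons})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = review_cli_signins(SAMPLE_SIGNINS)
    for h in hits:
        print(h["time"], h["user"], h["client"], ",".join(h["reasons"]))
    print(f"skipped {bad} malformed line(s)")
```

The new-source-ip check only fires once a user has at least one earlier record, so a short log window will under-report it.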
Our coverage
- Braintrust AWS Breach Exposes AI Provider API Keys, All Customers Ordered to Rotate Secrets
- UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules
- CISA CI Fortify: Critical Infrastructure Must Survive Weeks of Isolation
- DAEMON Tools Supply Chain Attack Deploys QUIC RAT Backdoor
- Apache MINA CVE-2026-42778 and CVE-2026-42779: Dual CVSS 9.8 RCE Patched
Source: MITRE ATT&CK Enterprise matrix.