Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-002 Cloud Tenant Discovery
🔍 What This Breach Pattern Is
Cloud Tenant Discovery is the reconnaissance phase in which attackers systematically identify and map your cloud identity infrastructure. The enumeration targets the foundational elements of your cloud environment and reveals technical details that shape the attack vectors chosen afterwards.
Primary Targets
  • Azure AD / Entra ID tenant ID
  • Okta org ID
  • Google Workspace customer ID
  • AWS IAM Identity Center metadata
Technical Artifacts
  • Federation trust endpoints
  • Cloud login realms
  • Sovereign or regional cloud restrictions
  • Conditional Access pre-auth flows
Protocol Intelligence
  • Authentication protocol behavior
  • MFA configuration hints
  • Session management patterns
  • Token issuance mechanics
Once attackers have mapped your identity architecture, they have the intelligence to tailor the entire attack chain, turning generic exploit attempts into targeted operations.
🧠 Attacker Objectives & Threat Landscape
Strategic Goals
Attackers use Cloud Tenant Discovery to build a profile of your identity infrastructure; the intelligence gathered in this phase informs every subsequent attack decision.
Environment Mapping
Detect your cloud provider, identify tenant identifiers, and discover federation trust URLs to understand your cloud architecture.
Security Assessment
Map possible MFA configurations, probe login endpoints for protocol details, and find environments with weaker controls.
Attack Surface Analysis
Detect multiple tenants revealing shadow IT, identify where password spray attacks will be most effective, and locate federation weaknesses.
Threat Actor Models
Understanding which adversaries employ this technique helps prioritize defensive investments and detection engineering efforts.
APT29 (ICTAM-001)
Highly sophisticated cloud-specific tenant discovery operations targeting enterprise identity infrastructure with precision.
APT28 (ICTAM-002)
Broad cloud enumeration campaigns across multiple providers, seeking federation trust vulnerabilities.
Volt Typhoon (ICTAM-004)
Hybrid cloud discovery focused on critical infrastructure and long-term persistent access.
Cloud Identity Drifter (ICTAM-021)
Opportunistic scanning operations targeting misconfigured tenants and weak authentication boundaries.
This represents the cloud equivalent of "mapping the battlefield" — foundational reconnaissance that enables all subsequent attack phases.
⚠️ Misconfigurations & Detection Engineering
Enabling Misconfigurations
Specific identity architecture weaknesses create opportunities for tenant discovery. Understanding these misconfigurations helps prioritize remediation efforts and reduce your attack surface.
  1. MC-001 Publicly Exposed User Identifiers
     Tenant login pages reveal identity realm details, federation metadata, and authentication architecture information.
  2. MC-075 Weak Network Segmentation for Identity Paths
     Cloud tenant discovery endpoints remain globally accessible without geographic or network-based restrictions.
  3. MC-146 Inconsistent Identity Trust Boundaries
     Federation misconfigurations leak sensitive metadata about connected tenants, trust relationships, and authentication flows.
Detection Signals
Implementing robust detection logic enables security teams to identify tenant discovery attempts before attackers can leverage the intelligence for credential attacks or federation exploitation.
  1. DL-001 Unusual External Enumeration Behavior
     Detects initial cloud tenant probing patterns and reconnaissance scanning.
  2. DL-027 Cross-Tenant Enumeration Anomaly
     Identifies scanning of foreign tenants interacting with your identity provider infrastructure.
  3. DL-010 High-Volume Naming Pattern Probes
     Triggered when attackers systematically validate cloud login behavior across multiple accounts.
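As an added illustration of how the DL-001 and DL-010 signals above can be expressed as detection logic, here is a small Python detector written for this page; it is not code from the framework. It assumes a constructed access-log format (timestamp, source IP, method, path, status), hypothetical identity endpoint paths such as /identity/realm-lookup, a trusted corporate range of 10.0.0.0/8, and thresholds of 5 distinct login identifiers (DL-010) or 2 distinct discovery endpoints from an untrusted source (DL-001) inside a 5-minute window. The sample lines use RFC 5737 documentation addresses and fictitious users.

```python
"""Sliding-window detector for cloud tenant discovery probing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
import ipaddress
import re

# Constructed sample access log; IPs are RFC 5737 documentation ranges.
# Assumed line format: <ISO-8601 timestamp> <source IP> <method> <path> <status>
SAMPLE_LOG = """\
2026-01-15T09:00:01Z 10.20.0.5 GET /identity/realm-lookup?login=alice@example.com 200
2026-01-15T09:00:20Z 203.0.113.7 GET /identity/federation-metadata 200
2026-01-15T09:00:21Z 203.0.113.7 GET /identity/realm-lookup?login=alice@example.com 200
2026-01-15T09:00:22Z 203.0.113.7 GET /identity/realm-lookup?login=bob@example.com 200
2026-01-15T09:00:23Z 203.0.113.7 GET /identity/realm-lookup?login=carol@example.com 200
2026-01-15T09:00:24Z 203.0.113.7 GET /identity/realm-lookup?login=dave@example.com 200
2026-01-15T09:00:25Z 203.0.113.7 GET /identity/realm-lookup?login=erin@example.com 200
2026-01-15T09:00:26Z 203.0.113.7 GET /identity/realm-lookup?login=frank@example.com 200
2026-01-15T09:05:00Z 198.51.100.9 GET /identity/realm-lookup?login=grace@example.com 200
2026-01-15T09:07:00Z 192.0.2.44 GET /identity/federation-metadata 200
2026-01-15T09:07:05Z 192.0.2.44 GET /identity/tenant-info 200
2026-01-15T10:30:00Z 198.51.100.9 GET /identity/realm-lookup?login=heidi@example.com 200
"""

# Hypothetical endpoint names that expose realm / federation / tenant details.
DISCOVERY_PATHS = {"/identity/realm-lookup", "/identity/federation-metadata", "/identity/tenant-info"}
# Assumed corporate range; anything outside it counts as "external" for DL-001.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

WINDOW = timedelta(minutes=5)
DL010_DISTINCT_LOGINS = 5      # distinct identifiers probed by one source inside WINDOW
DL001_DISTINCT_ENDPOINTS = 2   # discovery endpoints touched by an untrusted source inside WINDOW

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, output is time-sorted."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, _method, url, status = m.groups()
        parts = urlsplit(url)
        login = parse_qs(parts.query).get("login", [None])[0]
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ipaddress.ip_address(ip),
            "path": parts.path,
            "login": login,
            "status": int(status),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def detect(events):
    """Return (signal_id, source_ip, detail) tuples; each signal fires at most once per source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] in DISCOVERY_PATHS:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fired = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that the window never spans more than WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            logins = {e["login"] for e in window if e["login"]}
            endpoints = {e["path"] for e in window}
            if "DL-010" not in fired and len(logins) >= DL010_DISTINCT_LOGINS:
                fired.add("DL-010")
                alerts.append(("DL-010", str(ip), f"{len(logins)} distinct logins probed within {WINDOW}"))
            if "DL-001" not in fired and not is_trusted(ip) and len(endpoints) >= DL001_DISTINCT_ENDPOINTS:
                fired.add("DL-001")
                alerts.append(("DL-001", str(ip), f"external source touched {sorted(endpoints)}"))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for signal, ip, detail in run_sample():
        print(f"{signal} {ip}: {detail}")
```

The window is per source address, so the two lookups from 198.51.100.9 an hour apart stay below threshold, while 203.0.113.7 trips both signals and 192.0.2.44 trips DL-001 alone. In production the source key would usually be widened (ASN, JA3/TLS fingerprint, or a user-agent cluster) because distributed probing spreads a naming-pattern sweep across many addresses.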
🧩 Attack Chain Integration & Executive Context
Cloud Tenant Discovery serves as the foundational reconnaissance phase that enables sophisticated, multi-stage identity attacks. Understanding its position within the broader attack chain helps security leaders prioritize investments and communicate risk effectively.
  Stage 1: Reconnaissance
    Initial tenant discovery and infrastructure mapping establish the attack foundation.
  Stage 2: Identity Enumeration
    Validated tenant information enables targeted user enumeration and account discovery.
  Stage 3: Credential Attack
    Password spray, phishing, and brute force attempts leverage discovered tenant architecture.
  Stage 4: Federation Manipulation
    Trust relationship exploitation and token abuse complete the compromise chain.

Executive Threat Storylines
Translating technical attack patterns into business risk narratives helps security leaders communicate effectively with executive stakeholders and board members about identity threat exposure.
ETS-001
Cloud Tenant Discovery → Credential Attack Chain
How initial reconnaissance escalates into full identity compromise affecting business operations.
ETS-004
OAuth Weakness → Identity-Level Compromise
Federation vulnerabilities discovered during tenant mapping enable application-level breaches.