# Inside a Modern Cloud Attack — How to Catch It with Cortex CDR

By [Roi Saltzman](https://www.paloaltonetworks.com/blog/author/roi-saltzman/?ts=markdown "Posts by Roi Saltzman"), [Chen Doytshman](https://www.paloaltonetworks.com/blog/author/chen-doytshman/?ts=markdown "Posts by Chen Doytshman") and [Artur Oleyarsh](https://www.paloaltonetworks.com/blog/author/artur-oleyarsh/?ts=markdown "Posts by Artur Oleyarsh")

Jun 05, 2025

Cloud adoption has transformed how businesses operate while expanding the attack surface available to attackers. Threat actors are [accelerating the speed, scale and sophistication of their campaigns](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report#threats-and-trends), increasingly targeting legitimate credentials to quietly access systems and escalate privileges. Once inside, they move fast and across the board -- from identity providers to cloud services, SaaS platforms, endpoints and other critical systems. These identity-driven attacks are hard to detect because the activity looks legitimate, which makes real-time behavioral detection critical.

Cloud security posture management (CSPM) tools focus on identifying configuration risks but do not offer runtime protection to detect and respond to active threats. They also rarely connect the dots between identity systems, infrastructure and application activity.

A recent incident involving a sophisticated threat actor highlights this challenge. The attack began with social engineering, which enabled privilege escalation across systems like Okta, Office 365 and AWS. The attackers mapped high-value data assets and attempted to exfiltrate sensitive files while leveraging native tools to avoid detection. The blueprint presented in this attack reflects how cloud threats are evolving: distributed across services, identity-driven, and often invisible to traditional security tools.
A solution like Cortex Cloud, which correlates signals across diverse data sources, is pivotal for detecting signatureless activity and surfacing context-rich alerts that enable swift, effective response.

## A Modern Attack in the Wild: The Scattered Spider Example

A recent financially motivated campaign by the threat actor (TA) [Muddled Libra](https://unit42.paloaltonetworks.com/muddled-libra/) (aka "Scattered Spider", UNC3944) illustrates how attackers exploit identities and trusted native tools to compromise systems stealthily.

### Initial Access

The attack began with a phone call to an executive-level employee. Vishing (voice phishing) is often used by TAs to acquire credentials. Credential theft can be performed by directing the target to log in to a fake, attacker-controlled Okta page, or by persuading the user to reset their password to one provided by the attackers.

Having captured the executive's credentials, the TA promptly reset the user's password and enrolled a new multifactor authentication (MFA) device, locking the victim out of their account and enabling the TA to gain administrative control over the Okta environment.

### Privilege Escalation & Lateral Movement

With administrator privileges in Okta, the TA obtained broad access across the organization, using single sign-on (SSO) not only for pivoting but also to escalate their privileges in other systems, including Office 365, SharePoint and AWS.

The TA's privilege escalation actions, such as creating new users and assigning admin rights, occurred in Okta, but the impact of those actions played out in AWS. This is the essence of cross-data-source detection -- the security event is initiated in one environment, while its real consequences unfold in another. Without a unified data lake capable of correlating identity changes in Okta with subsequent cloud activity in AWS, such an attack could easily go undetected until significant damage occurs.
### Discovery & Enumeration

Scattered Spider uses native SaaS interfaces, built-in AWS tools, and APIs to map high-value targets discreetly. In this tactic, dubbed "Living off the Land", the TA utilizes legitimate binaries, like AWS CLI, instead of known exploits, evading signature-based detection and necessitating advanced behavioral analysis.

For example, Scattered Spider leveraged the AWS Systems Manager (SSM) service to execute arbitrary commands directly on EC2 instances, using APIs such as StartSession or SendCommand. Similar APIs also exist on other CSPs, such as Azure runcommand.

### Pinpoint Exfiltration & Impact

Armed with precise insights gained through enumeration, the attackers swiftly identified critical data repositories, such as financial data stored in AWS. Utilizing their privileged access, the TA focused on executive-level data (e.g. financially related documents). Such information can be exfiltrated from services such as S3, EBS snapshots, and Office 365.

## Cortex CDR: Purpose-Built for Real-World Threats

Most security tools detect isolated events and lack the ability to identify multistage, stealthy attacks, like those conducted by Scattered Spider. Cortex Cloud Detection and Response (CDR) takes a fundamentally different approach. It ingests telemetry from across your environment and enriches it with cloud posture context, enabling the detection of early attack signals that traditional tools often miss.

To illustrate the breadth of data sources and correlations involved in this incident, we'll walk through a few of the key detectors that contributed to its detection.

![Figure 1: Cortex detectors in action](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340247-1-1.png)

Figure 1: Cortex detectors in action

By inspecting and correlating signals from Okta, AWS CloudTrail and Office 365 access provider event logs, Cortex CDR uncovered the full lifecycle of the attack.
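As an added illustration (not Cortex code, and not the actual logic of any detector named in this post), the following Python correlates constructed Okta system-log and CloudTrail records for one identity, applies stage rules matching the signals this walkthrough describes (password reset plus new MFA factor, first console login or new access key, multi-region enumeration, multi-object download), and lifts the severity when a DSPM-style label marks a downloaded object as sensitive. The SSO role-session-name mapping, the thresholds and every sample value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real logs): the Okta eventType and CloudTrail eventName values
# are genuine field values; users, account IDs, buckets and object keys are made up.
OKTA_LOG = [
    {"published": "2025-06-01T09:00:00Z", "eventType": "user.account.reset_password",
     "target": "cfo@example.com"},
    {"published": "2025-06-01T09:04:00Z", "eventType": "user.mfa.factor.activate",
     "target": "cfo@example.com"},
]
ARN = "arn:aws:sts::111122223333:assumed-role/SSO-Admin/cfo@example.com"  # constructed

def ct(t, name, region, key=None):
    # Minimal CloudTrail-shaped record for the sample data
    rec = {"eventTime": t, "eventName": name, "awsRegion": region, "userIdentity": {"arn": ARN}}
    if key:
        rec["requestParameters"] = {"bucketName": "finance-reports", "key": key}
    return rec

CLOUDTRAIL = [
    ct("2025-06-01T09:20:00Z", "ConsoleLogin", "us-east-1"),
    ct("2025-06-01T09:25:00Z", "CreateAccessKey", "us-east-1"),
    ct("2025-06-01T09:31:00Z", "DescribeInstances", "us-east-1"),
    ct("2025-06-01T09:32:00Z", "DescribeInstances", "eu-west-1"),
    ct("2025-06-01T09:33:00Z", "ListBuckets", "ap-southeast-1"),
    ct("2025-06-01T10:05:00Z", "GetObject", "us-east-1", "q1-board-deck.pdf"),
    ct("2025-06-01T10:06:00Z", "GetObject", "us-east-1", "acquisition-model.xlsx"),
    ct("2025-06-01T10:07:00Z", "GetObject", "us-east-1", "lunch-menu.pdf"),
]
# Posture context a DSPM scan would supply: which objects hold sensitive data (constructed labels)
DSPM_LABELS = {"finance-reports/q1-board-deck.pdf": "FINANCIAL",
               "finance-reports/acquisition-model.xlsx": "FINANCIAL"}
KNOWN_CONSOLE_USERS = set()  # baseline of identities already seen in the console (constructed: none)

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def sso_identity(rec):
    # Assumption: SSO-federated sessions carry the IdP user as the role session name, which is
    # the link between an Okta event and the AWS activity it enabled.
    return rec["userIdentity"]["arn"].rsplit("/", 1)[-1]

def correlate(okta_log, cloudtrail, dspm_labels, window=timedelta(hours=24)):
    """Return one incident per identity whose Okta takeover is followed by AWS activity."""
    okta, aws = defaultdict(dict), defaultdict(list)
    for e in okta_log:
        okta[e["target"]][e["eventType"]] = ts(e["published"])
    for r in cloudtrail:
        aws[sso_identity(r)].append(r)
    incidents = []
    for user, types in okta.items():
        reset, mfa = types.get("user.account.reset_password"), types.get("user.mfa.factor.activate")
        if not (reset and mfa and abs(mfa - reset) <= timedelta(hours=1)):
            continue  # no account-takeover signal, so nothing to correlate the AWS activity with
        stages = {"account_takeover": "password reset + new MFA factor within 1h"}
        later = [r for r in aws[user] if reset <= ts(r["eventTime"]) <= reset + window]
        names = {r["eventName"] for r in later}
        if ("ConsoleLogin" in names and user not in KNOWN_CONSOLE_USERS) or "CreateAccessKey" in names:
            stages["foothold"] = "first console login / new access key"
        regions = {r["awsRegion"] for r in later if r["eventName"].startswith(("Describe", "List"))}
        if len(regions) >= 3:
            stages["enumeration"] = f"read-only API calls across {len(regions)} regions"
        objs = [r["requestParameters"]["bucketName"] + "/" + r["requestParameters"]["key"]
                for r in later if r["eventName"] == "GetObject"]
        sensitive = sorted(o for o in objs if o in dspm_labels)
        if len(objs) >= 3:
            stages["exfiltration"] = f"{len(objs)} objects downloaded, {len(sensitive)} labelled sensitive"
        # The DSPM label, not the download count, is what lifts a three-file download to critical
        severity = "critical" if "exfiltration" in stages and sensitive else "high" if len(stages) >= 3 else "medium"
        incidents.append({"identity": user, "stages": stages, "severity": severity, "sensitive": sensitive})
    return incidents

print(correlate(OKTA_LOG, CLOUDTRAIL, DSPM_LABELS))
```

Dropping the MFA-activation event yields no incident at all, and dropping the CloudTrail records leaves a medium-severity takeover with no cloud stages: the severity comes from the chain, not from any single event.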
Cortex CDR detected the password reset, as well as anomalous MFA device enrollment and API tokens originating from unfamiliar networks, immediately flagging potential account takeovers before further lateral movement could be achieved.

* Detectors: Okta account reset password attempt, Okta device assignment, User added a new device to Okta Verify instance

Cortex CDR flagged a number of abnormal behaviors that are indicative of attackers using legitimate cloud credentials to establish a foothold in the cloud for persistence and the next phases of the attack.

* Detectors: A user logged in to the AWS console for the first time, Cloud unusual access key creation

Cortex CDR detected cloud identities attempting to discover available infrastructure and services, often a sign that an attacker is mapping out the environment.

* Detectors: Cloud infrastructure enumeration activity, Multi region enumeration activity

The TA was very selective, targeting the exfiltration of a handful of files, a challenging scenario to detect. However, by leveraging the Data Security Posture Management (DSPM) capability, the Cortex Cloud platform identified that the exfiltrated files contained sensitive data, automatically raising the alert's severity and bringing focus to otherwise under-the-radar attacker activity.
* Detectors: An identity performed a suspicious download of multiple cloud storage objects, User accessed multiple O365 AIP sensitive files, Cloud snapshot containing sensitive data was shared with unusual AWS account(s)

![Figure 2: Cortex Detection Engine](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340247-2-1.png)

Figure 2: Cortex Detection Engine

## The Architectural Advantage: Unified Detection Across Domains

### Out of the Box Cross-Domain Detection

With Cortex Cloud, events from Okta, cloud service providers, Azure AD, SaaS logs, network, endpoint, container runtime data and more are streamed into a unified data lake that uses advanced detectors to uncover the most sophisticated threats.

### Context-Aware Severities

In addition to runtime events, the Cortex Cloud data lake ingests posture findings from various modules (Cloud, Data, AI, Identity, Kubernetes and more). Cortex Cloud automatically leverages these findings for context-enhanced detections. For example, if a suspicious action targets a production asset that contains PII, Cortex Cloud factors that into the alert, ensuring alerts reflect not just the security issue but also the sensitivity and exposure of the affected asset.

### Precision AI-Driven Investigation

SmartGrouping connects related tactics such as initial access, persistence, and exfiltration into a single incident with a clear timeline and causal context. Analysts no longer need to jump between tools or guess what's related. They get the full picture quickly, reducing triage time from hours to minutes.

![Figure 3: SmartGrouping within a Security Incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340247-3-1.png)

Figure 3: SmartGrouping within a Security Incident

### Automated Response

Cortex Cloud features [hundreds of out-of-the-box playbooks](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-cloud-cryptojacking-response/) for SOAR.
Security teams can act fast, using workflows that can be triggered manually or configured to run automatically based on predefined rules. This gives teams the ability to respond in minutes, not hours or days.

![Figure 4: Cloud response playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340247-4-1.png)

Figure 4: Cloud response playbook

## See it in Action

**Interested in learning more about Cortex Cloud? Check out the [product tour](https://cloud-demo.paloaltonetworks.com/share/5qhhyldi7zlz) or sign up for a [personalized demo](https://www.paloaltonetworks.com/cortex/cdr-demo).**