← Back to Cybersecurity News Center
Severity
HIGH
CVSS
9.5
Priority
0.651
×
Tip
Pick your view
Analyst for full detail, Executive for the short version, or Plain & Simple if you are not a tech person.
Analyst
Executive
Plain & Simple
Executive Summary
Medtronic, the world's largest medical device manufacturer, confirmed unauthorized access to corporate IT systems following claims by threat actor ShinyHunters of stealing over 9 million PII records and terabytes of internal data. Medtronic states that patient safety systems, medical devices, and manufacturing operations were not disrupted, attributing this to network segmentation between corporate IT and operational environments. The breach carries significant regulatory exposure under HIPAA and SEC cybersecurity disclosure rules, and an active extortion campaign is ongoing.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
👤
Are you affected?
Probably, if you are or were a Medtronic employee, patient, or partner, your personal information may have been taken.
🔓
What got out
Suspected: Personal information such as names and contact details, not yet fully confirmed by Medtronic
Suspected: Up to 9 million people's records, exact types not yet confirmed
Confirmed: Medtronic says its medical devices and health systems were not affected
✅
Do this now
1 Watch your email and post for any official letter from Medtronic about this incident. 2 Be suspicious of emails or calls claiming to be from Medtronic asking for personal details. 3 If you have a Medtronic online account, change your password and turn on a second password sent to your phone.
👀
Watch for these
Scam emails or calls pretending to be from Medtronic or your doctor.
Unexpected letters or bills related to medical services you did not receive.
Anyone asking you to confirm personal details because of a 'security issue' at Medtronic.
🌱
Should you worry?
Your medical devices are not affected, Medtronic confirmed this clearly. The main risk right now is scammers using your personal details to trick you, not anything happening to your health.
Want more detail? Switch to the full analyst view →
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
ShinyHunters
TTP Sophistication
HIGH
9 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Medtronic corporate IT systems (specific platforms and versions not publicly disclosed as of analysis date)
Are You Exposed?
⚠
Your industry is targeted by ShinyHunters → Heightened risk
⚠
You use products/services from Medtronic corporate IT systems (specific platforms and versions not publicly disclosed as of analysis date) → Assess exposure
⚠
9 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
A confirmed breach of 9 million PII records at a healthcare-adjacent company creates immediate dual regulatory exposure: HIPAA breach notification obligations (45 CFR Parts 160 and 164) and SEC cybersecurity incident disclosure requirements (17 CFR 229.106 and 249.308), both of which carry material financial and legal consequences for non-compliance. An active extortion campaign by ShinyHunters introduces ongoing reputational and operational risk, including the possibility of public data release if demands are not met. While Medtronic reports no disruption to devices or manufacturing, the breach of corporate PII at this scale will draw regulatory scrutiny, patient notification costs, and sustained media attention.
You Are Affected If
You are a Medtronic employee, contractor, or partner whose PII was stored in affected corporate IT systems
Your organization has vendor or data-sharing relationships with Medtronic that may have exposed data to the compromised environment
Your organization uses similar credential management and cloud storage configurations to those suspected in this breach (CWE-522, CWE-284) — treat this as a prompt for internal credential hygiene review
You are a healthcare organization subject to HIPAA that shares patient or employee data with Medtronic and must assess whether downstream breach notification obligations apply
You are a Medtronic shareholder or covered entity assessing SEC disclosure and HIPAA notification timelines as the investigation scope is confirmed
Board Talking Points
Medtronic confirmed unauthorized access to corporate IT systems; a threat actor claims 9 million personal records were stolen and is actively demanding payment.
Legal and compliance teams should be engaged immediately to assess HIPAA breach notification and SEC disclosure obligations before the regulatory clock runs out.
Without confirmed scope and a formal breach assessment, the organization faces compounding regulatory, legal, and reputational exposure the longer the response is delayed.
HIPAA (45 CFR Parts 160 and 164) — breach of PII at a medical device manufacturer may constitute a reportable breach of protected health information depending on data categories confirmed in scope
SEC Cybersecurity Disclosure Rule (17 CFR 229.106 and 249.308) — material cybersecurity incident at a public company triggers assessment of 8-K disclosure obligations and timeline
Technical Analysis
Medtronic confirmed unauthorized access to corporate IT systems in an active extortion campaign attributed (by claim, not confirmed) to ShinyHunters.
The threat actor asserts exfiltration of 9 million PII records and terabytes of internal data; Medtronic has not independently verified the record count.
Specific affected platforms and software versions have not been publicly disclosed as of the analysis date (configuration timestamp 2026-03-04; breach event reported April 2026).
Suspected attack vectors based on CWE mapping: CWE-522 (Insufficiently Protected Credentials) and CWE-284 (Improper Access Control), consistent with ShinyHunters' historically documented TTPs of credential compromise and cloud storage harvesting. Relevant MITRE ATT&CK techniques observed or suspected: T1078 (Valid Accounts), T1566 (Phishing), T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service), T1083 (File and Directory Discovery), T1213 (Data from Information Repositories), T1486 (Data Encrypted for Impact), T1657 (Financial Theft). No CVE is associated with this incident. No patch is available; the incident is a credential/access control failure, not a software vulnerability. Investigation is ongoing. Source confidence: HIGH for breach occurrence (Medtronic confirmed); MEDIUM for 9M record count and ShinyHunters attribution (threat actor claims, not independently verified). Sources: Reuters (T2), BleepingComputer (T3), MassDevice (T3), Medtronic Security Bulletins portal (T3).
Action Checklist IR ENRICHED
Triage Priority:
IMMEDIATE
Escalate immediately to executive leadership, legal counsel, and external DFIR retainer if any evidence confirms: (1) OT/clinical network traversal beyond confirmed corporate IT scope, (2) PHI categories (patient health records, device telemetry linked to individuals) confirmed within the 9 million records, triggering HIPAA Breach Notification (45 CFR 164.400-414) within 60 days, (3) ShinyHunters posts a sample data dump publicly validating the breach claim, or (4) SEC determines the breach meets materiality threshold requiring 8-K filing within 4 business days under 17 CFR 249.308.
1
Containment: Audit all privileged and service account access in corporate IT environments immediately. Identify and revoke any sessions or tokens that cannot be traced to authorized activity. Isolate any systems with evidence of lateral movement. Confirm that segmentation between corporate IT and OT/product environments is enforced and has not been traversed.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST SC-7 (Boundary Protection)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
Export active sessions via PowerShell: Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet | Export-Csv active_accounts.csv. For cloud token audit without SIEM, use AWS CLI: aws iam generate-credential-report && aws iam get-credential-report to identify stale or unauthorized IAM credentials. For segmentation validation, use nmap from a controlled host to confirm corporate-to-OT network reachability: nmap -sn <OT_subnet_range> from a corporate VLAN — no response confirms firewall enforcement. Document firewall ACL screenshots as evidence before any rule changes.
Preserve Evidence
Before revoking sessions, capture: (1) AWS CloudTrail logs for the 90-day window prior to discovery — specifically AssumeRole, GetSessionToken, and ConsoleLogin events from unfamiliar IP ranges or user agents; (2) Azure Active Directory Sign-In Logs filtered for ShinyHunters-associated TTPs — bulk access events, service principal logins from non-datacenter IPs; (3) Windows Security Event Log Event ID 4624 (Successful Logon) and 4648 (Explicit Credential Use) on domain controllers covering the suspected dwell period; (4) Firewall flow logs between corporate IT VLANs and OT/clinical network segments to confirm or rule out lateral traversal; (5) Screenshots of current IAM role trust policies and attached permissions for all service accounts before modification.
2
Detection: Review authentication logs for anomalous Valid Accounts activity (T1078): off-hours logins, impossible travel, mass file access, and bulk downloads from cloud storage (T1530). Query email gateway and endpoint logs for phishing indicators (T1566). Search SIEM for large outbound data transfers to unfamiliar web services (T1567, T1041). ShinyHunters has historically leveraged exposed cloud credentials; audit cloud storage access logs (AWS S3, Azure Blob, GCP) for unauthorized GetObject or ListBucket events.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, execute these targeted queries directly: (1) AWS S3 — run aws s3api get-bucket-logging --bucket <bucket-name> for each bucket storing PII to confirm logging was active, then pull CloudTrail with: aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetObject --start-time <90_days_ago> --output json | jq '.Events[] | select(.Username != "expected-service-account")'. (2) For impossible travel detection without SIEM, export Azure AD sign-in logs via Microsoft Graph API or the Azure Portal and pivot on UserPrincipalName + IPAddress + timestamp in Excel or Python pandas to flag logins from two geographies within <4 hours. (3) Use Zeek or Wireshark packet captures on egress points to identify large sustained outbound connections (>500MB sessions) to non-Medtronic IP space — ShinyHunters has used cloud hosting providers as exfil destinations.
Preserve Evidence
Before tuning detection rules, preserve: (1) AWS S3 Server Access Logs and CloudTrail Data Events (s3:GetObject, s3:ListBucket) for all buckets containing PII or HR data — ShinyHunters exfiltration leaves sequential GetObject calls across thousands of keys in compressed time windows; (2) Azure AD Unified Audit Log entries for MailItemsAccessed and FileAccessed operations in SharePoint/OneDrive, which would indicate breadth of PII data accessed; (3) Email gateway quarantine and delivery logs (MX header chains, sender IP, attachment hashes) for the 60 days preceding discovery to identify the initial phishing vector ShinyHunters likely used for credential harvest; (4) NetFlow or firewall session logs showing total bytes transferred per external destination IP over the suspected exfiltration window — critical for estimating the 'terabytes of internal data' claimed by ShinyHunters; (5) DNS query logs from corporate resolvers for lookups to cloud storage endpoints (s3.amazonaws.com, blob.core.windows.net) initiated by non-standard hosts or service accounts.
3
Eradication: Reset all credentials for accounts with access to affected corporate IT systems, prioritizing service accounts, admin accounts, and accounts with cloud storage permissions. Enforce MFA on all authentication paths where it is not already required. Remediate any identified access control gaps (CWE-284) by reviewing IAM policies and removing excessive permissions. Rotate API keys and tokens associated with affected environments.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication and Recovery
NIST IA-5 (Authenticator Management)
NIST AC-2 (Account Management)
NIST SI-2 (Flaw Remediation)
NIST IR-4 (Incident Handling)
CIS 5.2 (Use Unique Passwords)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
For teams without an enterprise IAM platform: (1) Use AWS IAM Access Analyzer — free, built-in — to identify overly permissive S3 bucket policies and IAM roles with cross-account trust: aws accessanalyzer list-findings --analyzer-name <analyzer> --filter 'status=eq:ACTIVE'. (2) Rotate all AWS access keys via CLI: aws iam list-access-keys --user-name <user> then aws iam delete-access-key --access-key-id <old_key> --user-name <user> && aws iam create-access-key --user-name <user>. (3) Enforce MFA enrollment for all admin accounts using Azure AD Conditional Access free tier or AWS IAM policy condition 'aws:MultiFactorAuthPresent': 'true' on all S3 and IAM actions. Document each credential reset with timestamp, resetting analyst, and target account for HIPAA audit trail.
Preserve Evidence
Before credential rotation, capture: (1) IAM credential report (aws iam get-credential-report) showing access_key_last_used, password_last_used, and mfa_active status — this establishes which accounts were active during the breach window and whether MFA was absent; (2) Azure AD registered MFA methods per user (exportable via Microsoft Graph: GET /users/{id}/authentication/methods) to document the pre-eradication MFA gap that ShinyHunters exploited; (3) Full export of AWS IAM policy attachments for all service accounts with S3 permissions — preserves the over-permissioned state as evidence of CWE-284 for the post-incident review and any regulatory investigation; (4) List of all active OAuth tokens and refresh tokens issued to third-party integrations (exportable from Azure AD Enterprise Applications > Permissions blade) before revocation.
4
Recovery: Validate that segmentation between corporate IT and OT/clinical systems is intact by reviewing firewall rules, network access controls, and asset inventories. Monitor post-reset authentication patterns for re-compromise indicators. Confirm no persistence mechanisms (scheduled tasks, new accounts, modified MFA configurations) were established by the threat actor before eradication.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SC-7 (Boundary Protection)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 4.2 (Establish and Maintain a Secure Configuration Process for Network Infrastructure)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
Compensating Control
For persistence hunting without EDR: (1) Query all domain controllers for accounts created after the estimated breach start date: Get-ADUser -Filter {WhenCreated -gt (Get-Date).AddDays(-90)} -Properties WhenCreated,LastLogonDate | Export-Csv new_accounts.csv. (2) Hunt for unauthorized scheduled tasks across Windows hosts using: Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'} | Select TaskName,TaskPath,@{N='RunAs';E={$_.Principal.UserId}} — flag any tasks running as SYSTEM or admin accounts not in the approved baseline. (3) Audit MFA configuration changes in Azure AD via the Audit Log filtered on 'Update user' and 'Delete authentication method' operations during the breach window. (4) Use osquery (free) to verify firewall rule state on all corporate hosts: SELECT * FROM iptables WHERE chain='INPUT' AND action='ACCEPT' — compare against your documented baseline.
Preserve Evidence
Before declaring recovery complete, preserve: (1) Firewall rule export (show running-config or equivalent) from all perimeter and internal segmentation devices — timestamped post-incident — to establish that no rules were added by the threat actor to facilitate OT access; (2) Windows Security Event Log Event ID 4720 (User Account Created) and 4732 (Member Added to Security-Enabled Local Group) from all domain controllers covering the full dwell period — ShinyHunters may have established backdoor accounts for re-entry; (3) Azure AD audit log entries for 'Update authentication methods' and 'Disable strong authentication' operations — threat actors modifying MFA registrations is a documented ShinyHunters persistence technique; (4) Hash verification of scheduled task XML definitions in C:\Windows\System32\Tasks\ against a known-good baseline to detect backdoored tasks.
5
Post-Incident: Conduct a credential hygiene audit across all corporate systems; ShinyHunters consistently exploits credential reuse and weak authentication. Review cloud storage bucket permissions and access logging configurations. Evaluate HIPAA Breach Risk Assessment obligations under 45 CFR 164.402 for all affected PII categories. Assess SEC 8-K disclosure timeline requirements under 17 CFR 249.308. Brief legal and compliance on the dual HIPAA/SEC regulatory exposure before public statements.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-8 (Incident Response Plan)
NIST IR-5 (Incident Monitoring)
NIST AU-11 (Audit Record Retention)
NIST SI-2 (Flaw Remediation)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 3.2 (Establish and Maintain a Data Inventory)
Compensating Control
For credential hygiene audit without enterprise tooling: (1) Run Have I Been Pwned API checks (free tier, haveibeenpwned.com/API/v3) against corporate email domains to identify accounts with credentials in known breach corpora — ShinyHunters actively uses credential stuffing from prior breach datasets. (2) Audit S3 bucket logging gaps: aws s3api get-bucket-logging --bucket <name> for every bucket; any bucket returning an empty LoggingEnabled block had no access logs during the breach — document these for the HIPAA risk assessment as a data access uncertainty. (3) Use ScoutSuite (open source, GitHub: nccgroup/ScoutSuite) to generate a cloud security posture report across AWS/Azure/GCP — produces HTML evidence suitable for compliance documentation without a commercial CSPM tool.
Preserve Evidence
Preserve for regulatory and legal hold: (1) Complete AWS CloudTrail event history for the 90-day window before discovery — this is the primary evidence base for the HIPAA Breach Risk Assessment's 'probability that PHI was compromised' analysis under 45 CFR 164.402; (2) Data classification inventory mapping which S3 buckets, SharePoint libraries, or database exports contained the 9 million PII records ShinyHunters claims — required to determine which HIPAA covered data categories (name, DOB, SSN, health information) were exposed and to scope the SEC materiality determination; (3) ShinyHunters extortion communications (screenshots, email headers, dark web post archives) — preserve with timestamps and chain of custody for law enforcement referral and to support the SEC 8-K timeline reconstruction; (4) Network flow records showing total exfiltration volume and destination IPs — required to substantiate or refute the 'terabytes of internal data' claim for both HIPAA risk assessment and SEC materiality analysis; (5) Pre-incident and post-incident MFA enrollment rates and IAM policy exports — demonstrates due diligence posture for HHS OCR investigation and SEC disclosure context.
Recovery Guidance
Post-containment, enforce a 90-day enhanced monitoring period on all corporate IT authentication systems, with daily review of AWS CloudTrail and Azure AD sign-in logs for any credential usage patterns matching the pre-discovery anomalies — ShinyHunters has demonstrated re-entry into insufficiently remediated environments in prior campaigns (e.g., Snowflake customer breaches, 2024). Validate cloud storage bucket permissions quarterly against a hardened baseline and confirm server-side logging is active on all buckets storing PII before any regulatory reporting is finalized. Treat the absence of confirmed OT/clinical impact as a segmentation assumption requiring active validation — commission a dedicated firewall rule and network flow audit by a third party before closing the OT scope question.
Key Forensic Artifacts
AWS CloudTrail Data Events for s3:GetObject and s3:ListBucket across all PII-holding buckets — sequential bulk GetObject calls within compressed time windows are the primary forensic signature of ShinyHunters-style cloud storage exfiltration and will establish both the scope of records accessed and the exfiltration timeline.
Azure Active Directory Unified Audit Log entries for FileAccessed, MailItemsAccessed, and UserLoggedIn operations — combined with impossible-travel analysis on source IPs, these establish the identity of compromised accounts and the breadth of PII categories accessed across SharePoint, OneDrive, and Exchange Online.
Email gateway delivery and quarantine logs (MX header chains, sender reputation scores, attachment SHA-256 hashes) for the 60-90 days preceding discovery — ShinyHunters has historically initiated corporate intrusions via credential phishing, and this log set identifies the initial access vector and earliest known compromise date for HIPAA breach timeline calculations.
Windows Security Event Log Event IDs 4624, 4648, 4720, and 4732 on all domain controllers — these establish lateral movement paths, backdoor account creation, and privilege escalation activity during the dwell period between initial access and detection, directly supporting the HIPAA risk assessment's 'scope of compromise' determination.
NetFlow or firewall session logs showing session volume (bytes transferred) per external destination IP during the suspected exfiltration window — this is the primary evidence for substantiating or refuting ShinyHunters' 'terabytes of internal data' claim, required for both HIPAA breach risk assessment and SEC materiality analysis under 17 CFR 249.308.
Detection Guidance
Priority detection focus: Valid Accounts abuse (T1078 ) and cloud data exfiltration (T1530 , T1567 ).
Query authentication logs for accounts logging in from new geolocations, at unusual hours, or accessing large volumes of files in short windows.
In cloud environments (AWS CloudTrail, Azure Monitor, GCP Audit Logs), search for GetObject, CopyObject, or ListBucket calls at volume from user accounts rather than service roles, particularly outside business hours.
Look for bulk downloads from SharePoint, OneDrive, or internal data repositories (T1213 ). For exfiltration detection: alert on large outbound transfers to non-corporate SaaS endpoints or public cloud storage URLs. Review web proxy and DLP logs for uploads to file-sharing services. ShinyHunters has historically used legitimate cloud infrastructure for staging, so destination reputation alone is insufficient; volume and timing anomalies are more reliable signals. No public IOCs (IPs, domains, file hashes) have been confirmed by Medtronic or law enforcement as of available reporting. Treat any IOCs circulating in third-party reporting as MEDIUM confidence until officially confirmed.
Indicators of Compromise (1)
Export as
Splunk SPL
KQL
Elastic
Copy All (1)
1 domain
Type Value Enrichment Context Conf.
⌘ DOMAIN
No confirmed IOCs available
VT
US
No IPs, domains, hashes, or URLs have been officially confirmed by Medtronic or law enforcement as of available reporting. Do not treat unverified third-party IOC claims as confirmed.
LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Ransomware activity
KQL Query Preview
Read-only — detection query only
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
| where FileName endswith_any (".encrypted", ".locked", ".crypto", ".crypt", ".enc", ".ransom")
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
Copy JSON
[
{
"type": "domain",
"value": "No confirmed IOCs available",
"source": "SCC Threat Intel",
"description": "No IPs, domains, hashes, or URLs have been officially confirmed by Medtronic or law enforcement as of available reporting. Do not treat unverified third-party IOC claims as confirmed.",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-27T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1078
T1567
T1530
T1041
T1657
T1486
+3
AC-2
AC-6
IA-2
IA-5
CA-7
SC-7
+8
A01:2021
A04:2021
A07:2021
164.312(a)(1)
164.308(a)(5)(ii)(D)
164.312(d)
MITRE ATT&CK Mapping
T1078
Valid Accounts
defense-evasion
T1567
Exfiltration Over Web Service
exfiltration
T1530
Data from Cloud Storage
collection
T1041
Exfiltration Over C2 Channel
exfiltration
T1657
Financial Theft
impact
T1486
Data Encrypted for Impact
impact
T1083
File and Directory Discovery
discovery
T1213
Data from Information Repositories
collection
T1566
Phishing
initial-access
Guidance Disclaimer
