Suspicious activity

AWS user created from Tor IP address

Risk Level

Imminent Compromised (2)



Orca detected that a new AWS user was created from a tor IP address - {MaliciousIp.MaliciousIp}, the operation was successful. This action may indicate of a presence of an unauthorized actor in the cloud environment. An attacker with an initial foothold, might try to create a new user to ensure a persistence access to the cloud environment.
  • Recommended Mitigation

    It is recommended to review the permissions which were used to make this api call. In addition, review the actions of the created user and remove it if it is possible.