T1087.003 Google Chronicle · YARA-L

Detect Email Account in Google Chronicle

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.003 Email Account
Canonical reference
https://attack.mitre.org/techniques/T1087/003/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1087_003_email_account_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1087.003 Email Account enumeration via PowerShell GAL cmdlets, MailSniper toolkit, Exchange Online remote session establishment, Ruler tool GAL dumping, and LDAP queries targeting Exchange email attributes"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1087/003/"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(powershell|pwsh)\.exe/
    (
      $e.target.process.command_line = /(?i)(get-globaladdresslist|get-addresslist|get-offlineaddressbook|get-recipient|get-mailuser|get-mailbox)/
      or
      $e.target.process.command_line = /(?i)(mailsniper|invoke-globalo365passwordspray|invoke-selfsearch|invoke-passwordsprayowa|invoke-passwordsprayews)/
      or
      $e.target.process.command_line = /(?i)(connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com)/
      or
      $e.target.process.command_line = /(?i)ruler.{0,30}(gal|dump|enum|brute)/
      or
      (
        $e.target.process.command_line = /(?i)ldap/
        and
        $e.target.process.command_line = /(?i)(proxyaddresses|targetaddress|msexch)/
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 detection rule for T1087.003 email account enumeration. It fires on PROCESS_LAUNCH UDM events where the spawned process is PowerShell (powershell.exe or pwsh.exe) and the command line matches one or more of: Exchange GAL enumeration cmdlets (Get-GlobalAddressList, Get-Mailbox, Get-Recipient, etc.), MailSniper toolkit function invocations, Exchange Online remote session strings (Connect-ExchangeOnline, ExchangeManagementShell, outlook.office365.com), Ruler tool arguments targeting GAL or mailbox dumping, or LDAP query strings that also reference Exchange-specific email attributes (proxyAddresses, targetAddress, msExch*). Note that only the raw command line is inspected; script content that reaches PowerShell by other routes (a script file, an encoded command) is visible only through complementary sources such as ScriptBlock logging. Maps to the MITRE ATT&CK Discovery tactic, T1087.003. Process telemetry must be ingested as UDM PROCESS_LAUNCH events from a supported log source (Sysmon, CrowdStrike, MDE, Windows Security).

Data Sources

  • Google Chronicle UDM ingestion from Windows Sysmon (via forwarder)
  • Google Chronicle UDM ingestion from CrowdStrike Falcon (native integration)
  • Google Chronicle UDM ingestion from Microsoft Defender for Endpoint (native integration)
  • Google Chronicle UDM ingestion from Windows Security Event Log (via Google Cloud Chronicle forwarder or Bindplane)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH, carrying:
  • target.process.file.full_path (spawned process image full path)
  • target.process.command_line (full command line of spawned process)
  • principal.hostname (source workstation or server hostname)
  • principal.user.userid (account executing the process)

False Positives & Tuning

  • Exchange administrators running Get-GlobalAddressList, Get-Mailbox, or Get-Recipient interactively or via scheduled task for legitimate mailbox management, GAL synchronisation, or compliance-driven address book exports that are part of approved change management
  • IT automation platforms (Ansible, Puppet, PowerShell DSC, Microsoft Endpoint Manager) executing Exchange management tasks via PowerShell as part of configuration management pipelines for user provisioning, group membership, or licence assignment
  • Authorised email migration projects (Microsoft FastTrack, BitTitan, Quest) where engineering teams use Exchange PowerShell to enumerate mailboxes and build migration batches as part of a tenant-to-tenant or on-premises-to-cloud migration
  • Security tooling or SIEM connectors using Exchange PowerShell to collect audit telemetry, DLP policy data, or mailbox access logs from Exchange Online as part of security monitoring integrations
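
The following Python is an added example and not the page's rule, nor code from Argus Detection Engineering or Google. It re-implements the events block of the YARA-L rule above so the matching logic can be exercised offline against constructed UDM-shaped events, layers on the allowlist tuning suggested by the False Positives section (suppress an approved automation account on its approved management host), and shows one caveat a detection engineer should keep in mind: the rule reads only the raw command line, so a -EncodedCommand payload does not match until it is decoded (the same gap that 4104 ScriptBlock logs, listed under Testing Methodology, are meant to close). The event dict layout, the APPROVED_EXCHANGE_ADMINS allowlist, and every hostname, userid, path and command line below are assumptions constructed for the example.

```python
"""Python model of the YARA-L events block on this page, plus allowlist tuning and an
-EncodedCommand caveat. Added example, not Argus Detection Engineering or Google code.
Events are minimal UDM-shaped dicts and every sample below is constructed."""
import base64
import re

# Regexes transcribed from the rule's events section (inline (?i) = case-insensitive, as in YARA-L).
PS_IMAGE = re.compile(r"(?i)(powershell|pwsh)\.exe")
GAL_CMDLETS = re.compile(r"(?i)(get-globaladdresslist|get-addresslist|get-offlineaddressbook|"
                         r"get-recipient|get-mailuser|get-mailbox)")
MAILSNIPER = re.compile(r"(?i)(mailsniper|invoke-globalo365passwordspray|invoke-selfsearch|"
                        r"invoke-passwordsprayowa|invoke-passwordsprayews)")
EXO_SESSION = re.compile(r"(?i)(connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com)")
RULER = re.compile(r"(?i)ruler.{0,30}(gal|dump|enum|brute)")
LDAP = re.compile(r"(?i)ldap")
EXCH_ATTRS = re.compile(r"(?i)(proxyaddresses|targetaddress|msexch)")
# PowerShell's -EncodedCommand switch and its short forms, followed by a base64 UTF-16LE script.
ENCODED_ARG = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})")

# Hypothetical allowlist for tuning: (userid, hostname) pairs covered by approved change management.
APPROVED_EXCHANGE_ADMINS = {("svc_exchange_automation", "exch-mgmt01")}


def command_line_matches(cmd: str) -> bool:
    """The parenthesised OR block of the rule, evaluated against one command line."""
    return bool(GAL_CMDLETS.search(cmd) or MAILSNIPER.search(cmd) or EXO_SESSION.search(cmd)
                or RULER.search(cmd) or (LDAP.search(cmd) and EXCH_ATTRS.search(cmd)))


def decode_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand script to cmd; return cmd unchanged if absent or undecodable."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return cmd
    return f"{cmd} {script}"


def matches_rule(event: dict, decode_encoded: bool = False) -> bool:
    """Mirror of the YARA-L rule. decode_encoded=True additionally inspects the decoded
    -EncodedCommand script, which the rule as written on the page does not do."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return False
    proc = event.get("target", {}).get("process", {})
    if not PS_IMAGE.search(proc.get("file", {}).get("full_path", "")):
        return False
    cmd = proc.get("command_line", "")
    if decode_encoded:
        cmd = decode_encoded_command(cmd)
    return command_line_matches(cmd)


def triage(event: dict) -> str:
    """'no_match', 'suppressed' (allowlisted admin on its approved host) or 'alert'."""
    if not matches_rule(event, decode_encoded=True):
        return "no_match"
    principal = event.get("principal", {})
    who = (principal.get("user", {}).get("userid", ""), principal.get("hostname", ""))
    return "suppressed" if who in APPROVED_EXCHANGE_ADMINS else "alert"


def udm_process_launch(image: str, cmd: str, host: str, user: str) -> dict:
    """Build a minimal UDM-shaped PROCESS_LAUNCH event (constructed, not real telemetry)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"hostname": host, "user": {"userid": user}},
            "target": {"process": {"file": {"full_path": image}, "command_line": cmd}}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
# Constructed encoded payload: the same GAL export, base64(UTF-16LE) as PowerShell expects it.
ENCODED = base64.b64encode("Get-GlobalAddressList | Export-Csv gal.csv".encode("utf-16-le")).decode()

SAMPLE_EVENTS = {  # all constructed
    "gal_export": udm_process_launch(PS, 'powershell.exe -NoP -Command "Connect-ExchangeOnline; '
                                     'Get-GlobalAddressList | Export-Csv $env:TEMP\\gal_output.csv"',
                                     "ws-finance-07", "jdoe"),
    "ldap_attrs": udm_process_launch(PWSH, "pwsh.exe -File ldap_emails.ps1 -Root LDAP://DC=corp,DC=example "
                                     "-Attributes mail,proxyAddresses", "ws-hr-12", "asmith"),
    "approved_admin": udm_process_launch(PS, 'powershell.exe -Command "Get-Mailbox -ResultSize Unlimited"',
                                         "exch-mgmt01", "svc_exchange_automation"),
    "encoded": udm_process_launch(PS, f"powershell.exe -NoP -enc {ENCODED}", "ws-dev-03", "bjones"),
    "benign": udm_process_launch(PS, "powershell.exe -NoP -Command Get-Process", "ws-dev-03", "bjones"),
    "not_powershell": udm_process_launch(r"C:\Windows\System32\cmd.exe",
                                         "cmd.exe /c findstr Get-Mailbox C:\\logs\\exch.log", "ws-dev-03", "bjones"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:15} raw={matches_rule(ev)!s:5} decoded={matches_rule(ev, True)!s:5} -> {triage(ev)}")
```

Running the block prints one line per sample event: the two enumeration command lines and the decoded payload alert, the approved automation account on its management host is suppressed rather than alerted, and the benign and non-PowerShell events do not match. The allowlist keys on the (userid, hostname) pair rather than the account alone, so the same service account running the cmdlets from an unexpected workstation still alerts; that is the tuning shape the False Positives section calls for.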

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Get-GlobalAddressList via PowerShell (Exchange Online)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.

  2. Test 2: MailSniper Get-GlobalAddressList Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.

  3. Test 3: LDAP Query for Email Attributes

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.

  4. Test 4: Non-Outlook Process Accessing Outlook PST File

    Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.

Unlock Pro Content

Get the full detection package for T1087.003 including response playbook, investigation guide, and atomic red team tests.