Detect Email Account in CrowdStrike LogScale
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1087 Account Discovery
- Sub-technique: T1087.003 Email Account
- Canonical reference: https://attack.mitre.org/techniques/T1087/003/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName=/(?i)(powershell|pwsh)\.exe/
| CommandLine=/(?i)(get-globaladdresslist|get-addresslist|get-offlineaddressbook|get-recipient|get-mailuser|get-mailbox|mailsniper|invoke-globalo365passwordspray|invoke-selfsearch|invoke-passwordsprayowa|invoke-passwordsprayews|connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com|ruler.{0,30}(?:gal|dump|enum|brute)|ldap.{0,200}(?:proxyaddresses|targetaddress|msexch))/
| case {
    CommandLine=/(?i)(get-globaladdresslist|get-addresslist|get-offlineaddressbook|get-recipient|get-mailuser|get-mailbox)/ | DetectionCategory := "GAL_Cmdlet";
    CommandLine=/(?i)(mailsniper|invoke-globalo365passwordspray|invoke-selfsearch|invoke-passwordsprayowa|invoke-passwordsprayews)/ | DetectionCategory := "MailSniper";
    CommandLine=/(?i)(connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com)/ | DetectionCategory := "Exchange_Remote";
    CommandLine=/(?i)ruler.{0,30}(?:gal|dump|enum|brute)/ | DetectionCategory := "Ruler_Tool";
    CommandLine=/(?i)ldap.{0,200}(?:proxyaddresses|targetaddress|msexch)/ | DetectionCategory := "LDAP_Email";
    // case{} applies the first matching branch only, so an event that matches several
    // patterns is labelled by the earliest one. This fallback is reached only if the
    // CommandLine filter above and the branches ever diverge.
    * | DetectionCategory := "Other"
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine,
         ParentBaseFileName, ParentCommandLine, DetectionCategory,
         TargetProcessId, ContextProcessId])
| sort(timestamp, order=desc)

Detects T1087.003 email account enumeration in CrowdStrike Falcon EDR telemetry by querying ProcessRollup2 events where PowerShell (powershell.exe or pwsh.exe) executes with a command line matching Exchange GAL enumeration cmdlets, MailSniper toolkit function names, Exchange Online remote session strings, Ruler tool GAL dumping arguments, or LDAP queries referencing Exchange-specific AD email attributes (proxyAddresses, targetAddress, msExch*). The case block labels each event with a DetectionCategory field (GAL_Cmdlet, MailSniper, Exchange_Remote, Ruler_Tool, LDAP_Email) taken from the first branch that matches, to accelerate analyst triage. The LDAP pattern places a bounded wildcard (.{0,200}) between the literal ldap and the attribute name, so the attribute may appear anywhere within 200 characters after it regardless of argument ordering; a command line that never contains the literal ldap will not hit this branch. Requires a Falcon sensor with full process command-line capture enabled.
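To make the first-match semantics of the case block and the limits of the LDAP pattern concrete, the same branch logic is re-implemented below in Python and run over constructed ProcessRollup2-style events. This is an added example, not part of the page's query; the event dicts and the audit.ps1 script name are constructed, and the regexes are copied from the query.

```python
import re

# Python re-implementation of the query's case{} block (added example, not the page's
# own query). Branches are tried in order and the first match wins, exactly as
# LogScale's case{} behaves, so an event matching several patterns is labelled by
# the earliest branch rather than by a "multiple match" bucket.
BRANCHES = [
    ("GAL_Cmdlet", r"(?i)(get-globaladdresslist|get-addresslist|get-offlineaddressbook"
                   r"|get-recipient|get-mailuser|get-mailbox)"),
    ("MailSniper", r"(?i)(mailsniper|invoke-globalo365passwordspray|invoke-selfsearch"
                   r"|invoke-passwordsprayowa|invoke-passwordsprayews)"),
    ("Exchange_Remote", r"(?i)(connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com)"),
    ("Ruler_Tool", r"(?i)ruler.{0,30}(?:gal|dump|enum|brute)"),
    ("LDAP_Email", r"(?i)ldap.{0,200}(?:proxyaddresses|targetaddress|msexch)"),
]
PROCESS = re.compile(r"(?i)(powershell|pwsh)\.exe")


def categorise(event):
    """DetectionCategory the query would assign to one ProcessRollup2 event, or None if it would not alert."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    if not PROCESS.search(event.get("FileName", "")):
        return None
    cmd = event.get("CommandLine", "")
    for label, pattern in BRANCHES:
        if re.search(pattern, cmd):
            return label
    return None


def all_matches(cmd):
    """Every branch the command line satisfies; shows what first-match labelling hides from triage."""
    return [label for label, pattern in BRANCHES if re.search(pattern, cmd)]


# Constructed sample events (not real telemetry); audit.ps1 is a hypothetical script name.
SAMPLE_EVENTS = [
    # Matches both GAL_Cmdlet and Exchange_Remote; only GAL_Cmdlet is reported.
    {"event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "CommandLine": 'powershell.exe -c "Connect-ExchangeOnline; Get-GlobalAddressList | Export-Csv gal_output.csv"'},
    # The literal "ldap" precedes the attribute within 200 characters, so LDAP_Email fires.
    {"event_simpleName": "ProcessRollup2", "FileName": "pwsh.exe",
     "CommandLine": "pwsh.exe -File audit.ps1 -SearchBase LDAP://DC=corp,DC=example -Attribute proxyAddresses"},
    # Same attribute but no "ldap" literal anywhere: the LDAP_Email branch does not fire.
    {"event_simpleName": "ProcessRollup2", "FileName": "pwsh.exe",
     "CommandLine": "pwsh.exe -File audit.ps1 -Attribute proxyAddresses"},
    # Not a PowerShell host process, so the FileName filter drops it before case{}.
    {"event_simpleName": "ProcessRollup2", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /c type gal_output.csv"},
]
```

Running categorise over the third event returns None, which is the coverage gap to keep in mind when an LDAP search is expressed without a literal LDAP:// path.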
False Positives & Tuning
- Exchange Online administrators using the ExchangeOnlineManagement PowerShell module from authorised management workstations for routine operations such as bulk mailbox moves, distribution list audits, or GAL rebuilds — particularly common during M365 tenant migrations or consolidations
- IT service desk PowerShell runbooks that invoke Get-MailUser or Get-Recipient to validate email existence or resolve delivery failures as part of automated ticketing system integrations (ServiceNow, Jira Service Management)
- Third-party Microsoft 365 management tools (CodeTwo, SkyKick, Veeam Backup for M365, Barracuda) that authenticate via Exchange Online PowerShell to perform backup, policy enforcement, or archiving tasks on scheduled intervals
- Developer or DevOps engineers running Exchange cmdlets on developer workstations as part of integration testing, CI/CD pipeline smoke tests, or local debugging of Exchange-integrated applications
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Get-GlobalAddressList via PowerShell (Exchange Online)
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If the connection succeeds, Sysmon Event ID 3 showing a network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.
- Test 2: MailSniper Get-GlobalAddressList Simulation
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.
- Test 3: LDAP Query for Email Attributes
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to a domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.
- Test 4: Non-Outlook Process Accessing Outlook PST File
  Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing the Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.
References
- https://attack.mitre.org/techniques/T1087/003/
- https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- https://docs.microsoft.com/en-us/powershell/module/exchange/get-globaladdresslist
- https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists
- https://support.google.com/a/answer/166870?hl=en
- https://github.com/dafthack/MailSniper
- https://github.com/sensepost/ruler
- https://www.trendmicro.com/en_us/research/19/f/latest-spam-campaigns-from-ta505-now-use-ecuador-and-hong-kong-themed-ddl-files.html
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.003/T1087.003.md