T1087.003 IBM QRadar · QRadar

Detect Email Account in IBM QRadar

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.003 Email Account
Canonical reference
https://attack.mitre.org/techniques/T1087/003/

QRadar Detection Query

IBM QRadar AQL query:

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS source_ip,
  username,
  QIDNAME(qid) AS event_name,
  "Process CommandLine" AS command_line,
  "Parent CommandLine" AS parent_command_line,
  "Process Image" AS process_image,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  devicetype IN (12, 311, 357)
  AND "EventID" IN ('1', '4688')
  AND (
    LOWER("Process CommandLine") LIKE '%get-globaladdresslist%'
    OR LOWER("Process CommandLine") LIKE '%get-addresslist%'
    OR LOWER("Process CommandLine") LIKE '%get-offlineaddressbook%'
    OR LOWER("Process CommandLine") LIKE '%get-recipient%'
    OR LOWER("Process CommandLine") LIKE '%get-mailuser%'
    OR LOWER("Process CommandLine") LIKE '%get-mailbox%'
    OR LOWER("Process CommandLine") LIKE '%mailsniper%'
    OR LOWER("Process CommandLine") LIKE '%invoke-globalo365passwordspray%'
    OR LOWER("Process CommandLine") LIKE '%invoke-selfsearch%'
    OR LOWER("Process CommandLine") LIKE '%invoke-passwordsprayowa%'
    OR LOWER("Process CommandLine") LIKE '%invoke-passwordsprayews%'
    OR LOWER("Process CommandLine") LIKE '%connect-exchangeonline%'
    OR LOWER("Process CommandLine") LIKE '%exchangemanagementshell%'
    OR LOWER("Process CommandLine") LIKE '%outlook.office365.com%'
    OR (
      LOWER("Process CommandLine") LIKE '%ruler%'
      AND (
        LOWER("Process CommandLine") LIKE '%gal%'
        OR LOWER("Process CommandLine") LIKE '%dump%'
        OR LOWER("Process CommandLine") LIKE '%enum%'
        OR LOWER("Process CommandLine") LIKE '%brute%'
      )
    )
    OR (
      LOWER("Process CommandLine") LIKE '%ldap%'
      AND (
        LOWER("Process CommandLine") LIKE '%proxyaddresses%'
        OR LOWER("Process CommandLine") LIKE '%targetaddress%'
        OR LOWER("Process CommandLine") LIKE '%msexch%'
      )
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

Severity: high. Confidence: medium.

Detects T1087.003 email account enumeration by querying QRadar normalized events from Windows Security (EventID 4688) and Sysmon (EventID 1) process creation log sources. The command line is matched against Exchange GAL enumeration cmdlets, MailSniper toolkit strings, Exchange Online connection patterns, Ruler tool arguments (only when the ruler string is combined with gal, dump, enum or brute), and LDAP queries that reference email-specific Active Directory attributes (proxyAddresses, targetAddress, msExch*). The query requires the custom event properties Process CommandLine and Parent CommandLine to be mapped in QRadar's DSM configuration, and it restricts the search by log source type ID (the devicetype field in AQL): 12 = Windows Security Event Log, 311 = Sysmon, 357 = Windows Event Log generic. The time window is the trailing 24 hours.

Data Sources

  • Microsoft Windows Security Event Log (LOGSOURCETYPEID 12) with process creation auditing enabled
  • Microsoft Sysmon forwarded to QRadar (LOGSOURCETYPEID 311, EventID 1)
  • Microsoft Windows Event Log generic (LOGSOURCETYPEID 357)

Required Tables

  • events (QRadar normalized event store)
  • Custom QRadar DSM property 'Process CommandLine', extracted from the EventID 4688 field 'Process Command Line' or the Sysmon field 'CommandLine'
  • Custom QRadar DSM property 'Parent CommandLine', extracted from the Sysmon ParentCommandLine field
  • Custom QRadar DSM property 'Process Image', extracted from the EventID 4688 New_Process_Name field or the Sysmon Image field

False Positives & Tuning

  • Exchange administrators running scheduled PowerShell scripts for GAL exports, mailbox reporting, distribution list management, or compliance-driven address book audits that are part of documented IT change requests
  • Automated provisioning systems (ServiceNow, SailPoint, Saviynt, Active Roles) that invoke Exchange PowerShell cmdlets as part of joiner-mover-leaver identity lifecycle workflows triggered at onboarding or offboarding
  • Email archiving and eDiscovery compliance tools using Exchange Web Services or PowerShell to query mailboxes and address lists for legal hold or GDPR-driven data export requests
  • Help desk automation that calls Get-MailUser or Get-Recipient to resolve email routing issues or verify mailbox existence during ticket handling
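The following is an added example, not the page's or IBM's own code: an offline re-implementation of the AQL predicate from the detection query, with the allowlist layer that the tuning bullets above call for, so the matching logic can be unit-tested against sample events before the rule is deployed. The sample events, the service-account names in the allowlist and the event shape are constructed assumptions; the log source type IDs and match terms are the ones the query uses.

```python
"""Offline mirror of the AQL WHERE clause plus a tuning allowlist.
Added example, not IBM's or the page's own code. Sample events and
allowlisted account names are constructed for illustration."""

# Substrings the AQL checks with LOWER(...) LIKE '%term%'.
SIMPLE_TERMS = (
    "get-globaladdresslist", "get-addresslist", "get-offlineaddressbook",
    "get-recipient", "get-mailuser", "get-mailbox", "mailsniper",
    "invoke-globalo365passwordspray", "invoke-selfsearch",
    "invoke-passwordsprayowa", "invoke-passwordsprayews",
    "connect-exchangeonline", "exchangemanagementshell",
    "outlook.office365.com",
)
# Compound conditions: an anchor word plus at least one qualifier.
RULER_QUALIFIERS = ("gal", "dump", "enum", "brute")
LDAP_QUALIFIERS = ("proxyaddresses", "targetaddress", "msexch")

PROCESS_CREATE_EVENT_IDS = {"1", "4688"}   # Sysmon 1, Security 4688
LOG_SOURCE_TYPE_IDS = {12, 311, 357}       # devicetype values from the AQL

# Tuning layer for the False Positives section: accounts whose scripted
# Exchange queries are covered by a documented change request.
# Hypothetical names; replace with your own inventory.
ALLOWLISTED_ACCOUNTS = {"svc_exchange_reports", "svc_sailpoint"}


def command_line_matches(command_line):
    """Mirror of the parenthesised LIKE block in the AQL WHERE clause."""
    c = command_line.lower()
    if any(term in c for term in SIMPLE_TERMS):
        return True
    if "ruler" in c and any(q in c for q in RULER_QUALIFIERS):
        return True
    if "ldap" in c and any(q in c for q in LDAP_QUALIFIERS):
        return True
    return False


def event_matches(event):
    """Full predicate: log source type, process-creation event id, command line."""
    return (
        event.get("devicetype") in LOG_SOURCE_TYPE_IDS
        and str(event.get("EventID", "")) in PROCESS_CREATE_EVENT_IDS
        and command_line_matches(event.get("Process CommandLine", ""))
    )


def classify(event, allowlist=ALLOWLISTED_ACCOUNTS):
    """'alert', 'suppressed' (matched, but allowlisted account) or 'no_match'."""
    if not event_matches(event):
        return "no_match"
    if event.get("username", "").lower() in allowlist:
        return "suppressed"
    return "alert"


# Constructed sample events in the shape the AQL SELECT returns.
SAMPLE_EVENTS = [
    {"id": "e1", "devicetype": 311, "EventID": "1", "username": "jdoe",
     "Process CommandLine": "powershell.exe -ExecutionPolicy Bypass -c "
                            "Import-Module .\\MailSniper.ps1; Get-GlobalAddressList"},
    {"id": "e2", "devicetype": 12, "EventID": "4688", "username": "svc_exchange_reports",
     "Process CommandLine": "powershell.exe -NoProfile -c Get-AddressList | "
                            "Export-Csv C:\\Reports\\gal.csv"},
    {"id": "e3", "devicetype": 311, "EventID": "1", "username": "jdoe",
     "Process CommandLine": "powershell.exe -c $s = New-Object DirectoryServices."
                            "DirectorySearcher 'LDAP://DC=corp,DC=example'; "
                            "$s.Filter = '(proxyAddresses=*)'"},
    # 'ldap' alone, without an email-attribute qualifier: not a match.
    {"id": "e4", "devicetype": 311, "EventID": "1", "username": "jdoe",
     "Process CommandLine": "ldapsearch -x -b dc=corp,dc=example '(objectClass=user)' cn"},
    # Right command line, wrong event id (Sysmon 3 is a network event).
    {"id": "e5", "devicetype": 311, "EventID": "3", "username": "jdoe",
     "Process CommandLine": "powershell.exe -c Connect-ExchangeOnline"},
    {"id": "e6", "devicetype": 12, "EventID": "4688", "username": "jdoe",
     "Process CommandLine": "powershell.exe -c Get-Process | Out-File C:\\Temp\\procs.txt"},
]


def run(events=SAMPLE_EVENTS):
    """Return [(event id, verdict)] for a batch of events."""
    return [(e["id"], classify(e)) for e in events]


if __name__ == "__main__":
    for event_id, verdict in run():
        print(f"{event_id}: {verdict}")
```

Because the AQL uses bare substring LIKE patterns, the '%get-mailbox%' and '%get-recipient%' terms also fire on reporting cmdlets such as Get-MailboxStatistics; the allowlist keyed on username is the simplest way to absorb the documented automation listed above, and a parent-process condition on "Parent CommandLine" (scheduled task host versus an interactive shell) is the natural next refinement.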

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Get-GlobalAddressList via PowerShell (Exchange Online)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.

  2. Test 2: MailSniper Get-GlobalAddressList Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.

  3. Test 3: LDAP Query for Email Attributes

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.

  4. Test 4: Non-Outlook Process Accessing Outlook PST File

    Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.
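A telemetry coverage check for the expected signals of Test 1 and Test 3, as an added example that is not part of the page or of Atomic Red Team: feed it the records your lab host forwarded and it reports which expected signals were never observed, which is how you confirm the pipeline (Sysmon, script block logging, DSM mapping) delivers what the detection needs. The records are constructed; the image path, user profile path, domain controller address and the absent Sysmon 3 event for Test 1 are assumptions.

```python
"""Coverage check for the 'Expected signal' lists of Test 1 and Test 3.
Added example, not part of the page or of Atomic Red Team. Records are
constructed; the missing Sysmon 3 event for Test 1 is an assumed gap
(for instance a lab host with no outbound route) so the report has a finding."""


def has_all(record, field, *needles):
    """True if every needle occurs (case-insensitively) in record[field]."""
    value = str(record.get(field, "")).lower()
    return all(n.lower() in value for n in needles)


def is_event(record, channel, event_id):
    return record.get("channel") == channel and record.get("event_id") == event_id


# One (label, predicate) per expected signal, transcribed from the test notes.
EXPECTED_SIGNALS = {
    "Test 1": [
        ("Sysmon 1: powershell.exe with Get-GlobalAddressList/Connect-ExchangeOnline/Export-Csv",
         lambda r: is_event(r, "Sysmon", 1) and has_all(r, "Image", "powershell.exe")
         and has_all(r, "CommandLine", "get-globaladdresslist", "connect-exchangeonline", "export-csv")),
        ("PowerShell 4104: script block with Get-GlobalAddressList",
         lambda r: is_event(r, "PowerShell", 4104) and has_all(r, "ScriptBlockText", "get-globaladdresslist")),
        ("Sysmon 3: connection to outlook.office365.com:443",
         lambda r: is_event(r, "Sysmon", 3) and has_all(r, "DestinationHostname", "outlook.office365.com")
         and str(r.get("DestinationPort")) == "443"),
        ("Sysmon 11: gal_output.csv created in %TEMP%",
         lambda r: is_event(r, "Sysmon", 11) and has_all(r, "TargetFilename", "temp", "gal_output.csv")),
    ],
    "Test 3": [
        ("Sysmon 1: powershell.exe with DirectorySearcher/mail/proxyAddresses",
         lambda r: is_event(r, "Sysmon", 1) and has_all(r, "Image", "powershell.exe")
         and has_all(r, "CommandLine", "directorysearcher", "mail", "proxyaddresses")),
        ("Sysmon 3: LDAP (389) or LDAPS (636) to a domain controller",
         lambda r: is_event(r, "Sysmon", 3) and str(r.get("DestinationPort")) in {"389", "636"}),
        ("PowerShell 4104: script block with the LDAP query",
         lambda r: is_event(r, "PowerShell", 4104) and has_all(r, "ScriptBlockText", "proxyaddresses")),
        ("Sysmon 11: ldap_emails.txt created",
         lambda r: is_event(r, "Sysmon", 11) and has_all(r, "TargetFilename", "ldap_emails.txt")),
    ],
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"   # assumed image path
TEMP = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\"                          # assumed %TEMP%

# Constructed telemetry as it might arrive after a lab run (not real logs).
SAMPLE_TELEMETRY = [
    {"channel": "Sysmon", "event_id": 1, "Image": PS,
     "CommandLine": "powershell.exe -c Connect-ExchangeOnline; Get-GlobalAddressList | "
                    "Export-Csv $env:TEMP\\gal_output.csv"},
    {"channel": "PowerShell", "event_id": 4104,
     "ScriptBlockText": "Connect-ExchangeOnline; Get-GlobalAddressList | Export-Csv $env:TEMP\\gal_output.csv"},
    {"channel": "Sysmon", "event_id": 11, "Image": PS, "TargetFilename": TEMP + "gal_output.csv"},
    # Assumed gap: no Sysmon 3 to outlook.office365.com was recorded for Test 1.
    {"channel": "Sysmon", "event_id": 1, "Image": PS,
     "CommandLine": "powershell.exe -c $s = New-Object DirectoryServices.DirectorySearcher; "
                    "$s.Filter = '(mail=*)'; $s.PropertiesToLoad.Add('proxyAddresses')"},
    {"channel": "Sysmon", "event_id": 3, "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 389},
    {"channel": "PowerShell", "event_id": 4104,
     "ScriptBlockText": "$s = New-Object DirectoryServices.DirectorySearcher; $s.Filter = '(mail=*)'; "
                        "$s.PropertiesToLoad.Add('proxyAddresses')"},
    {"channel": "Sysmon", "event_id": 11, "Image": PS, "TargetFilename": TEMP + "ldap_emails.txt"},
]


def coverage_report(records=SAMPLE_TELEMETRY):
    """Map each test to the labels of expected signals that no record satisfied."""
    return {
        test: [label for label, matched in signals if not any(matched(r) for r in records)]
        for test, signals in EXPECTED_SIGNALS.items()
    }


if __name__ == "__main__":
    for test, missing in coverage_report().items():
        print(test, "OK" if not missing else "MISSING: " + "; ".join(missing))
```

A missing entry in the report points at a collection gap rather than a detection gap: in the constructed run above, Test 3 is fully covered while Test 1 lacks the Sysmon 3 network event, which is exactly the case where the process-creation rule still fires but a network-based corroborating rule would not.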
