T1087.003 Microsoft Sentinel · KQL

Detect Email Account in Microsoft Sentinel

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.003 Email Account
Canonical reference
https://attack.mitre.org/techniques/T1087/003/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let GALCmdlets = dynamic([
  "Get-GlobalAddressList", "Get-AddressList", "Get-OfflineAddressBook",
  "Get-Recipient", "Get-MailUser", "Get-Mailbox", "Get-GAL"
]);
let MailSniperPatterns = dynamic([
  "MailSniper", "Invoke-GlobalO365PasswordSpray", "Get-GlobalAddressList",
  "Invoke-SelfSearch", "Invoke-PasswordSprayOWA", "Invoke-PasswordSprayEWS"
]);
// Detection 1: PowerShell GAL enumeration (cmdlet names visible on the command line)
let PSGALEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (GALCmdlets) or ProcessCommandLine has_any (MailSniperPatterns)
| extend DetectionType = "PowerShell_GAL_Enumeration"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Exchange PowerShell remote session for address enumeration
let ExchangePSEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "ExchangeManagementShell" or
        (ProcessCommandLine has "New-PSSession" and ProcessCommandLine has_any ("outlook", "exchange", "office365", "outlook.office365.com")) or
        (ProcessCommandLine has "Connect-ExchangeOnline" and ProcessCommandLine has_any (GALCmdlets))
| extend DetectionType = "Exchange_Remote_Session_Enum"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: LDAP queries targeting email attributes.
// `has` matches whole terms, so `has "msExch"` would never match an attribute name such as
// msExchRecipientTypeDetails; `hasprefix` matches any term that starts with the string.
let LDAPEmailEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "LDAP" and
        (ProcessCommandLine has "mail" or ProcessCommandLine has "proxyAddresses" or
         ProcessCommandLine has "targetAddress" or ProcessCommandLine hasprefix "msExch")
| extend DetectionType = "LDAP_Email_Attribute_Query"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 4: Outlook PST/OST files created, modified, renamed or deleted by non-Outlook processes.
// DeviceFileEvents does not record reads, so a process that only opens an existing PST is not
// visible here. Match on FileName rather than `FolderPath has_any (".pst", ".ost")`: `has` is
// term-based, so that predicate also fires on any path containing a folder named "pst".
let OutlookFileEnum = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pst" or FileName endswith ".ost"
| where not(InitiatingProcessFileName =~ "outlook.exe")
| where not(InitiatingProcessFileName in~ ("svchost.exe", "services.exe", "MicrosoftEdge.exe"))
| extend DetectionType = "Non_Outlook_PST_OST_Access"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union PSGALEnum, ExchangePSEnum, LDAPEmailEnum, OutlookFileEnum
| sort by Timestamp desc
```
Severity: Medium · Confidence: High

Detects email account enumeration attempts using four detection vectors: (1) PowerShell cmdlets targeting Exchange address lists, including Get-GlobalAddressList, Get-Recipient and Get-Mailbox; (2) Exchange Online remote PowerShell sessions used for address enumeration; (3) LDAP queries targeting email-specific attributes (mail, proxyAddresses, targetAddress, msExch*); (4) non-Outlook processes creating, modifying, renaming or deleting Outlook PST/OST files, which may indicate malware staging local mail stores for harvesting. MailSniper's function names are matched directly; Ruler is not PowerShell-based and is not matched by name, so it needs a separate process-name or network-based rule. Detections 1 and 2 depend on the cmdlet appearing in the process command line: a script loaded from disk or typed into an interactive session leaves nothing to match there, so pair this rule with PowerShell ScriptBlock logging (Event ID 4104).
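The same four detections re-implemented offline in Python and run over a handful of constructed Defender for Endpoint rows, so the predicates can be dry-run before they go into Sentinel. This is an added example, not the page's query and not Microsoft code. It assumes the advanced hunting column names used in the query above, emulates KQL's term-based `has`/`has_any`/`hasprefix` semantics only approximately (terms are runs of alphanumerics, matched case-insensitively, and a punctuated needle such as `Get-GlobalAddressList` must appear as consecutive terms), matches `msExch*` as a term prefix and PST/OST files on FileName, and uses sample rows that are constructed rather than captured telemetry.

```python
import re

# --- KQL string-operator emulation (an approximation of the engine) ----------
# KQL indexes text as terms (runs of alphanumerics). `has` matches a whole term,
# case-insensitively; "Get-GlobalAddressList" therefore has to appear as the
# consecutive terms "get", "globaladdresslist".
_TERM = re.compile(r"[A-Za-z0-9]+")

def _terms(text):
    return [t.lower() for t in _TERM.findall(text)]

def kql_has(text, needle):
    hay, want = _terms(text), _terms(needle)
    return any(hay[i:i + len(want)] == want for i in range(len(hay) - len(want) + 1))

def kql_has_any(text, needles):
    return any(kql_has(text, n) for n in needles)

def kql_hasprefix(text, prefix):
    """`hasprefix`: some term starts with the prefix (what `has "msExch"` cannot do)."""
    p = prefix.lower()
    return any(t.startswith(p) for t in _terms(text))

# --- The rule's pattern lists -------------------------------------------------
GAL_CMDLETS = ["Get-GlobalAddressList", "Get-AddressList", "Get-OfflineAddressBook",
               "Get-Recipient", "Get-MailUser", "Get-Mailbox", "Get-GAL"]
MAILSNIPER = ["MailSniper", "Invoke-GlobalO365PasswordSpray", "Get-GlobalAddressList",
              "Invoke-SelfSearch", "Invoke-PasswordSprayOWA", "Invoke-PasswordSprayEWS"]
REMOTE_EXCHANGE = ["outlook", "exchange", "office365", "outlook.office365.com"]
EMAIL_ATTRS = ["mail", "proxyAddresses", "targetAddress"]
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
EXCLUDED_FILE_INITIATORS = {"outlook.exe", "svchost.exe", "services.exe", "microsoftedge.exe"}

def process_detections(row):
    """Detections 1-3 against one DeviceProcessEvents row; returns every DetectionType that fires."""
    cl, hits = row["ProcessCommandLine"], []
    is_ps = row["FileName"].lower() in PS_HOSTS
    if is_ps and (kql_has_any(cl, GAL_CMDLETS) or kql_has_any(cl, MAILSNIPER)):
        hits.append("PowerShell_GAL_Enumeration")
    if is_ps and (kql_has(cl, "ExchangeManagementShell")
                  or (kql_has(cl, "New-PSSession") and kql_has_any(cl, REMOTE_EXCHANGE))
                  or (kql_has(cl, "Connect-ExchangeOnline") and kql_has_any(cl, GAL_CMDLETS))):
        hits.append("Exchange_Remote_Session_Enum")
    # Detection 3 has no host-process filter; msExch* is a prefix, not a whole term.
    if kql_has(cl, "LDAP") and (kql_has_any(cl, EMAIL_ATTRS) or kql_hasprefix(cl, "msExch")):
        hits.append("LDAP_Email_Attribute_Query")
    return hits

def file_detection(row):
    """Detection 4 against one DeviceFileEvents row. The table holds create/modify/rename/
    delete actions, not reads, so a process that only opens a PST never lands here."""
    if not row["FileName"].lower().endswith((".pst", ".ost")):
        return []
    if row["InitiatingProcessFileName"].lower() in EXCLUDED_FILE_INITIATORS:
        return []
    return ["Non_Outlook_PST_OST_Access"]

def run(process_rows, file_rows):
    """Emulates the closing `union`: one (DetectionType, DeviceName, CommandLine) per hit."""
    out = []
    for r in process_rows:
        out += [(t, r["DeviceName"], r["ProcessCommandLine"]) for t in process_detections(r)]
    for r in file_rows:
        out += [(t, r["DeviceName"], r["InitiatingProcessCommandLine"]) for t in file_detection(r)]
    return out

# --- Constructed sample rows (not captured telemetry) --------------------------
SAMPLE_PROCESS_ROWS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",  # fires detections 1 and 2
     "ProcessCommandLine": 'powershell.exe -ExecutionPolicy Bypass -c "Connect-ExchangeOnline; '
                           'Get-GlobalAddressList | Export-Csv $env:TEMP\\gal_output.csv"'},
    {"DeviceName": "ws01", "FileName": "cmd.exe",  # right cmdlet, wrong host process: no hit
     "ProcessCommandLine": "cmd.exe /c echo Get-Mailbox"},
    {"DeviceName": "ws02", "FileName": "powershell.exe",  # fires detection 3 only via the msExch prefix
     "ProcessCommandLine": "powershell.exe -c \"$s=New-Object DirectoryServices.DirectorySearcher("
                           "'LDAP://DC=corp,DC=local');$s.Filter='(msExchRecipientTypeDetails=1)';$s.FindAll()\""},
    {"DeviceName": "ws03", "FileName": "pwsh.exe",  # the lone term 'Mailbox' is not 'Get-Mailbox': no hit
     "ProcessCommandLine": "pwsh -c \"Get-ChildItem C:\\Mailbox -Recurse\""},
]
SAMPLE_FILE_ROWS = [
    {"DeviceName": "ws01", "ActionType": "FileCreated", "FileName": "archive.pst",  # fires detection 4
     "FolderPath": "C:\\Users\\alice\\Documents\\archive.pst", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -c \"Copy-Item C:\\Users\\alice\\Documents\\archive.pst C:\\Temp\\\""},
    {"DeviceName": "ws01", "ActionType": "FileModified", "FileName": "alice@corp.local.ost",  # Outlook itself: excluded
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@corp.local.ost",
     "InitiatingProcessFileName": "OUTLOOK.EXE",
     "InitiatingProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""},
    # A folder named "pst": `FolderPath has_any (".pst")` would fire on this row, FileName endswith does not.
    {"DeviceName": "ws04", "ActionType": "FileCreated", "FileName": "notes.txt",
     "FolderPath": "C:\\pst\\notes.txt", "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessCommandLine": "notepad.exe C:\\pst\\notes.txt"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_PROCESS_ROWS, SAMPLE_FILE_ROWS):
        print(hit)
```

Running it prints four hits: the first PowerShell row under both detection 1 and detection 2 (exactly as the `union` would return it twice), the DirectorySearcher row under detection 3, and the PST copy under detection 4; the cmd.exe, `Get-ChildItem`, Outlook and `C:\pst\` rows stay silent. Swapping `kql_hasprefix(cl, "msExch")` for `kql_has(cl, "msExch")` makes the DirectorySearcher row disappear, which is the term-matching pitfall the query comments call out.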

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • File: File Access
  • Log source: Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Exchange administrators legitimately running Get-GlobalAddressList or Get-Recipient cmdlets for address book management or auditing
  • Email migration tools (BitTitan MigrationWiz, IMAPMIG) accessing PST/OST files or querying address lists during migration projects
  • Backup software (Veeam Backup for Microsoft 365, Barracuda) accessing Outlook data files as part of scheduled backup jobs
  • IT helpdesk automation scripts using Exchange PowerShell to look up user mailbox information for troubleshooting
  • Third-party GAL synchronization tools used in hybrid Exchange environments accessing address list data
Testing Methodology

Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Get-GlobalAddressList via PowerShell (Exchange Online)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.

  2. Test 2: MailSniper Get-GlobalAddressList Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.

  3. Test 3: LDAP Query for Email Attributes

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.

  4. Test 4: Non-Outlook Process Accessing Outlook PST File

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe targeting the Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code. Sysmon Event ID 11 (FileCreate) with InitiatingProcess=powershell.exe only if the test writes or copies a .pst or .ost file; neither Sysmon nor DeviceFileEvents records file reads, so a read-only enumeration of existing PST files produces no file event and is caught only through the process and ScriptBlock telemetry.
