Detect Email Account in Splunk
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.003 Email Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/003/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval is_process_event=if((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1) OR (sourcetype="WinEventLog:Security" AND EventCode=4688), 1, 0)
| where is_process_event=1
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval Image=coalesce(Image, New_Process_Name)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval is_powershell=if(match(ImageLower, "(powershell\.exe|pwsh\.exe)"), 1, 0)
| eval GAL_Cmdlet=if(match(CommandLineLower, "(get-globaladdresslist|get-addresslist|get-offlineaddressbook|get-recipient|get-mailuser|get-mailbox)"), 1, 0)
| eval MailSniper=if(match(CommandLineLower, "(mailsniper|invoke-globalo365passwordspray|invoke-selfsearch|invoke-passwordsprayowa|invoke-passwordsprayews)"), 1, 0)
| eval Exchange_Remote=if(match(CommandLineLower, "(new-pssession.*exchange|connect-exchangeonline|exchangemanagementshell|outlook\.office365\.com)"), 1, 0)
| eval LDAP_Email=if(match(CommandLineLower, "(ldap.*(mail|proxyaddresses|targetaddress|msexch)|mail.*ldap|proxyaddresses.*ldap)"), 1, 0)
| eval Ruler_Tool=if(match(CommandLineLower, "(ruler.*brute|ruler.*dump|ruler.*enum|ruler.*gal)"), 1, 0)
| eval SuspicionScore=GAL_Cmdlet + MailSniper + Exchange_Remote + LDAP_Email + Ruler_Tool
| where (is_powershell=1 AND SuspicionScore > 0) OR MailSniper=1 OR Ruler_Tool=1
| eval DetectionCategories=mvappend(
if(GAL_Cmdlet=1, "GAL_Cmdlet", null()),
if(MailSniper=1, "MailSniper", null()),
if(Exchange_Remote=1, "Exchange_Remote_Session", null()),
if(LDAP_Email=1, "LDAP_Email_Query", null()),
if(Ruler_Tool=1, "Ruler_Tool", null())
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
GAL_Cmdlet, MailSniper, Exchange_Remote, LDAP_Email, Ruler_Tool,
SuspicionScore, DetectionCategories
| sort - _timeDetects email account enumeration using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688. Evaluates command lines for Exchange address list cmdlets (Get-GlobalAddressList, Get-Mailbox, Get-Recipient), MailSniper tool patterns, Exchange Online remote session creation, LDAP queries targeting email attributes, and Ruler tool command patterns. Assigns a suspicion score to prioritize alerts with multiple indicators. Covers techniques used by Magic Hound, TA505, and tools like MailSniper and Ruler.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Exchange administrators legitimately running Get-GlobalAddressList or Get-Recipient cmdlets for address book management or auditing
- Email migration tools (MigrationWiz, Bit Titan) accessing address lists during migration projects
- Backup software accessing Outlook data files or querying address lists as part of scheduled jobs
- IT helpdesk automation scripts using Exchange PowerShell for user mailbox troubleshooting
- Third-party GAL synchronization tools in hybrid Exchange environments
Other platforms for T1087.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Get-GlobalAddressList via PowerShell (Exchange Online)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.
- Test 2MailSniper Get-GlobalAddressList Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.
- Test 3LDAP Query for Email Attributes
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.
- Test 4Non-Outlook Process Accessing Outlook PST File
Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.
References (12)
- https://attack.mitre.org/techniques/T1087/003/
- https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- https://docs.microsoft.com/en-us/powershell/module/exchange/get-globaladdresslist
- https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists
- https://support.google.com/a/answer/166870?hl=en
- https://github.com/dafthack/MailSniper
- https://github.com/sensepost/ruler
- https://www.trendmicro.com/en_us/research/19/f/latest-spam-campaigns-from-ta505-now-use-ecuador-and-hong-kong-themed-ddl-files.html
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.003/T1087.003.md
Unlock Pro Content
Get the full detection package for T1087.003 including response playbook, investigation guide, and atomic red team tests.