T1087.003 Sumo Logic CSE · Sumo

Detect Email Account in Sumo Logic CSE

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.

MITRE ATT&CK

Tactic
Discovery
Technique
T1087 Account Discovery
Sub-technique
T1087.003 Email Account
Canonical reference
https://attack.mitre.org/techniques/T1087/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
```sql
(_sourceCategory="*Windows*Sysmon*" OR _sourceCategory="*Windows*Security*")
| where EventCode = "1" OR EventCode = "4688"
| toLowerCase(CommandLine) as cmd_lower
| where cmd_lower matches "*get-globaladdresslist*"
   OR cmd_lower matches "*get-addresslist*"
   OR cmd_lower matches "*get-offlineaddressbook*"
   OR cmd_lower matches "*get-recipient*"
   OR cmd_lower matches "*get-mailuser*"
   OR cmd_lower matches "*get-mailbox*"
   OR cmd_lower matches "*mailsniper*"
   OR cmd_lower matches "*invoke-globalo365passwordspray*"
   OR cmd_lower matches "*invoke-selfsearch*"
   OR cmd_lower matches "*invoke-passwordsprayowa*"
   OR cmd_lower matches "*invoke-passwordsprayews*"
   OR cmd_lower matches "*connect-exchangeonline*"
   OR cmd_lower matches "*exchangemanagementshell*"
   OR cmd_lower matches "*outlook.office365.com*"
   OR (cmd_lower matches "*ruler*" AND (cmd_lower matches "*gal*" OR cmd_lower matches "*dump*" OR cmd_lower matches "*enum*" OR cmd_lower matches "*brute*"))
   OR (cmd_lower matches "*ldap*" AND (cmd_lower matches "*proxyaddresses*" OR cmd_lower matches "*targetaddress*" OR cmd_lower matches "*msexch*"))
// Per-category triage flags; each mirrors one branch of the where clause above
| if(cmd_lower matches "*get-globaladdresslist*" OR cmd_lower matches "*get-addresslist*" OR cmd_lower matches "*get-offlineaddressbook*" OR cmd_lower matches "*get-recipient*" OR cmd_lower matches "*get-mailuser*" OR cmd_lower matches "*get-mailbox*", "YES", "NO") as GAL_Cmdlet
| if(cmd_lower matches "*mailsniper*" OR cmd_lower matches "*invoke-globalo365passwordspray*" OR cmd_lower matches "*invoke-selfsearch*" OR cmd_lower matches "*invoke-passwordsprayowa*" OR cmd_lower matches "*invoke-passwordsprayews*", "YES", "NO") as MailSniper
| if(cmd_lower matches "*connect-exchangeonline*" OR cmd_lower matches "*exchangemanagementshell*" OR cmd_lower matches "*outlook.office365.com*", "YES", "NO") as Exchange_Remote
// "*brute*" is included so that a Ruler match admitted by the where clause never yields all-NO flags
| if(cmd_lower matches "*ruler*" AND (cmd_lower matches "*gal*" OR cmd_lower matches "*dump*" OR cmd_lower matches "*enum*" OR cmd_lower matches "*brute*"), "YES", "NO") as Ruler_Tool
| if(cmd_lower matches "*ldap*" AND (cmd_lower matches "*proxyaddresses*" OR cmd_lower matches "*targetaddress*" OR cmd_lower matches "*msexch*"), "YES", "NO") as LDAP_Email
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GAL_Cmdlet, MailSniper, Exchange_Remote, Ruler_Tool, LDAP_Email
| sort by _time desc
```

Severity
High
Confidence
High

Detects T1087.003 email account enumeration by searching Sumo Logic ingested Windows Sysmon (EventCode 1) and Windows Security (EventCode 4688) process creation events. Normalises CommandLine to lowercase and applies pattern matching for Exchange GAL enumeration cmdlets, MailSniper toolkit signatures, Exchange Online session strings, Ruler tool GAL dumping arguments, and LDAP queries targeting Exchange-specific Active Directory email attributes. Enriches each alert with per-category YES/NO flags to accelerate analyst triage. Source category patterns must be adjusted to match the customer's Sumo Logic collection configuration.

Data Sources

  • Windows Sysmon logs collected via Sumo Logic Installed Collector (EventCode 1, Process Create)
  • Windows Security Event Log collected via Sumo Logic Installed Collector (EventCode 4688 with command-line auditing enabled)

Required Tables

  • _sourceCategory matching Windows Sysmon data (adjust glob to match deployment naming convention)
  • _sourceCategory matching Windows Security Event Log data
  • Fields required: EventCode, CommandLine, Image, ParentImage, ParentCommandLine, Computer, User

False Positives & Tuning

  • Exchange Online administrators executing scheduled Get-Mailbox, Get-GlobalAddressList, or Get-Recipient scripts for address book maintenance, license auditing, or compliance reporting under change management approval
  • Third-party identity governance platforms (SailPoint IdentityNow, Varonis DatAdvantage, Okta Workflows) that invoke Exchange PowerShell cmdlets as part of access review campaigns or entitlement certifications
  • IT helpdesk PowerShell runbooks that call Get-Recipient or Get-MailUser to validate email address existence or routing during ticket resolution workflows
  • Authorised penetration testing or red team exercises using MailSniper or Ruler under documented scope with known source host ranges
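To make the flag logic and the first tuning step concrete, here is an added Python re-implementation of the query's classification run over constructed process-creation events; it is written for this page and is not Sumo Logic's rule or code. The event dicts, the allowlisted service-account names and the `APPROVED_USERS` tuning are assumptions, and the Ruler flag here accepts the `*brute*` argument that the query's where clause also accepts.

```python
import fnmatch

# Glob lists mirroring the per-category flags of the Sumo query (constructed example).
GAL_CMDLETS = ["*get-globaladdresslist*", "*get-addresslist*", "*get-offlineaddressbook*",
               "*get-recipient*", "*get-mailuser*", "*get-mailbox*"]
MAILSNIPER = ["*mailsniper*", "*invoke-globalo365passwordspray*", "*invoke-selfsearch*",
              "*invoke-passwordsprayowa*", "*invoke-passwordsprayews*"]
EXCHANGE_REMOTE = ["*connect-exchangeonline*", "*exchangemanagementshell*", "*outlook.office365.com*"]
RULER_ARGS = ["*gal*", "*dump*", "*enum*", "*brute*"]
LDAP_ATTRS = ["*proxyaddresses*", "*targetaddress*", "*msexch*"]
# Hypothetical allowlist of change-managed automation accounts (assumed names, see tuning notes).
APPROVED_USERS = {"corp\\svc-exchange-audit", "corp\\svc-sailpoint"}

def _any(cmd, patterns):
    # Case-insensitive glob test equivalent to the query's `matches "*...*"` clauses
    return any(fnmatch.fnmatchcase(cmd, p) for p in patterns)

def classify(event):
    """Return the rule's flags for one process-creation event, or None if the rule would not fire."""
    if str(event.get("EventCode")) not in ("1", "4688"):
        return None                                   # only Sysmon 1 / Security 4688 are in scope
    cmd = (event.get("CommandLine") or "").lower()    # 4688 without command-line auditing -> empty
    flags = {
        "GAL_Cmdlet": _any(cmd, GAL_CMDLETS),
        "MailSniper": _any(cmd, MAILSNIPER),
        "Exchange_Remote": _any(cmd, EXCHANGE_REMOTE),
        "Ruler_Tool": _any(cmd, ["*ruler*"]) and _any(cmd, RULER_ARGS),
        "LDAP_Email": _any(cmd, ["*ldap*"]) and _any(cmd, LDAP_ATTRS),
    }
    if not any(flags.values()):
        return None
    # Tuning: keep the alert but mark approved maintenance accounts for lower triage priority
    flags["approved_account"] = (event.get("User") or "").lower() in APPROVED_USERS
    return flags

# Constructed sample events; field names follow the query's projected fields.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": "powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -c Connect-ExchangeOnline; Get-GlobalAddressList | Export-Csv gal.csv"},
    {"EventCode": 4688, "Computer": "ADM01", "User": "CORP\\svc-exchange-audit", "Image": "powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File LicenseAudit.ps1 Get-Mailbox -ResultSize Unlimited"},
    {"EventCode": 1, "Computer": "WS02", "User": "CORP\\jdoe", "Image": "ruler.exe",
     "CommandLine": "C:\\Tools\\ruler.exe brute"},
    {"EventCode": 4688, "Computer": "WS03", "User": "CORP\\asmith", "Image": "powershell.exe",
     "CommandLine": ""},                              # command-line auditing disabled: no signal
]

def run(events):
    """Evaluate every event and return (Computer, flags) for the ones the rule would alert on."""
    return [(e["Computer"], classify(e)) for e in events if classify(e) is not None]
```

The empty-CommandLine event shows why the data-source note on command-line auditing matters: without it, 4688 events carry nothing for the patterns to match.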

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Get-GlobalAddressList via PowerShell (Exchange Online)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.

  2. Test 2: MailSniper Get-GlobalAddressList Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.

  3. Test 3: LDAP Query for Email Attributes

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.

  4. Test 4: Non-Outlook Process Accessing Outlook PST File

    Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.
