T1585

Establish Accounts

This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.

Microsoft Sentinel / Defender

kusto

let PrivacyEmailDomains = dynamic([
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com",
    "10minutemail.com", "throwam.com", "yopmail.com"
]);
let SuspiciousFreeProviders = dynamic([
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "live.com", "icloud.com", "aol.com"
]);
let LookbackDays = 14d;
EmailEvents
| where TimeGenerated > ago(LookbackDays)
| where DeliveryAction in ("Delivered", "Junked", "Blocked")
| where EmailDirection == "Inbound"
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| where SenderDomain in~ (PrivacyEmailDomains) or SenderDomain in~ (SuspiciousFreeProviders)
| summarize
    EmailCount = count(),
    TargetedUsers = dcount(RecipientEmailAddress),
    TargetedRecipients = make_set(RecipientEmailAddress, 10),
    AttachmentEmails = countif(AttachmentCount > 0),
    LinkEmails = countif(UrlCount > 0),
    DeliveredCount = countif(DeliveryAction == "Delivered"),
    JunkedCount = countif(DeliveryAction == "Junked"),
    SampleSubjects = make_set(Subject, 5),
    FirstContact = min(TimeGenerated),
    LastContact = max(TimeGenerated)
    by SenderFromAddress, SenderDomain
| extend
    CampaignDurationHours = datetime_diff("hour", LastContact, FirstContact),
    IsPrivacyProvider = SenderDomain in~ (PrivacyEmailDomains),
    IsFreeProvider = SenderDomain in~ (SuspiciousFreeProviders)
| extend RiskScore =
    // Multi-target contact is a strong signal
    case(TargetedUsers >= 10, 40, TargetedUsers >= 5, 25, TargetedUsers >= 2, 10, 0)
    // Privacy/anonymous providers weighted higher
    + case(IsPrivacyProvider, 25, IsFreeProvider and TargetedUsers >= 3, 15, 0)
    // Attachment-bearing emails increase risk
    + case(AttachmentEmails >= 3, 20, AttachmentEmails >= 1, 10, 0)
    // Link-only campaigns (credential harvest setup)
    + case(LinkEmails >= 5 and AttachmentEmails == 0, 15, LinkEmails >= 2, 8, 0)
    // Burst pattern within short window
    + case(EmailCount >= 5 and CampaignDurationHours <= 2, 15, 0)
| where RiskScore >= 25
| project
    TimeGenerated = FirstContact,
    SenderFromAddress,
    SenderDomain,
    IsPrivacyProvider,
    EmailCount,
    TargetedUsers,
    TargetedRecipients,
    AttachmentEmails,
    LinkEmails,
    DeliveredCount,
    JunkedCount,
    CampaignDurationHours,
    SampleSubjects,
    RiskScore,
    LastContact
| order by RiskScore desc

medium severity medium confidence

Data Sources

Microsoft Defender for Office 365

Required Tables

EmailEvents

False Positives

Legitimate mass newsletters or marketing emails from Gmail/Yahoo senders — filter by adding known sender domains to allowlist
Corporate recruitment contacts from candidates using personal email accounts targeting HR or hiring managers
External security researchers or vendors using ProtonMail for legitimate privacy reasons contacting security teams
Conference or event organizers using free email providers sending bulk invitations to multiple employees

Splunk

spl

index=email OR index=mail_logs sourcetype IN ("ms:o365:management", "exchange:message_tracking", "postfix:syslog", "proofpoint:mail")
| search direction="inbound" OR MessageDirection="Inbound" OR message_direction="inbound"
| eval sender_address=coalesce(sender, SenderAddress, from_address, "unknown")
| eval sender_domain=lower(replace(sender_address, ".*@", ""))
| eval is_privacy_provider=if(match(sender_domain, "protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|yopmail\.com"), 1, 0)
| eval is_free_provider=if(match(sender_domain, "gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com"), 1, 0)
| where is_privacy_provider=1 OR is_free_provider=1
| eval recipient=coalesce(recipient, RecipientAddress, to_address, "unknown")
| eval has_attachment=if(match(coalesce(attachment_names, AttachmentNames, ""), ".+"), 1, 0)
| eval has_link=if(match(coalesce(url_count, UrlCount, "0"), "[1-9]"), 1, 0)
| eval delivery_status=coalesce(DeliveryAction, delivery_action, MessageStatus, "unknown")
| stats
    count AS email_count,
    dc(recipient) AS targeted_users,
    values(recipient) AS recipient_list,
    sum(has_attachment) AS attachment_emails,
    sum(has_link) AS link_emails,
    values(subject) AS sample_subjects,
    min(_time) AS first_contact,
    max(_time) AS last_contact,
    max(is_privacy_provider) AS is_privacy_provider
    by sender_address, sender_domain
| eval campaign_duration_hours=round((last_contact - first_contact) / 3600, 1)
| eval risk_score=0
| eval risk_score=risk_score + case(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, true(), 0)
| eval risk_score=risk_score + case(is_privacy_provider=1, 25, targeted_users >= 3, 15, true(), 0)
| eval risk_score=risk_score + case(attachment_emails >= 3, 20, attachment_emails >= 1, 10, true(), 0)
| eval risk_score=risk_score + case(link_emails >= 5 AND attachment_emails=0, 15, link_emails >= 2, 8, true(), 0)
| eval risk_score=risk_score + case(email_count >= 5 AND campaign_duration_hours <= 2, 15, true(), 0)
| where risk_score >= 25
| eval first_contact_time=strftime(first_contact, "%Y-%m-%d %H:%M:%S")
| eval last_contact_time=strftime(last_contact, "%Y-%m-%d %H:%M:%S")
| table first_contact_time, sender_address, sender_domain, is_privacy_provider, email_count, targeted_users, recipient_list, attachment_emails, link_emails, campaign_duration_hours, sample_subjects, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Microsoft 365 Management Logs Exchange Message Tracking Proofpoint Email Gateway

Required Sourcetypes

ms:o365:management exchange:message_tracking

False Positives

Legitimate bulk notifications from SaaS vendors or third-party services using free email infrastructure
Job applicants or external collaborators contacting multiple employees from personal Gmail/Yahoo accounts
Security awareness testing platforms sending simulated phishing from free email domains
Open source community contributors using ProtonMail contacting engineering teams about vulnerability disclosures

Elastic Security (EQL)

eql

any where event.category == "email" and
  email.direction == "inbound" and
  (
    email.from.address like "*@protonmail.com" or email.from.address like "*@proton.me" or
    email.from.address like "*@tutanota.com" or email.from.address like "*@tutamail.com" or
    email.from.address like "*@cock.li" or email.from.address like "*@disroot.org" or
    email.from.address like "*@riseup.net" or email.from.address like "*@mailfence.com" or
    email.from.address like "*@guerrillamail.com" or email.from.address like "*@temp-mail.org" or
    email.from.address like "*@mailinator.com" or email.from.address like "*@10minutemail.com" or
    email.from.address like "*@throwam.com" or email.from.address like "*@yopmail.com" or
    email.from.address like "*@gmail.com" or email.from.address like "*@yahoo.com" or
    email.from.address like "*@hotmail.com" or email.from.address like "*@outlook.com" or
    email.from.address like "*@live.com" or email.from.address like "*@icloud.com" or
    email.from.address like "*@aol.com"
  )

/* Deploy as an Elastic threshold rule:
   Group by: email.from.address
   Threshold: count >= 3 AND count_distinct(email.to.address) >= 2
   Time window: 24h
   For full risk-scored aggregation use ES|QL:
   FROM logs-email*
   | WHERE event.category == "email" AND email.direction == "inbound"
   | EVAL sender_domain = TO_LOWER(SPLIT(email.from.address, "@")[1])
   | EVAL is_privacy = CASE(sender_domain IN ("protonmail.com","proton.me","tutanota.com","tutamail.com","cock.li","disroot.org","riseup.net","mailfence.com","guerrillamail.com","temp-mail.org","mailinator.com","yopmail.com"), 1, 0)
   | EVAL is_free = CASE(sender_domain IN ("gmail.com","yahoo.com","hotmail.com","outlook.com","live.com","icloud.com","aol.com"), 1, 0)
   | WHERE is_privacy == 1 OR is_free == 1
   | STATS email_count = COUNT(*), targeted_users = COUNT_DISTINCT(email.to.address), attachment_emails = COUNT_DISTINCT(CASE(array_length(email.attachments.name) > 0, email.metadata.message_id, null)), first_contact = MIN(@timestamp), last_contact = MAX(@timestamp), is_privacy_provider = MAX(is_privacy) BY email.from.address, sender_domain
   | EVAL campaign_duration_hours = DATE_DIFF("hours", first_contact, last_contact)
   | EVAL risk_score = CASE(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, 0) + CASE(is_privacy_provider == 1, 25, targeted_users >= 3, 15, 0) + CASE(attachment_emails >= 3, 20, attachment_emails >= 1, 10, 0) + CASE(email_count >= 5 AND campaign_duration_hours <= 2, 15, 0)
   | WHERE risk_score >= 25
   | SORT risk_score DESC
*/

medium severity medium confidence

Data Sources

Microsoft Defender for Office 365 via Elastic O365 module Proofpoint Email Protection via Filebeat Proofpoint module Mimecast via Elastic integration Google Workspace Gmail via Elastic Google Workspace module

Required Tables

logs-email* logs-o365* logs-google_workspace*

False Positives

Legitimate SMB vendors or contractors who use personal Gmail or Outlook accounts as their primary business email contacting multiple employees about a project or proposal
Job applicants submitting CVs from personal email accounts to HR, where internal forwarding to multiple reviewers inflates the recipient count per external sender
Security awareness phishing simulation platforms that route test campaigns through privacy provider relay addresses — coordinate with the red team to whitelist campaign sender infrastructure before tuning thresholds

IBM QRadar (AQL)

sql

SELECT
    "Email Sender" AS sender_address,
    LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) AS sender_domain,
    COUNT(*) AS email_count,
    COUNT(DISTINCT "Email Recipient") AS targeted_users,
    SUM(CASE WHEN "Email Has Attachment" ILIKE 'true' OR LONG(COALESCE("Attachment Count", '0')) > 0 THEN 1 ELSE 0 END) AS attachment_emails,
    SUM(CASE WHEN LONG(COALESCE("URL Count", '0')) > 0 THEN 1 ELSE 0 END) AS link_emails,
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_contact,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_contact,
    ROUND((LONG(MAX(starttime)) - LONG(MIN(starttime))) / 3600, 1) AS campaign_duration_hours,
    CASE WHEN LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) IN
         ('protonmail.com','proton.me','tutanota.com','tutamail.com','cock.li',
          'disroot.org','riseup.net','mailfence.com','guerrillamail.com',
          'temp-mail.org','mailinator.com','10minutemail.com','throwam.com','yopmail.com')
    THEN 1 ELSE 0 END AS is_privacy_provider,
    LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
    LOGSOURCETYPEID IN (143, 352, 387, 433)
    AND (
        "Email Direction" ILIKE 'inbound'
        OR "Message Direction" ILIKE 'inbound'
        OR devicedirection = 1
    )
    AND starttime >= DATEADD('day', -14, now())
    AND (
        "Email Sender" ILIKE '%@protonmail.com'
        OR "Email Sender" ILIKE '%@proton.me'
        OR "Email Sender" ILIKE '%@tutanota.com'
        OR "Email Sender" ILIKE '%@tutamail.com'
        OR "Email Sender" ILIKE '%@cock.li'
        OR "Email Sender" ILIKE '%@disroot.org'
        OR "Email Sender" ILIKE '%@riseup.net'
        OR "Email Sender" ILIKE '%@mailfence.com'
        OR "Email Sender" ILIKE '%@guerrillamail.com'
        OR "Email Sender" ILIKE '%@temp-mail.org'
        OR "Email Sender" ILIKE '%@mailinator.com'
        OR "Email Sender" ILIKE '%@10minutemail.com'
        OR "Email Sender" ILIKE '%@throwam.com'
        OR "Email Sender" ILIKE '%@yopmail.com'
        OR "Email Sender" ILIKE '%@gmail.com'
        OR "Email Sender" ILIKE '%@yahoo.com'
        OR "Email Sender" ILIKE '%@hotmail.com'
        OR "Email Sender" ILIKE '%@outlook.com'
        OR "Email Sender" ILIKE '%@live.com'
        OR "Email Sender" ILIKE '%@icloud.com'
        OR "Email Sender" ILIKE '%@aol.com'
    )
GROUP BY
    sender_address, sender_domain, is_privacy_provider, log_source
HAVING
    COUNT(*) >= 2
    AND COUNT(DISTINCT "Email Recipient") >= 2
    AND (
        COUNT(DISTINCT "Email Recipient") >= 10
        OR (COUNT(DISTINCT "Email Recipient") >= 5 AND COUNT(*) >= 3)
        OR (
            LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) IN
            ('protonmail.com','proton.me','tutanota.com','tutamail.com','cock.li','disroot.org',
             'riseup.net','mailfence.com','guerrillamail.com','temp-mail.org','mailinator.com','yopmail.com')
            AND COUNT(DISTINCT "Email Recipient") >= 2
        )
    )
ORDER BY targeted_users DESC

medium severity medium confidence

Data Sources

Microsoft Exchange Server Microsoft Office 365 Management Activity API Proofpoint Protection Server Mimecast Secure Email Gateway

Required Tables

events

False Positives

Bulk recruitment outreach from talent acquisition platforms routing through Gmail or Outlook relay addresses, contacting multiple hiring managers simultaneously within the HAVING threshold window
Automated SaaS notification services that send operational alerts from a fixed free-provider address to multiple on-call or ops team recipients on a recurring schedule
External newsletter subscriptions forwarded internally via an email gateway rule, causing one external sender address to appear to target multiple internal recipients within a short burst window

Sumo Logic CSE

sql

_sourceCategory=email* OR _sourceCategory=mail_gateway* OR _sourceCategory=o365*
| parse regex "(?:SenderAddress|sender|from_address|From)\s*[=:\"]+\s*(?<sender_address>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:RecipientAddress|recipient|to_address|To)\s*[=:\"]+\s*(?<recipient>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:MessageDirection|direction|DeliveryAction)\s*[=:\"]+\s*(?<email_direction>[a-zA-Z]+)" nodrop
| where email_direction matches "(?i)inbound"
| parse regex field=sender_address "@(?<sender_domain>[a-zA-Z0-9.\-]+)$" nodrop
| toLowerCase sender_domain
| where sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com",
    "10minutemail.com", "throwam.com", "yopmail.com",
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "live.com", "icloud.com", "aol.com")
| parse regex "(?:AttachmentCount|attachment_count|has_attachment)\s*[=:\"]+\s*(?<attach_raw>[0-9a-zA-Z]+)" nodrop
| eval has_attachment = if (attach_raw matches "[1-9][0-9]*" or attach_raw matches "(?i)true", 1, 0)
| eval is_privacy_provider = if (sender_domain in (
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com", "yopmail.com"), 1, 0)
| count as email_count, count_distinct(recipient) as targeted_users,
    sum(has_attachment) as attachment_emails,
    min(_messagetime) as first_contact_ms, max(_messagetime) as last_contact_ms,
    max(is_privacy_provider) as is_privacy_provider
    by sender_address, sender_domain
| eval campaign_duration_hours = round((last_contact_ms - first_contact_ms) / 3600000, 1)
| eval rs_targets = if (targeted_users >= 10, 40, if (targeted_users >= 5, 25, if (targeted_users >= 2, 10, 0)))
| eval rs_provider = if (is_privacy_provider == 1, 25, if (targeted_users >= 3, 15, 0))
| eval rs_attach = if (attachment_emails >= 3, 20, if (attachment_emails >= 1, 10, 0))
| eval rs_burst = if (email_count >= 5 and campaign_duration_hours <= 2, 15, 0)
| eval risk_score = rs_targets + rs_provider + rs_attach + rs_burst
| where risk_score >= 25
| eval first_contact = formatDate(toLong(first_contact_ms), "yyyy-MM-dd HH:mm:ss")
| eval last_contact = formatDate(toLong(last_contact_ms), "yyyy-MM-dd HH:mm:ss")
| fields sender_address, sender_domain, is_privacy_provider, email_count, targeted_users,
    attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact
| sort by risk_score desc

medium severity medium confidence

Data Sources

Microsoft Office 365 Management Activity via Sumo Logic O365 App Microsoft Exchange message tracking logs via Sumo Logic installed collector Proofpoint on Demand via Sumo Logic Proofpoint App Postfix/Sendmail syslog via Sumo Logic syslog collector

Required Tables

_sourceCategory=email* _sourceCategory=mail_gateway* _sourceCategory=o365*

False Positives

B2B partners or freelancers who exclusively use personal Gmail or ProtonMail accounts for business correspondence and regularly email multiple stakeholders within the same organisation
Subscription confirmation or double-opt-in workflows where one external service address delivers messages to multiple internal test accounts during QA — particularly if your team uses shared recipient aliases that expand to individual mailboxes
Penetration test or red team email campaigns using privacy providers to simulate spearphishing — validate with the security team calendar before adjusting thresholds

Google Chronicle / SecOps

yaral

rule t1585_establish_accounts_email_campaign {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound multi-recipient email campaigns from privacy-focused or free email providers as T1585 Establish Accounts precursor activity"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585, T1585.001, T1585.002, T1585.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1585/"

  events:
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    $email.network.direction = "INBOUND"
    (
      re.regex($email.network.email.from,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|10minutemail\.com|throwam\.com|yopmail\.com)$`)
      or
      re.regex($email.network.email.from,
        `@(gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com)$`)
    )
    $sender = $email.network.email.from
    $recipient = $email.network.email.to

  match:
    $sender over 24h

  outcome:
    $email_count = count_distinct($email.metadata.id)
    $targeted_users = count_distinct($recipient)
    $has_attachment = max(
      if($email.network.email.subject != "" and
         strings.count($email.network.email.full_headers, "Content-Disposition: attachment") > 0, 1, 0)
    )
    $is_privacy_provider = max(
      if(re.regex($sender,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|yopmail\.com)$`), 1, 0)
    )
    $risk_score = (
      if($targeted_users >= 10, 40, if($targeted_users >= 5, 25, if($targeted_users >= 2, 10, 0)))
      + if($is_privacy_provider == 1, 25, if($targeted_users >= 3, 15, 0))
      + if($has_attachment == 1, 10, 0)
      + if($email_count >= 5, 15, 0)
    )

  condition:
    #email >= 3 and
    $targeted_users >= 2 and
    $risk_score >= 25
}

medium severity medium confidence

Data Sources

Google Workspace Gmail via Chronicle Google Workspace parser Microsoft Office 365 via Chronicle O365 UDM parser Proofpoint Email Protection via Chronicle Proofpoint parser Mimecast Email Security via Chronicle Mimecast parser

Required Tables

UDM EMAIL_TRANSACTION events

False Positives

Internal employee communications relayed through personal Gmail accounts when corporate email is unavailable — e.g. during an outage where employees BCC multiple colleagues from personal accounts
Third-party marketing automation platforms that send on behalf of a client using a Gmail relay address, contacting multiple recipients in your organisation as part of a legitimate campaign you opted into
Anonymous tip or whistleblower submissions from ProtonMail or Tutanota accounts sent to multiple contact addresses within the organisation — consider adding a HR/legal mailbox exclusion to the recipient filter

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale — requires email security logs ingested via Falcon for Email
// or a third-party email gateway integration (Proofpoint, Mimecast, O365)
// Field names assume O365/Exchange normalized schema; adjust for your integration

#repo = "email" OR sourcetype = "email" OR #event_simpleName = "EmailDeliveryEvent"
| direction = "Inbound" OR MessageDirection = "Inbound" OR direction = "inbound"
| regex("@(?P<sender_domain>[a-zA-Z0-9.\\-]+)$", field=SenderAddress, strict=false)
| sender_domain := lower(sender_domain)
| is_privacy_provider := if(
    sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
                      "cock.li", "disroot.org", "riseup.net", "mailfence.com",
                      "guerrillamail.com", "temp-mail.org", "mailinator.com",
                      "10minutemail.com", "throwam.com", "yopmail.com"),
    "true", "false"
  )
| is_free_provider := if(
    sender_domain in ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                      "live.com", "icloud.com", "aol.com"),
    "true", "false"
  )
| is_privacy_provider = "true" OR is_free_provider = "true"
| recipient_field := coalesce(RecipientAddress, recipient, ToAddress)
| attach_flag := if(coalesce(AttachmentCount, "0") != "0" AND coalesce(AttachmentCount, "0") != "", 1, 0)
| groupBy(
    [SenderAddress, sender_domain, is_privacy_provider],
    function=[
      count(as=email_count),
      count(recipient_field, distinct=true, as=targeted_users),
      sum(attach_flag, as=attachment_emails),
      min(@timestamp, as=first_contact_ms),
      max(@timestamp, as=last_contact_ms)
    ]
  )
| campaign_duration_hours := (last_contact_ms - first_contact_ms) / 3600000
| campaign_duration_hours := round(campaign_duration_hours, 1)
| rs_targets := case {
    targeted_users >= 10 | 40;
    targeted_users >= 5  | 25;
    targeted_users >= 2  | 10;
    *                    | 0
  }
| rs_provider := case {
    is_privacy_provider = "true"          | 25;
    targeted_users >= 3                   | 15;
    *                                     | 0
  }
| rs_attach := case {
    attachment_emails >= 3 | 20;
    attachment_emails >= 1 | 10;
    *                      | 0
  }
| rs_burst := case {
    email_count >= 5 AND campaign_duration_hours <= 2 | 15;
    *                                                 | 0
  }
| risk_score := rs_targets + rs_provider + rs_attach + rs_burst
| risk_score >= 25
| first_contact := formatTime("%Y-%m-%d %H:%M:%S", field=first_contact_ms, timezone="UTC")
| last_contact := formatTime("%Y-%m-%d %H:%M:%S", field=last_contact_ms, timezone="UTC")
| select([SenderAddress, sender_domain, is_privacy_provider, email_count, targeted_users,
          attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact])
| sort(field=risk_score, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon for Email Microsoft Office 365 via Azure Event Hub to LogScale Proofpoint Email Protection via LogScale integration Mimecast Email Security via LogScale SIEM connector

Required Tables

email repository or any LogScale repo ingesting email gateway events

False Positives

Sales or business development teams who receive high-volume contact campaigns from prospects using Gmail addresses — particularly SDR outreach sequences that contact multiple sales team members in rapid succession
Automated CI/CD or DevOps notification systems that relay build alerts or deployment notices from a Gmail-based service account to multiple engineering team members in a burst pattern
External audit or compliance firms conducting due diligence who contact multiple internal contacts from a ProtonMail address for privacy reasons — a pattern that mirrors the threat actor behaviour but is benign

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1585 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Establish Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Resource Development

Popular Detections