Which SIEM platforms have a T1585 detection rule?

df00tech provides T1585 (Establish Accounts) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Establish Accounts (T1585)?

Detecting Establish Accounts requires the following data sources: Microsoft Defender for Office 365.

What severity and confidence is the T1585 detection?

The T1585 detection is rated medium severity with medium confidence.

What are common false positives for T1585?

Common false positives for T1585 include: Legitimate mass newsletters or marketing emails from Gmail/Yahoo senders — filter by adding known sender domains to allowlist; Corporate recruitment contacts from candidates using personal email accounts targeting HR or hiring managers; External security researchers or vendors using ProtonMail for legitimate privacy reasons contacting security teams.

T1585

Establish Accounts

Resource Development Last updated: April 13, 2026

This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.

What is T1585 Establish Accounts?

Establish Accounts (T1585) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Establish Accounts, covering the data sources and telemetry it touches: Microsoft Defender for Office 365. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/

Microsoft Sentinel / Defender

kusto

let PrivacyEmailDomains = dynamic([
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com",
    "10minutemail.com", "throwam.com", "yopmail.com"
]);
let SuspiciousFreeProviders = dynamic([
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "live.com", "icloud.com", "aol.com"
]);
let LookbackDays = 14d;
EmailEvents
| where TimeGenerated > ago(LookbackDays)
| where DeliveryAction in ("Delivered", "Junked", "Blocked")
| where EmailDirection == "Inbound"
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| where SenderDomain in~ (PrivacyEmailDomains) or SenderDomain in~ (SuspiciousFreeProviders)
| summarize
    EmailCount = count(),
    TargetedUsers = dcount(RecipientEmailAddress),
    TargetedRecipients = make_set(RecipientEmailAddress, 10),
    AttachmentEmails = countif(AttachmentCount > 0),
    LinkEmails = countif(UrlCount > 0),
    DeliveredCount = countif(DeliveryAction == "Delivered"),
    JunkedCount = countif(DeliveryAction == "Junked"),
    SampleSubjects = make_set(Subject, 5),
    FirstContact = min(TimeGenerated),
    LastContact = max(TimeGenerated)
    by SenderFromAddress, SenderDomain
| extend
    CampaignDurationHours = datetime_diff("hour", LastContact, FirstContact),
    IsPrivacyProvider = SenderDomain in~ (PrivacyEmailDomains),
    IsFreeProvider = SenderDomain in~ (SuspiciousFreeProviders)
| extend RiskScore =
    // Multi-target contact is a strong signal
    case(TargetedUsers >= 10, 40, TargetedUsers >= 5, 25, TargetedUsers >= 2, 10, 0)
    // Privacy/anonymous providers weighted higher
    + case(IsPrivacyProvider, 25, IsFreeProvider and TargetedUsers >= 3, 15, 0)
    // Attachment-bearing emails increase risk
    + case(AttachmentEmails >= 3, 20, AttachmentEmails >= 1, 10, 0)
    // Link-only campaigns (credential harvest setup)
    + case(LinkEmails >= 5 and AttachmentEmails == 0, 15, LinkEmails >= 2, 8, 0)
    // Burst pattern within short window
    + case(EmailCount >= 5 and CampaignDurationHours <= 2, 15, 0)
| where RiskScore >= 25
| project
    TimeGenerated = FirstContact,
    SenderFromAddress,
    SenderDomain,
    IsPrivacyProvider,
    EmailCount,
    TargetedUsers,
    TargetedRecipients,
    AttachmentEmails,
    LinkEmails,
    DeliveredCount,
    JunkedCount,
    CampaignDurationHours,
    SampleSubjects,
    RiskScore,
    LastContact
| order by RiskScore desc

Detects inbound email campaigns from privacy-focused or free email providers targeting multiple employees, a behavioral signature of adversary persona-based spearphishing precursor activity. Scores risk based on provider type, number of targeted users, presence of attachments or links, and burst timing patterns consistent with automated persona-driven contact campaigns.

medium severity medium confidence

Data Sources

Microsoft Defender for Office 365

Required Tables

EmailEvents

False Positives

Legitimate mass newsletters or marketing emails from Gmail/Yahoo senders — filter by adding known sender domains to allowlist
Corporate recruitment contacts from candidates using personal email accounts targeting HR or hiring managers
External security researchers or vendors using ProtonMail for legitimate privacy reasons contacting security teams
Conference or event organizers using free email providers sending bulk invitations to multiple employees

Splunk

spl

index=email OR index=mail_logs sourcetype IN ("ms:o365:management", "exchange:message_tracking", "postfix:syslog", "proofpoint:mail")
| search direction="inbound" OR MessageDirection="Inbound" OR message_direction="inbound"
| eval sender_address=coalesce(sender, SenderAddress, from_address, "unknown")
| eval sender_domain=lower(replace(sender_address, ".*@", ""))
| eval is_privacy_provider=if(match(sender_domain, "protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|yopmail\.com"), 1, 0)
| eval is_free_provider=if(match(sender_domain, "gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com"), 1, 0)
| where is_privacy_provider=1 OR is_free_provider=1
| eval recipient=coalesce(recipient, RecipientAddress, to_address, "unknown")
| eval has_attachment=if(match(coalesce(attachment_names, AttachmentNames, ""), ".+"), 1, 0)
| eval has_link=if(match(coalesce(url_count, UrlCount, "0"), "[1-9]"), 1, 0)
| eval delivery_status=coalesce(DeliveryAction, delivery_action, MessageStatus, "unknown")
| stats
    count AS email_count,
    dc(recipient) AS targeted_users,
    values(recipient) AS recipient_list,
    sum(has_attachment) AS attachment_emails,
    sum(has_link) AS link_emails,
    values(subject) AS sample_subjects,
    min(_time) AS first_contact,
    max(_time) AS last_contact,
    max(is_privacy_provider) AS is_privacy_provider
    by sender_address, sender_domain
| eval campaign_duration_hours=round((last_contact - first_contact) / 3600, 1)
| eval risk_score=0
| eval risk_score=risk_score + case(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, true(), 0)
| eval risk_score=risk_score + case(is_privacy_provider=1, 25, targeted_users >= 3, 15, true(), 0)
| eval risk_score=risk_score + case(attachment_emails >= 3, 20, attachment_emails >= 1, 10, true(), 0)
| eval risk_score=risk_score + case(link_emails >= 5 AND attachment_emails=0, 15, link_emails >= 2, 8, true(), 0)
| eval risk_score=risk_score + case(email_count >= 5 AND campaign_duration_hours <= 2, 15, true(), 0)
| where risk_score >= 25
| eval first_contact_time=strftime(first_contact, "%Y-%m-%d %H:%M:%S")
| eval last_contact_time=strftime(last_contact, "%Y-%m-%d %H:%M:%S")
| table first_contact_time, sender_address, sender_domain, is_privacy_provider, email_count, targeted_users, recipient_list, attachment_emails, link_emails, campaign_duration_hours, sample_subjects, risk_score
| sort - risk_score

Detects inbound email campaigns from privacy-focused or free email providers targeting multiple internal recipients. Correlates sender domain type, recipient count, attachment/link presence, and burst timing to score persona-based contact campaigns consistent with T1585 account establishment precursor activity.

medium severity medium confidence

Data Sources

Microsoft 365 Management Logs Exchange Message Tracking Proofpoint Email Gateway

Required Sourcetypes

ms:o365:management exchange:message_tracking

False Positives

Legitimate bulk notifications from SaaS vendors or third-party services using free email infrastructure
Job applicants or external collaborators contacting multiple employees from personal Gmail/Yahoo accounts
Security awareness testing platforms sending simulated phishing from free email domains
Open source community contributors using ProtonMail contacting engineering teams about vulnerability disclosures

Elastic Security (EQL)

eql

any where event.category == "email" and
  email.direction == "inbound" and
  (
    email.from.address like "*@protonmail.com" or email.from.address like "*@proton.me" or
    email.from.address like "*@tutanota.com" or email.from.address like "*@tutamail.com" or
    email.from.address like "*@cock.li" or email.from.address like "*@disroot.org" or
    email.from.address like "*@riseup.net" or email.from.address like "*@mailfence.com" or
    email.from.address like "*@guerrillamail.com" or email.from.address like "*@temp-mail.org" or
    email.from.address like "*@mailinator.com" or email.from.address like "*@10minutemail.com" or
    email.from.address like "*@throwam.com" or email.from.address like "*@yopmail.com" or
    email.from.address like "*@gmail.com" or email.from.address like "*@yahoo.com" or
    email.from.address like "*@hotmail.com" or email.from.address like "*@outlook.com" or
    email.from.address like "*@live.com" or email.from.address like "*@icloud.com" or
    email.from.address like "*@aol.com"
  )

/* Deploy as an Elastic threshold rule:
   Group by: email.from.address
   Threshold: count >= 3 AND count_distinct(email.to.address) >= 2
   Time window: 24h
   For full risk-scored aggregation use ES|QL:
   FROM logs-email*
   | WHERE event.category == "email" AND email.direction == "inbound"
   | EVAL sender_domain = TO_LOWER(SPLIT(email.from.address, "@")[1])
   | EVAL is_privacy = CASE(sender_domain IN ("protonmail.com","proton.me","tutanota.com","tutamail.com","cock.li","disroot.org","riseup.net","mailfence.com","guerrillamail.com","temp-mail.org","mailinator.com","yopmail.com"), 1, 0)
   | EVAL is_free = CASE(sender_domain IN ("gmail.com","yahoo.com","hotmail.com","outlook.com","live.com","icloud.com","aol.com"), 1, 0)
   | WHERE is_privacy == 1 OR is_free == 1
   | STATS email_count = COUNT(*), targeted_users = COUNT_DISTINCT(email.to.address), attachment_emails = COUNT_DISTINCT(CASE(array_length(email.attachments.name) > 0, email.metadata.message_id, null)), first_contact = MIN(@timestamp), last_contact = MAX(@timestamp), is_privacy_provider = MAX(is_privacy) BY email.from.address, sender_domain
   | EVAL campaign_duration_hours = DATE_DIFF("hours", first_contact, last_contact)
   | EVAL risk_score = CASE(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, 0) + CASE(is_privacy_provider == 1, 25, targeted_users >= 3, 15, 0) + CASE(attachment_emails >= 3, 20, attachment_emails >= 1, 10, 0) + CASE(email_count >= 5 AND campaign_duration_hours <= 2, 15, 0)
   | WHERE risk_score >= 25
   | SORT risk_score DESC
*/

Detects inbound multi-recipient email campaigns from privacy-focused (ProtonMail, Tutanota, etc.) or free consumer email providers (Gmail, Yahoo, etc.) as indicators of T1585 Establish Accounts precursor activity. The EQL query is designed as a threshold rule base filter — configure with group-by email.from.address, threshold count >= 3, and count_distinct(email.to.address) >= 2 over 24h to enforce the multi-recipient signal. Full risk scoring with the same weighted algorithm as the KQL/SPL queries is provided as an ES|QL comment block for deployments using Elastic 8.11+ with ES|QL support. Requires email logs ingested via Elastic Filebeat (O365 module, Proofpoint module) or a compatible email security integration that populates ECS email.* fields.

medium severity medium confidence

Data Sources

Microsoft Defender for Office 365 via Elastic O365 module Proofpoint Email Protection via Filebeat Proofpoint module Mimecast via Elastic integration Google Workspace Gmail via Elastic Google Workspace module

Required Tables

logs-email* logs-o365* logs-google_workspace*

False Positives

Legitimate SMB vendors or contractors who use personal Gmail or Outlook accounts as their primary business email contacting multiple employees about a project or proposal
Job applicants submitting CVs from personal email accounts to HR, where internal forwarding to multiple reviewers inflates the recipient count per external sender
Security awareness phishing simulation platforms that route test campaigns through privacy provider relay addresses — coordinate with the red team to whitelist campaign sender infrastructure before tuning thresholds

IBM QRadar (AQL)

sql

SELECT
    "Email Sender" AS sender_address,
    LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) AS sender_domain,
    COUNT(*) AS email_count,
    COUNT(DISTINCT "Email Recipient") AS targeted_users,
    SUM(CASE WHEN "Email Has Attachment" ILIKE 'true' OR LONG(COALESCE("Attachment Count", '0')) > 0 THEN 1 ELSE 0 END) AS attachment_emails,
    SUM(CASE WHEN LONG(COALESCE("URL Count", '0')) > 0 THEN 1 ELSE 0 END) AS link_emails,
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_contact,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_contact,
    ROUND((LONG(MAX(starttime)) - LONG(MIN(starttime))) / 3600, 1) AS campaign_duration_hours,
    CASE WHEN LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) IN
         ('protonmail.com','proton.me','tutanota.com','tutamail.com','cock.li',
          'disroot.org','riseup.net','mailfence.com','guerrillamail.com',
          'temp-mail.org','mailinator.com','10minutemail.com','throwam.com','yopmail.com')
    THEN 1 ELSE 0 END AS is_privacy_provider,
    LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
    LOGSOURCETYPEID IN (143, 352, 387, 433)
    AND (
        "Email Direction" ILIKE 'inbound'
        OR "Message Direction" ILIKE 'inbound'
        OR devicedirection = 1
    )
    AND starttime >= DATEADD('day', -14, now())
    AND (
        "Email Sender" ILIKE '%@protonmail.com'
        OR "Email Sender" ILIKE '%@proton.me'
        OR "Email Sender" ILIKE '%@tutanota.com'
        OR "Email Sender" ILIKE '%@tutamail.com'
        OR "Email Sender" ILIKE '%@cock.li'
        OR "Email Sender" ILIKE '%@disroot.org'
        OR "Email Sender" ILIKE '%@riseup.net'
        OR "Email Sender" ILIKE '%@mailfence.com'
        OR "Email Sender" ILIKE '%@guerrillamail.com'
        OR "Email Sender" ILIKE '%@temp-mail.org'
        OR "Email Sender" ILIKE '%@mailinator.com'
        OR "Email Sender" ILIKE '%@10minutemail.com'
        OR "Email Sender" ILIKE '%@throwam.com'
        OR "Email Sender" ILIKE '%@yopmail.com'
        OR "Email Sender" ILIKE '%@gmail.com'
        OR "Email Sender" ILIKE '%@yahoo.com'
        OR "Email Sender" ILIKE '%@hotmail.com'
        OR "Email Sender" ILIKE '%@outlook.com'
        OR "Email Sender" ILIKE '%@live.com'
        OR "Email Sender" ILIKE '%@icloud.com'
        OR "Email Sender" ILIKE '%@aol.com'
    )
GROUP BY
    sender_address, sender_domain, is_privacy_provider, log_source
HAVING
    COUNT(*) >= 2
    AND COUNT(DISTINCT "Email Recipient") >= 2
    AND (
        COUNT(DISTINCT "Email Recipient") >= 10
        OR (COUNT(DISTINCT "Email Recipient") >= 5 AND COUNT(*) >= 3)
        OR (
            LOWER(SUBSTRING("Email Sender", LOCATE('@', "Email Sender") + 1, LENGTH("Email Sender"))) IN
            ('protonmail.com','proton.me','tutanota.com','tutamail.com','cock.li','disroot.org',
             'riseup.net','mailfence.com','guerrillamail.com','temp-mail.org','mailinator.com','yopmail.com')
            AND COUNT(DISTINCT "Email Recipient") >= 2
        )
    )
ORDER BY targeted_users DESC

QRadar AQL detection for inbound multi-recipient email campaigns from privacy or free email providers over a 14-day lookback window. LOGSOURCETYPEID values target Microsoft Exchange (143), Microsoft Office 365 (352), Proofpoint Protection Server (387), and Mimecast (433) — verify actual IDs in your QRadar deployment via Admin > Log Source Management. Custom Event Properties 'Email Sender', 'Email Recipient', 'Email Direction', 'Email Has Attachment', 'URL Count', and 'Attachment Count' must be defined and mapped via DSM Editor or Log Source Extension. The HAVING clause encodes the key thresholds from the risk scoring model: privacy provider + 2+ recipients, or 5+ recipients from any provider, or 10+ recipients unconditionally. For full per-event risk scoring, chain this base query into a QRadar Custom Rule or Rule Response Limiter that applies the weighted score logic.

medium severity medium confidence

Data Sources

Microsoft Exchange Server Microsoft Office 365 Management Activity API Proofpoint Protection Server Mimecast Secure Email Gateway

Required Tables

events

False Positives

Bulk recruitment outreach from talent acquisition platforms routing through Gmail or Outlook relay addresses, contacting multiple hiring managers simultaneously within the HAVING threshold window
Automated SaaS notification services that send operational alerts from a fixed free-provider address to multiple on-call or ops team recipients on a recurring schedule
External newsletter subscriptions forwarded internally via an email gateway rule, causing one external sender address to appear to target multiple internal recipients within a short burst window

Sumo Logic CSE

sql

_sourceCategory=email* OR _sourceCategory=mail_gateway* OR _sourceCategory=o365*
| parse regex "(?:SenderAddress|sender|from_address|From)\s*[=:\"]+\s*(?<sender_address>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:RecipientAddress|recipient|to_address|To)\s*[=:\"]+\s*(?<recipient>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:MessageDirection|direction|DeliveryAction)\s*[=:\"]+\s*(?<email_direction>[a-zA-Z]+)" nodrop
| where email_direction matches "(?i)inbound"
| parse regex field=sender_address "@(?<sender_domain>[a-zA-Z0-9.\-]+)$" nodrop
| toLowerCase sender_domain
| where sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com",
    "10minutemail.com", "throwam.com", "yopmail.com",
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "live.com", "icloud.com", "aol.com")
| parse regex "(?:AttachmentCount|attachment_count|has_attachment)\s*[=:\"]+\s*(?<attach_raw>[0-9a-zA-Z]+)" nodrop
| eval has_attachment = if (attach_raw matches "[1-9][0-9]*" or attach_raw matches "(?i)true", 1, 0)
| eval is_privacy_provider = if (sender_domain in (
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com", "yopmail.com"), 1, 0)
| count as email_count, count_distinct(recipient) as targeted_users,
    sum(has_attachment) as attachment_emails,
    min(_messagetime) as first_contact_ms, max(_messagetime) as last_contact_ms,
    max(is_privacy_provider) as is_privacy_provider
    by sender_address, sender_domain
| eval campaign_duration_hours = round((last_contact_ms - first_contact_ms) / 3600000, 1)
| eval rs_targets = if (targeted_users >= 10, 40, if (targeted_users >= 5, 25, if (targeted_users >= 2, 10, 0)))
| eval rs_provider = if (is_privacy_provider == 1, 25, if (targeted_users >= 3, 15, 0))
| eval rs_attach = if (attachment_emails >= 3, 20, if (attachment_emails >= 1, 10, 0))
| eval rs_burst = if (email_count >= 5 and campaign_duration_hours <= 2, 15, 0)
| eval risk_score = rs_targets + rs_provider + rs_attach + rs_burst
| where risk_score >= 25
| eval first_contact = formatDate(toLong(first_contact_ms), "yyyy-MM-dd HH:mm:ss")
| eval last_contact = formatDate(toLong(last_contact_ms), "yyyy-MM-dd HH:mm:ss")
| fields sender_address, sender_domain, is_privacy_provider, email_count, targeted_users,
    attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact
| sort by risk_score desc

Sumo Logic detection query identifying inbound multi-recipient email campaigns from privacy-focused or free consumer email providers consistent with T1585 Establish Accounts precursor activity. Uses regex-based field extraction with nodrop to handle multiple log source formats (Exchange, O365, Proofpoint, Postfix). Applies the same weighted risk scoring as the reference KQL/SPL: targeting breadth, provider anonymity, attachment presence, and burst pattern. Requires email logs flowing to a _sourceCategory matching email*, mail_gateway*, or o365*. Field names in the parse regex patterns (SenderAddress, RecipientAddress, AttachmentCount) reflect common O365 and Exchange DSM output — adjust the parse patterns to match your specific log format. count_distinct() requires Sumo Logic 2023.1+ or Enterprise tier; on older deployments substitute with a two-pass join using a separate count_distinct subquery.

medium severity medium confidence

Data Sources

Microsoft Office 365 Management Activity via Sumo Logic O365 App Microsoft Exchange message tracking logs via Sumo Logic installed collector Proofpoint on Demand via Sumo Logic Proofpoint App Postfix/Sendmail syslog via Sumo Logic syslog collector

Required Tables

_sourceCategory=email* _sourceCategory=mail_gateway* _sourceCategory=o365*

False Positives

B2B partners or freelancers who exclusively use personal Gmail or ProtonMail accounts for business correspondence and regularly email multiple stakeholders within the same organisation
Subscription confirmation or double-opt-in workflows where one external service address delivers messages to multiple internal test accounts during QA — particularly if your team uses shared recipient aliases that expand to individual mailboxes
Penetration test or red team email campaigns using privacy providers to simulate spearphishing — validate with the security team calendar before adjusting thresholds

Google Chronicle / SecOps

yaral

rule t1585_establish_accounts_email_campaign {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound multi-recipient email campaigns from privacy-focused or free email providers as T1585 Establish Accounts precursor activity"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585, T1585.001, T1585.002, T1585.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1585/"

  events:
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    $email.network.direction = "INBOUND"
    (
      re.regex($email.network.email.from,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|10minutemail\.com|throwam\.com|yopmail\.com)$`)
      or
      re.regex($email.network.email.from,
        `@(gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com)$`)
    )
    $sender = $email.network.email.from
    $recipient = $email.network.email.to

  match:
    $sender over 24h

  outcome:
    $email_count = count_distinct($email.metadata.id)
    $targeted_users = count_distinct($recipient)
    $has_attachment = max(
      if($email.network.email.subject != "" and
         strings.count($email.network.email.full_headers, "Content-Disposition: attachment") > 0, 1, 0)
    )
    $is_privacy_provider = max(
      if(re.regex($sender,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|yopmail\.com)$`), 1, 0)
    )
    $risk_score = (
      if($targeted_users >= 10, 40, if($targeted_users >= 5, 25, if($targeted_users >= 2, 10, 0)))
      + if($is_privacy_provider == 1, 25, if($targeted_users >= 3, 15, 0))
      + if($has_attachment == 1, 10, 0)
      + if($email_count >= 5, 15, 0)
    )

  condition:
    #email >= 3 and
    $targeted_users >= 2 and
    $risk_score >= 25
}

Chronicle YARA-L 2.0 rule detecting inbound multi-recipient email campaigns from privacy-focused or free consumer email providers over a 24-hour match window, consistent with T1585 Establish Accounts resource development activity. Groups events by sender address ($sender over 24h) and applies count_distinct to measure unique recipient breadth. The outcome block computes a weighted risk score mirroring the KQL/SPL logic — privacy provider bonus (25pts), recipient breadth tiers (10-40pts), attachment presence (10pts), and volume burst (15pts) — with a threshold of 25 to fire. Requires Chronicle UDM email ingestion via a supported email security parser (Google Workspace, Microsoft 365, Proofpoint, Mimecast). The attachment detection heuristic using full_headers is a best-effort approximation — tune based on your parser's actual header normalisation. If network.email.full_headers is not populated, remove the $has_attachment outcome and its risk contribution.

medium severity medium confidence

Data Sources

Google Workspace Gmail via Chronicle Google Workspace parser Microsoft Office 365 via Chronicle O365 UDM parser Proofpoint Email Protection via Chronicle Proofpoint parser Mimecast Email Security via Chronicle Mimecast parser

Required Tables

UDM EMAIL_TRANSACTION events

False Positives

Internal employee communications relayed through personal Gmail accounts when corporate email is unavailable — e.g. during an outage where employees BCC multiple colleagues from personal accounts
Third-party marketing automation platforms that send on behalf of a client using a Gmail relay address, contacting multiple recipients in your organisation as part of a legitimate campaign you opted into
Anonymous tip or whistleblower submissions from ProtonMail or Tutanota accounts sent to multiple contact addresses within the organisation — consider adding a HR/legal mailbox exclusion to the recipient filter

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale — requires email security logs ingested via Falcon for Email
// or a third-party email gateway integration (Proofpoint, Mimecast, O365)
// Field names assume O365/Exchange normalized schema; adjust for your integration

#repo = "email" OR sourcetype = "email" OR #event_simpleName = "EmailDeliveryEvent"
| direction = "Inbound" OR MessageDirection = "Inbound" OR direction = "inbound"
| regex("@(?P<sender_domain>[a-zA-Z0-9.\\-]+)$", field=SenderAddress, strict=false)
| sender_domain := lower(sender_domain)
| is_privacy_provider := if(
    sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
                      "cock.li", "disroot.org", "riseup.net", "mailfence.com",
                      "guerrillamail.com", "temp-mail.org", "mailinator.com",
                      "10minutemail.com", "throwam.com", "yopmail.com"),
    "true", "false"
  )
| is_free_provider := if(
    sender_domain in ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                      "live.com", "icloud.com", "aol.com"),
    "true", "false"
  )
| is_privacy_provider = "true" OR is_free_provider = "true"
| recipient_field := coalesce(RecipientAddress, recipient, ToAddress)
| attach_flag := if(coalesce(AttachmentCount, "0") != "0" AND coalesce(AttachmentCount, "0") != "", 1, 0)
| groupBy(
    [SenderAddress, sender_domain, is_privacy_provider],
    function=[
      count(as=email_count),
      count(recipient_field, distinct=true, as=targeted_users),
      sum(attach_flag, as=attachment_emails),
      min(@timestamp, as=first_contact_ms),
      max(@timestamp, as=last_contact_ms)
    ]
  )
| campaign_duration_hours := (last_contact_ms - first_contact_ms) / 3600000
| campaign_duration_hours := round(campaign_duration_hours, 1)
| rs_targets := case {
    targeted_users >= 10 | 40;
    targeted_users >= 5  | 25;
    targeted_users >= 2  | 10;
    *                    | 0
  }
| rs_provider := case {
    is_privacy_provider = "true"          | 25;
    targeted_users >= 3                   | 15;
    *                                     | 0
  }
| rs_attach := case {
    attachment_emails >= 3 | 20;
    attachment_emails >= 1 | 10;
    *                      | 0
  }
| rs_burst := case {
    email_count >= 5 AND campaign_duration_hours <= 2 | 15;
    *                                                 | 0
  }
| risk_score := rs_targets + rs_provider + rs_attach + rs_burst
| risk_score >= 25
| first_contact := formatTime("%Y-%m-%d %H:%M:%S", field=first_contact_ms, timezone="UTC")
| last_contact := formatTime("%Y-%m-%d %H:%M:%S", field=last_contact_ms, timezone="UTC")
| select([SenderAddress, sender_domain, is_privacy_provider, email_count, targeted_users,
          attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact])
| sort(field=risk_score, order=desc)

CrowdStrike LogScale (Humio) query detecting inbound multi-recipient email campaigns from privacy-focused or free email providers. Applies the full weighted risk scoring model (targeting breadth, provider anonymity, attachment presence, burst pattern) with a threshold of 25 to surface high-confidence signals consistent with T1585 account establishment precursor activity. Requires email security logs to be ingested into a LogScale repository — supported via Falcon for Email, Proofpoint LogScale integration, Mimecast SIEM integration, or Microsoft 365 via an Azure Event Hub connector. Field names (SenderAddress, RecipientAddress, AttachmentCount, MessageDirection) reflect O365 Management API schema; use coalesce() blocks to add alternative field names for other sources. The time window defaults to the LogScale repository retention period — add a @timestamp filter (e.g. @timestamp > now() - 14d) at the top to match the 14-day KQL lookback. The regex field extraction uses strict=false to avoid dropping events where SenderAddress is missing or malformed.

medium severity medium confidence

Data Sources

CrowdStrike Falcon for Email Microsoft Office 365 via Azure Event Hub to LogScale Proofpoint Email Protection via LogScale integration Mimecast Email Security via LogScale SIEM connector

Required Tables

email repository or any LogScale repo ingesting email gateway events

False Positives

Sales or business development teams who receive high-volume contact campaigns from prospects using Gmail addresses — particularly SDR outreach sequences that contact multiple sales team members in rapid succession
Automated CI/CD or DevOps notification systems that relay build alerts or deployment notices from a Gmail-based service account to multiple engineering team members in a burst pattern
External audit or compliance firms conducting due diligence who contact multiple internal contacts from a ProtonMail address for privacy reasons — a pattern that mirrors the threat actor behaviour but is benign

Sigma rule & cross-platform mapping

The detection logic for Establish Accounts (T1585) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1585 Sigma rules on detection.fyi

Platform-specific guides for T1585

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Persona-Based Inbound Email Campaign from Privacy Provider
Expected signal: EmailEvents table in Microsoft Defender for Office 365 should show matching records; Message Trace output confirms telemetry is flowing for privacy-provider senders
Test 2Test Network Detection for Social Media Account Registration Activity
Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths
Test 3Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)
Expected signal: AuditLogs in Azure AD / Microsoft Sentinel: Operation=Add application or Invite external user, Category=ApplicationManagement or UserManagement. CloudAppEvents table should show account creation activity.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1585 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Establish Accounts

What is T1585 Establish Accounts?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1585

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Resource Development

Popular Detections

What is T1585 Establish Accounts?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1585

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Resource Development

Popular Detections

Get new detections in your inbox