T1585.002

Email Accounts

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

Microsoft Sentinel / Defender

kusto

let DisposableAndAnonEmailDomains = dynamic([
    "protonmail.com", "protonmail.ch", "pm.me",
    "tutanota.com", "tutanota.de", "tutanota.org", "tuta.io", "tuta.com",
    "guerrillamail.com", "guerrillamail.net", "guerrillamail.org",
    "guerrillamail.biz", "guerrillamail.de", "guerrillamail.info",
    "grr.la", "sharklasers.com", "guerrillamailblock.com",
    "spam4.me", "trashmail.com", "trashmail.io", "trashmail.net",
    "mailnull.com", "spamgourmet.com", "yopmail.com",
    "10minutemail.com", "tempmail.com", "throwam.com",
    "mailnesia.com", "maildrop.cc", "dispostable.com",
    "discard.email", "fakeinbox.com", "mailinator.com",
    "getairmail.com", "getnada.com", "tempr.email",
    "cock.li", "airmail.cc", "danwin1210.de"
]);
let FreeEmailProviders = dynamic([
    "gmail.com", "yahoo.com", "yahoo.co.uk", "yahoo.fr",
    "outlook.com", "hotmail.com", "hotmail.co.uk", "live.com",
    "aol.com", "icloud.com", "me.com", "msn.com"
]);
let RoleImpersonationPrefixes = dynamic([
    "it-", "it_", "it.", "helpdesk", "help-desk", "help_desk",
    "support", "noreply", "no-reply", "no_reply",
    "security", "securityteam", "security-team", "security_team",
    "admin", "administrator", "sysadmin", "sys-admin",
    "billing", "payroll", "finance", "accounting", "treasury",
    "legal", "hr", "humanresources", "human-resources",
    "ceo", "cfo", "cto", "coo", "president",
    "director", "management", "executive"
]);
let HighValueRecipientKeywords = dynamic([
    "ceo", "cfo", "cto", "coo", "president", "vp", "vice-president",
    "director", "finance", "payroll", "accounting", "treasury",
    "legal", "security", "helpdesk", "it", "sysadmin", "admin"
]);
EmailEvents
| where Timestamp > ago(24h)
| where EmailDirection == "Inbound"
| extend SenderDomain = tolower(SenderFromDomain)
| extend SenderAddr = tolower(SenderFromAddress)
| extend RecipientAddr = tolower(RecipientEmailAddress)
| extend SenderLocalPart = tostring(split(SenderAddr, "@")[0])
| extend IsDisposableDomain = SenderDomain has_any (DisposableAndAnonEmailDomains)
| extend IsFreeDomain = SenderDomain has_any (FreeEmailProviders)
| extend IsRoleImpersonation = (IsDisposableDomain or IsFreeDomain)
    and SenderLocalPart has_any (RoleImpersonationPrefixes)
| extend IsHighValueTarget = RecipientAddr has_any (HighValueRecipientKeywords)
| extend AuthFailed = AuthenticationDetails has_any ("fail", "softfail", "none")
    and not (AuthenticationDetails has "pass")
| extend AuthPartialFail = AuthenticationDetails has_any ("fail", "softfail")
| extend RiskScore = toint(IsDisposableDomain) * 2
    + toint(IsRoleImpersonation) * 3
    + toint(IsHighValueTarget) * 2
    + toint(AuthFailed) * 2
    + toint(AuthPartialFail)
| where RiskScore >= 3
    or IsRoleImpersonation == true
    or (IsDisposableDomain and IsHighValueTarget)
| project
    Timestamp, SenderFromAddress, SenderDomain, SenderLocalPart,
    RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryLocation,
    ThreatTypes, DetectionMethods, AuthenticationDetails,
    IsDisposableDomain, IsFreeDomain, IsRoleImpersonation,
    IsHighValueTarget, AuthFailed, RiskScore,
    SenderIPv4, SenderIPv6, NetworkMessageId, InternetMessageId
| sort by RiskScore desc, Timestamp desc

medium severity medium confidence

Data Sources

Email: Email Message Network Traffic: Network Traffic Content Microsoft 365 Defender — EmailEvents Microsoft Defender for Office 365

Required Tables

EmailEvents

False Positives

Legitimate vendors or contractors who communicate via ProtonMail or other privacy-focused email providers for confidentiality reasons
Automated service notifications from platforms that use role-based sender names at free email providers (e.g., [email protected] for small SaaS services)
Job applicants submitting resumes to HR addresses using disposable email services to protect their personal address
Security researchers or third-party pen testers using anonymous email providers during authorized assessments — verify against active engagement records
International partners or small businesses that rely on free email providers due to lack of corporate email infrastructure

Splunk

spl

index=o365 sourcetype="ms:o365:management" Workload=Exchange
| spath
| eval SenderAddress=lower(coalesce('SenderAddress', 'From', ""))
| eval SenderDomain=if(match(SenderAddress, "@"), replace(SenderAddress, ".*@", ""), null())
| eval RecipientAddress=lower(coalesce('RecipientAddress', 'DestAddress', 'To', ""))
| eval Subject=coalesce(Subject, "")
| eval IsDisposable=if(match(SenderDomain,
    "(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc)"),
    1, 0)
| eval IsFree=if(match(SenderDomain,
    "(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)"),
    1, 0)
| eval IsRoleImpersonation=if((IsDisposable=1 OR IsFree=1) AND match(SenderAddress,
    "^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|sec[-_]?team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@"),
    1, 0)
| eval IsHighValueTarget=if(match(RecipientAddress,
    "(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin)"),
    1, 0)
| eval AuthFail=if(match(lower(AuthenticationDetails), "(fail|softfail)") AND NOT match(lower(AuthenticationDetails), "pass"), 1, 0)
| eval RiskScore=(IsDisposable * 2) + (IsRoleImpersonation * 3) + (IsHighValueTarget * 2) + (AuthFail * 2) + IsFree
| where RiskScore >= 3 OR IsRoleImpersonation=1 OR (IsDisposable=1 AND IsHighValueTarget=1)
| table _time, SenderAddress, SenderDomain, RecipientAddress, Subject, Operation, ClientIP,
        IsDisposable, IsFree, IsRoleImpersonation, IsHighValueTarget, AuthFail, RiskScore
| sort - RiskScore - _time

medium severity medium confidence

Data Sources

Email: Email Message Office 365 Exchange Audit Logs Microsoft 365 Management Activity API

Required Sourcetypes

ms:o365:management

False Positives

Legitimate vendors or contractors using ProtonMail or free email providers for privacy
Automated service notifications using role-sounding sender names at free providers
Job applicants using disposable email services to contact HR
Authorized red team engagements testing email security controls
Small business partners without corporate email infrastructure using Gmail or Yahoo

Elastic Security (EQL)

eql

sequence by source.ip
  [network where event.dataset == "email" and email.direction == "inbound"
    and (
      email.from.address : ("*@protonmail.com", "*@protonmail.ch", "*@pm.me", "*@tutanota.com", "*@tutanota.de", "*@tutanota.org", "*@tuta.io", "*@tuta.com", "*@guerrillamail.com", "*@guerrillamail.net", "*@guerrillamail.org", "*@guerrillamail.biz", "*@guerrillamail.de", "*@guerrillamail.info", "*@grr.la", "*@sharklasers.com", "*@guerrillamailblock.com", "*@spam4.me", "*@trashmail.com", "*@trashmail.io", "*@trashmail.net", "*@mailnull.com", "*@spamgourmet.com", "*@yopmail.com", "*@10minutemail.com", "*@tempmail.com", "*@throwam.com", "*@mailnesia.com", "*@maildrop.cc", "*@dispostable.com", "*@discard.email", "*@fakeinbox.com", "*@mailinator.com", "*@getairmail.com", "*@getnada.com", "*@tempr.email", "*@cock.li", "*@airmail.cc", "*@danwin1210.de", "*@gmail.com", "*@yahoo.com", "*@yahoo.co.uk", "*@yahoo.fr", "*@outlook.com", "*@hotmail.com", "*@hotmail.co.uk", "*@live.com", "*@aol.com", "*@icloud.com", "*@me.com", "*@msn.com")
      or email.from.address : ("it-*", "it_*", "it.*", "helpdesk*", "help-desk*", "support*", "noreply*", "no-reply*", "no_reply*", "security*", "admin*", "administrator*", "sysadmin*", "billing*", "payroll*", "finance*", "accounting*", "treasury*", "legal*", "hr*", "humanresources*", "ceo*", "cfo*", "cto*", "coo*", "president*", "director*", "management*", "executive*")
    )
  ] with runs=1

high severity medium confidence

Data Sources

Email gateway logs (Elastic Email integration) Microsoft 365 Defender email events via Elastic Agent Postfix/Sendmail logs with ECS normalization Proofpoint, Mimecast, or similar SEG with Elastic integration

Required Tables

logs-email.* logs-o365.audit-* logs-microsoft_365_defender.email_events-*

False Positives

Legitimate vendors or contractors who use personal Gmail or Outlook accounts for business communication with finance or HR departments
IT support staff at partner organizations using helpdesk@ addresses on free mail providers for inter-company collaboration
Executive assistants reaching out on behalf of leadership using shared role-based mailboxes hosted on free providers in smaller organizations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SenderIP,
  username AS SenderAddress,
  "destinationaddress" AS RecipientAddress,
  "URL" AS Subject,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  CASE
    WHEN LOWER(username) MATCHES '.*@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)'
      THEN 1 ELSE 0
  END AS IsDisposable,
  CASE
    WHEN LOWER(username) MATCHES '.*@(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)'
      THEN 1 ELSE 0
  END AS IsFree,
  CASE
    WHEN LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@.*'
      THEN 1 ELSE 0
  END AS IsRoleImpersonation,
  CASE
    WHEN LOWER("destinationaddress") MATCHES '.*(ceo|cfo|cto|coo|president|vp|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin).*'
      THEN 1 ELSE 0
  END AS IsHighValueTarget
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Exchange', 'Postfix Mail Server', 'Proofpoint Protection Server', 'Mimecast', 'Symantec Messaging Gateway')
  AND CATEGORYNAME(category) LIKE '%Mail%'
  AND devicetime > NOW() - 86400000
  AND (
    (
      CASE WHEN LOWER(username) MATCHES '.*@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)' THEN 1 ELSE 0 END
      + CASE WHEN LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@.*' THEN 3 ELSE 0 END
      + CASE WHEN LOWER("destinationaddress") MATCHES '.*(ceo|cfo|cto|coo|president|vp|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin).*' THEN 2 ELSE 0 END
    ) >= 3
    OR LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|gmail\.com|yahoo\.com|outlook\.com|hotmail\.com)'
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Exchange log source in QRadar Proofpoint Protection Server DSM Mimecast DSM Postfix Mail Server DSM Symantec Messaging Gateway DSM

Required Tables

events

False Positives

Security awareness training platforms (KnowBe4, Proofpoint TAP) that simulate phishing using free email domains in controlled phishing simulations
Automated notification services from SaaS vendors that use shared free-tier email infrastructure for transactional alerts to finance or IT teams
Recruiters and staffing agencies contacting HR using personal Gmail accounts, triggering high-value-target hits on humanresources@ addresses

Sumo Logic CSE

sql

_sourceCategory=email* OR _sourceCategory=exchange* OR _sourceCategory=o365*
| parse "From: *" as raw_sender nodrop
| parse "To: *" as raw_recipient nodrop
| parse "Subject: *" as subject nodrop
| eval sender = toLowerCase(raw_sender)
| eval recipient = toLowerCase(raw_recipient)
| eval sender_domain = replace(sender, ".*@", "")
| eval sender_local = replace(sender, "@.*", "")
| eval is_disposable = if(matches(sender_domain, "protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de"), 1, 0)
| eval is_free = if(matches(sender_domain, "gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com"), 1, 0)
| eval is_role_impersonation = if((is_disposable == 1 OR is_free == 1) AND matches(sender_local, "^(it[-_.].*|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)$"), 1, 0)
| eval is_high_value_target = if(matches(recipient, "(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)"), 1, 0)
| eval risk_score = (is_disposable * 2) + (is_role_impersonation * 3) + (is_high_value_target * 2) + is_free
| where risk_score >= 3 OR is_role_impersonation == 1 OR (is_disposable == 1 AND is_high_value_target == 1)
| fields _messagetime, sender, sender_domain, sender_local, recipient, subject, is_disposable, is_free, is_role_impersonation, is_high_value_target, risk_score
| sort by risk_score desc, _messagetime desc

high severity medium confidence

Data Sources

Email gateway logs (Proofpoint, Mimecast, Barracuda) Microsoft Exchange message tracking logs Office 365 audit logs via Sumo Logic O365 collector Postfix/Sendmail syslog forwarded to Sumo Logic

Required Tables

_sourceCategory=email* _sourceCategory=exchange* _sourceCategory=o365*

False Positives

Cold sales outreach from vendors using personal Gmail accounts targeting sales@ or info@ that also match high-value keyword patterns like director or finance
Automated invoice delivery systems from small accounting firms that use shared protonmail accounts for client communication
Security researchers or red team operators during authorized engagements using disposable domains to contact IT security teams

Google Chronicle / SecOps

yaral

rule t1585_002_adversary_email_account_inbound {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound email from disposable/anonymous/free webmail providers with role-impersonating sender addresses or high-value recipient targeting (T1585.002)"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.002"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.network.direction = "INBOUND"

    // Capture sender and recipient for variable binding
    $sender_email = $e.principal.user.email_addresses
    $recipient_email = $e.target.user.email_addresses

    // Match disposable or free email provider domains
    (
      re.regex($sender_email,
        `(?i)@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de|gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)$`)
      or
      // Role-impersonating local part from any external free/disposable domain
      re.regex($sender_email,
        `(?i)^(it[-_.]|helpdesk|help[-_]desk|support|noreply|no[-_]reply|security|securityteam|security[-_]team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|hr|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@`)
    )

    // AND targets a high-value recipient
    re.regex($recipient_email,
      `(?i)(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Workspace Gmail logs ingested into Chronicle Microsoft 365 email logs via Chronicle M365 connector Proofpoint or Mimecast email gateway logs normalized to UDM Chronicle email UDM events from any supported email log source

Required Tables

EMAIL_TRANSACTION UDM events

False Positives

Legitimate external partners using ProtonMail for privacy-sensitive communications with legal or compliance teams
IT consultants using personal Gmail accounts for project communications with internal sysadmin or helpdesk teams
Automated email alerts from external SaaS platforms using shared free-tier email infrastructure addressed to finance or treasury contacts

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Humio) — T1585.002 Adversary Email Account Detection
// Requires: Falcon for IT Hygiene email data or O365/Exchange connector
#event_simpleName=EmailMessageIngested OR #event_simpleName=O365EmailEvent OR event.category=email

| lower(SenderAddress) as sender_addr
| lower(RecipientAddress) as recipient_addr
| regex("@(?P<sender_domain>[^@]+)$", field=sender_addr, strict=false)
| regex("^(?P<sender_local>[^@]+)@", field=sender_addr, strict=false)

// Classify disposable domain
| IsDisposable := if(
    match(field=sender_domain, regex="(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)"),
    then=1, else=0)

// Classify free email provider
| IsFree := if(
    match(field=sender_domain, regex="(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)"),
    then=1, else=0)

// Classify role impersonation
| IsRoleImpersonation := if(
    (IsDisposable=1 OR IsFree=1) AND
    match(field=sender_local, regex="^(it[-_.].*|helpdesk|help[-_]desk|support|noreply|no[-_]reply|security|securityteam|security[-_]team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|hr|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)$"),
    then=1, else=0)

// Classify high-value target
| IsHighValueTarget := if(
    match(field=recipient_addr, regex="(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)"),
    then=1, else=0)

// Compute risk score
| RiskScore := (IsDisposable * 2) + (IsRoleImpersonation * 3) + (IsHighValueTarget * 2) + IsFree

// Filter to actionable alerts
| where RiskScore >= 3 OR IsRoleImpersonation=1 OR (IsDisposable=1 AND IsHighValueTarget=1)

| table([timestamp, sender_addr, sender_domain, sender_local, recipient_addr, Subject, IsDisposable, IsFree, IsRoleImpersonation, IsHighValueTarget, RiskScore, ClientIP])
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

Falcon for IT Hygiene with Office 365 connector CrowdStrike Falcon O365 email event telemetry Microsoft Exchange on-premises logs via Falcon LogScale collector Proofpoint or Mimecast forwarded to LogScale via syslog connector

Required Tables

EmailMessageIngested O365EmailEvent

False Positives

Third-party benefit or payroll providers (ADP, Gusto) sending automated notifications from shared free-domain infrastructure to HR or payroll recipient addresses
Open source software maintainers contacting IT or security teams about vulnerability disclosures using personal ProtonMail accounts for privacy
Executive assistants or chiefs of staff using personal Gmail accounts when traveling or in situations where corporate email is unavailable, contacting finance or admin internally

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Email Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections