T1585.002 Google Chronicle · YARA-L

Detect Email Accounts in Google Chronicle

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1585_002_adversary_email_account_inbound {
  meta:
    author = "Detection Engineering"
    description = "Detects inbound email from disposable/anonymous/free webmail providers with role-impersonating sender addresses or high-value recipient targeting (T1585.002)"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585.002"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.network.direction = "INBOUND"

    // Capture sender and recipient for variable binding
    $sender_email = $e.principal.user.email_addresses
    $recipient_email = $e.target.user.email_addresses

    // Match disposable or free email provider domains
    (
      re.regex($sender_email,
        `(?i)@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de|gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)$`)
      or
      // Role-impersonating local part from any external free/disposable domain
      re.regex($sender_email,
        `(?i)^(it[-_.]|helpdesk|help[-_]desk|support|noreply|no[-_]reply|security|securityteam|security[-_]team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|hr|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@`)
    )

    // AND targets a high-value recipient
    re.regex($recipient_email,
      `(?i)(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)`)

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule detecting adversary-created email accounts (T1585.002) sending inbound email from disposable or free webmail providers with role-impersonating sender local-parts targeting high-value recipients. Uses UDM EMAIL_TRANSACTION events with principal/target user email address fields and regex matching against known provider and impersonation patterns.

Data Sources

Google Workspace Gmail logs ingested into ChronicleMicrosoft 365 email logs via Chronicle M365 connectorProofpoint or Mimecast email gateway logs normalized to UDMChronicle email UDM events from any supported email log source

Required Tables

EMAIL_TRANSACTION UDM events

False Positives & Tuning

  • Legitimate external partners using ProtonMail for privacy-sensitive communications with legal or compliance teams
  • IT consultants using personal Gmail accounts for project communications with internal sysadmin or helpdesk teams
  • Automated email alerts from external SaaS platforms using shared free-tier email infrastructure addressed to finance or treasury contacts
Download portable Sigma rule (.yml)

Other platforms for T1585.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Inbound Email from Disposable Provider via SMTP Relay Test

    Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).

  2. Test 2Test Email Authentication Failure Detection with Python SMTP

    Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.

  3. Test 3Validate Display Name Impersonation Detection via Email Header Injection Test

    Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.

  4. Test 4Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold

    Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1585Establish Accounts

Related Sub-techniques

T1585.001Social Media AccountsT1585.003Cloud Accounts

Related Techniques

T1585.001Social Media AccountsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1566.003Spearphishing via ServiceT1598.003Spearphishing LinkT1583.001DomainsT1534Internal SpearphishingT1114.002Remote Email CollectionT1036MasqueradingT1078.004Cloud Accounts

Same Tactic: Resource Development

Popular Detections