T1585.002 Elastic Security · Elastic

Detect Email Accounts in Elastic Security

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip
  [network where event.dataset == "email" and email.direction == "inbound"
    and (
      email.from.address : ("*@protonmail.com", "*@protonmail.ch", "*@pm.me", "*@tutanota.com", "*@tutanota.de", "*@tutanota.org", "*@tuta.io", "*@tuta.com", "*@guerrillamail.com", "*@guerrillamail.net", "*@guerrillamail.org", "*@guerrillamail.biz", "*@guerrillamail.de", "*@guerrillamail.info", "*@grr.la", "*@sharklasers.com", "*@guerrillamailblock.com", "*@spam4.me", "*@trashmail.com", "*@trashmail.io", "*@trashmail.net", "*@mailnull.com", "*@spamgourmet.com", "*@yopmail.com", "*@10minutemail.com", "*@tempmail.com", "*@throwam.com", "*@mailnesia.com", "*@maildrop.cc", "*@dispostable.com", "*@discard.email", "*@fakeinbox.com", "*@mailinator.com", "*@getairmail.com", "*@getnada.com", "*@tempr.email", "*@cock.li", "*@airmail.cc", "*@danwin1210.de", "*@gmail.com", "*@yahoo.com", "*@yahoo.co.uk", "*@yahoo.fr", "*@outlook.com", "*@hotmail.com", "*@hotmail.co.uk", "*@live.com", "*@aol.com", "*@icloud.com", "*@me.com", "*@msn.com")
      or email.from.address : ("it-*", "it_*", "it.*", "helpdesk*", "help-desk*", "support*", "noreply*", "no-reply*", "no_reply*", "security*", "admin*", "administrator*", "sysadmin*", "billing*", "payroll*", "finance*", "accounting*", "treasury*", "legal*", "hr*", "humanresources*", "ceo*", "cfo*", "cto*", "coo*", "president*", "director*", "management*", "executive*")
    )
  ] with runs=1
high severity medium confidence

Detects inbound email from disposable/anonymous/free email providers with role-impersonating sender prefixes or targeting of high-value recipients. Maps to T1585.002 — adversaries creating email accounts for spearphishing and social engineering operations. Scores risk based on domain category, sender local-part impersonation, recipient sensitivity, and authentication failures.

Data Sources

Email gateway logs (Elastic Email integration)Microsoft 365 Defender email events via Elastic AgentPostfix/Sendmail logs with ECS normalizationProofpoint, Mimecast, or similar SEG with Elastic integration

Required Tables

logs-email.*logs-o365.audit-*logs-microsoft_365_defender.email_events-*

False Positives & Tuning

  • Legitimate vendors or contractors who use personal Gmail or Outlook accounts for business communication with finance or HR departments
  • IT support staff at partner organizations using helpdesk@ addresses on free mail providers for inter-company collaboration
  • Executive assistants reaching out on behalf of leadership using shared role-based mailboxes hosted on free providers in smaller organizations
Download portable Sigma rule (.yml)

Other platforms for T1585.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Inbound Email from Disposable Provider via SMTP Relay Test

    Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).

  2. Test 2Test Email Authentication Failure Detection with Python SMTP

    Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.

  3. Test 3Validate Display Name Impersonation Detection via Email Header Injection Test

    Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.

  4. Test 4Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold

    Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1585Establish Accounts

Related Sub-techniques

T1585.001Social Media AccountsT1585.003Cloud Accounts

Related Techniques

T1585.001Social Media AccountsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1566.003Spearphishing via ServiceT1598.003Spearphishing LinkT1583.001DomainsT1534Internal SpearphishingT1114.002Remote Email CollectionT1036MasqueradingT1078.004Cloud Accounts

Same Tactic: Resource Development

Popular Detections