T1585.002 CrowdStrike LogScale · LogScale

Detect Email Accounts in CrowdStrike LogScale

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/002/

LogScale Detection Query

CrowdStrike LogScale query (CQL)
// CrowdStrike LogScale (Humio) — T1585.002 Adversary Email Account Detection
// Requires: Falcon for IT Hygiene email data or O365/Exchange connector
#event_simpleName=EmailMessageIngested OR #event_simpleName=O365EmailEvent OR event.category=email

// Normalise addresses and split the sender into local-part and domain
// (strict=false keeps events whose address does not parse, with the fields unset)
| lower(SenderAddress, as=sender_addr)
| lower(RecipientAddress, as=recipient_addr)
| regex("@(?<sender_domain>[^@]+)$", field=sender_addr, strict=false)
| regex("^(?<sender_local>[^@]+)@", field=sender_addr, strict=false)

// Classify disposable and privacy-focused provider domains
// (anchored to the whole domain so that e.g. spm.me does not match pm.me)
| case {
    sender_domain=/^(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)$/ | IsDisposable := 1;
    * | IsDisposable := 0
  }

// Classify free webmail provider domains
| case {
    sender_domain=/^(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)$/ | IsFree := 1;
    * | IsFree := 0
  }

// Classify role impersonation: a role-style local-part on a free or disposable domain
| case {
    IsDisposable=1 OR IsFree=1
    | sender_local=/^(it[-_.].*|helpdesk|help[-_]desk|support|noreply|no[-_]reply|security|securityteam|security[-_]team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|hr|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)$/
    | IsRoleImpersonation := 1;
    * | IsRoleImpersonation := 0
  }

// Classify high-value target recipients (keyword anywhere in the recipient address)
| case {
    recipient_addr=/(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)/ | IsHighValueTarget := 1;
    * | IsHighValueTarget := 0
  }

// Compute composite risk score
| RiskScore := (IsDisposable * 2) + (IsRoleImpersonation * 3) + (IsHighValueTarget * 2) + IsFree

// Filter to actionable alerts
| RiskScore >= 3 OR IsRoleImpersonation=1 OR (IsDisposable=1 AND IsHighValueTarget=1)

| table([@timestamp, sender_addr, sender_domain, sender_local, recipient_addr, Subject, IsDisposable, IsFree, IsRoleImpersonation, IsHighValueTarget, RiskScore, ClientIP])
| sort(RiskScore, order=desc)
Severity: high. Confidence: medium.

CrowdStrike LogScale (Humio) query detecting adversary-created email accounts (T1585.002) contacting the organization. Ingests email event data from Falcon O365 or Exchange connectors, extracts sender domain and local-part via regex, classifies disposable/free domains and role-impersonating prefixes, applies composite risk scoring, and surfaces high-risk inbound messages targeting sensitive recipients. Mirrors the KQL and SPL detection logic.

Data Sources

  • Falcon for IT Hygiene with Office 365 connector
  • CrowdStrike Falcon O365 email event telemetry
  • Microsoft Exchange on-premises logs via Falcon LogScale collector
  • Proofpoint or Mimecast forwarded to LogScale via syslog connector

Required Tables

  • EmailMessageIngested
  • O365EmailEvent

False Positives & Tuning

  • Third-party benefit or payroll providers (ADP, Gusto) sending automated notifications from shared free-domain infrastructure to HR or payroll recipient addresses
  • Open source software maintainers contacting IT or security teams about vulnerability disclosures using personal ProtonMail accounts for privacy
  • Executive assistants or chiefs of staff using personal Gmail accounts when traveling or in situations where corporate email is unavailable, contacting finance or admin internally
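The classification and scoring performed by the query, reproduced in Python as an added example (not part of this detection package and not LogScale code) so that the domain lists, the anchoring of the domain match, the alert threshold and a tuning allowlist for the false-positive cases listed above can be checked offline against constructed sample messages before the query is deployed. The sample addresses, the allowlist entry, and the `score_message` and `run_detection` function names are assumptions of this example; `example.com` stands in for the defended organisation.

```python
import re

# Domain and local-part patterns mirror the LogScale query above. The domain
# patterns are anchored to the whole domain so that "spm.me" does not match "pm.me".
DISPOSABLE_RE = re.compile(
    r"^(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|"
    r"guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|"
    r"guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|"
    r"spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|"
    r"mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|"
    r"mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|"
    r"airmail\.cc|danwin1210\.de)$"
)
FREE_RE = re.compile(
    r"^(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|"
    r"live\.com|aol\.com|icloud\.com|me\.com|msn\.com)$"
)
ROLE_LOCAL_RE = re.compile(
    r"^(it[-_.].*|helpdesk|help[-_]desk|support|noreply|no[-_]reply|security|"
    r"securityteam|security[-_]team|admin|administrator|sysadmin|sys[-_]admin|"
    r"billing|payroll|finance|accounting|treasury|legal|hr|humanresources|"
    r"human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)$"
)
# Unanchored, as in the query: the keyword may appear anywhere in the recipient address.
HIGH_VALUE_RE = re.compile(
    r"(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|"
    r"accounting|treasury|legal|security|helpdesk|sysadmin|admin)"
)
ADDRESS_RE = re.compile(r"^([^@]+)@([^@]+)$")

# Hypothetical tuning allowlist of (local-part, domain) pairs for known-good senders,
# e.g. a payroll provider's automated notifications (constructed value).
ALLOWLIST = {("notifications", "gmail.com")}


def score_message(sender, recipient):
    """Classify one message and compute the query's composite RiskScore."""
    sender, recipient = sender.lower(), recipient.lower()
    m = ADDRESS_RE.match(sender)
    # Like regex(..., strict=false): an unparseable sender leaves both parts empty
    local, domain = (m.group(1), m.group(2)) if m else ("", "")
    is_disposable = int(DISPOSABLE_RE.match(domain) is not None)
    is_free = int(FREE_RE.match(domain) is not None)
    is_role = int((is_disposable or is_free) and ROLE_LOCAL_RE.match(local) is not None)
    is_hvt = int(HIGH_VALUE_RE.search(recipient) is not None)
    risk = is_disposable * 2 + is_role * 3 + is_hvt * 2 + is_free
    # Same alert condition as the query; the allowlist then suppresses tuned-out senders
    alert = risk >= 3 or is_role == 1 or (is_disposable == 1 and is_hvt == 1)
    if (local, domain) in ALLOWLIST:
        alert = False
    return {
        "sender": sender, "sender_local": local, "sender_domain": domain,
        "recipient": recipient, "IsDisposable": is_disposable, "IsFree": is_free,
        "IsRoleImpersonation": is_role, "IsHighValueTarget": is_hvt,
        "RiskScore": risk, "alert": alert,
    }


def run_detection(events):
    """Return the alerting messages sorted by RiskScore descending, like the query's table."""
    results = [score_message(e["sender"], e["recipient"]) for e in events]
    return sorted((r for r in results if r["alert"]),
                  key=lambda r: r["RiskScore"], reverse=True)


# Constructed sample messages exercising each classification branch.
SAMPLE_EVENTS = [
    {"sender": "helpdesk@mailinator.com", "recipient": "jane.doe@example.com"},  # role impersonation on a disposable domain
    {"sender": "alice.smith@gmail.com", "recipient": "cfo@example.com"},         # free provider to a high-value recipient
    {"sender": "bob@spm.me", "recipient": "payroll@example.com"},                # anchoring: spm.me is not pm.me
    {"sender": "vendor@partner.example", "recipient": "ceo@example.com"},        # corporate domain, below threshold
    {"sender": "notifications@gmail.com", "recipient": "payroll@example.com"},   # would alert, suppressed by allowlist
]

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["RiskScore"], r["sender"], "->", r["recipient"])
```

Running the block reports only the first two sample messages (scores 5 and 3). The `spm.me` case shows why the domain patterns must be anchored, and the allowlisted payroll notification shows how the tuning entries above can be expressed as data rather than edits to the query. Note that the recipient keyword pattern is unanchored, as in the query, so short tokens such as `vp` or `admin` also match inside longer local-parts; tighten it if that produces noise in your address space.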

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Inbound Email from Disposable Provider via SMTP Relay Test

    Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).

  2. Test 2: Test Email Authentication Failure Detection with Python SMTP

    Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.

  3. Test 3: Validate Display Name Impersonation Detection via Email Header Injection Test

    Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.

  4. Test 4: Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold

    Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).
