T1585.002 IBM QRadar · QRadar

Detect Email Accounts in IBM QRadar

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SenderIP,
  username AS SenderAddress,
  "destinationaddress" AS RecipientAddress,
  "URL" AS Subject,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  CASE
    WHEN LOWER(username) MATCHES '.*@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)'
      THEN 1 ELSE 0
  END AS IsDisposable,
  CASE
    WHEN LOWER(username) MATCHES '.*@(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)'
      THEN 1 ELSE 0
  END AS IsFree,
  CASE
    WHEN LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@.*'
      THEN 1 ELSE 0
  END AS IsRoleImpersonation,
  CASE
    WHEN LOWER("destinationaddress") MATCHES '.*(ceo|cfo|cto|coo|president|vp|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin).*'
      THEN 1 ELSE 0
  END AS IsHighValueTarget
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Exchange', 'Postfix Mail Server', 'Proofpoint Protection Server', 'Mimecast', 'Symantec Messaging Gateway')
  AND CATEGORYNAME(category) LIKE '%Mail%'
  AND devicetime > NOW() - 86400000
  AND (
    (
      CASE WHEN LOWER(username) MATCHES '.*@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de)' THEN 1 ELSE 0 END
      + CASE WHEN LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@.*' THEN 3 ELSE 0 END
      + CASE WHEN LOWER("destinationaddress") MATCHES '.*(ceo|cfo|cto|coo|president|vp|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin).*' THEN 2 ELSE 0 END
    ) >= 3
    OR LOWER(username) MATCHES '^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|gmail\.com|yahoo\.com|outlook\.com|hotmail\.com)'
  )
ORDER BY devicetime DESC
high severity medium confidence

QRadar AQL query detecting inbound email from disposable, anonymous, or free webmail providers with role-impersonating sender addresses or high-value recipient targeting. Uses composite risk scoring mirroring the KQL/SPL logic. Pulls from email gateway log sources normalized into QRadar events table.

Data Sources

Microsoft Exchange log source in QRadarProofpoint Protection Server DSMMimecast DSMPostfix Mail Server DSMSymantec Messaging Gateway DSM

Required Tables

events

False Positives & Tuning

  • Security awareness training platforms (KnowBe4, Proofpoint TAP) that simulate phishing using free email domains in controlled phishing simulations
  • Automated notification services from SaaS vendors that use shared free-tier email infrastructure for transactional alerts to finance or IT teams
  • Recruiters and staffing agencies contacting HR using personal Gmail accounts, triggering high-value-target hits on humanresources@ addresses
Download portable Sigma rule (.yml)

Other platforms for T1585.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Inbound Email from Disposable Provider via SMTP Relay Test

    Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).

  2. Test 2Test Email Authentication Failure Detection with Python SMTP

    Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.

  3. Test 3Validate Display Name Impersonation Detection via Email Header Injection Test

    Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.

  4. Test 4Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold

    Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1585Establish Accounts

Related Sub-techniques

T1585.001Social Media AccountsT1585.003Cloud Accounts

Related Techniques

T1585.001Social Media AccountsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1566.003Spearphishing via ServiceT1598.003Spearphishing LinkT1583.001DomainsT1534Internal SpearphishingT1114.002Remote Email CollectionT1036MasqueradingT1078.004Cloud Accounts

Same Tactic: Resource Development

Popular Detections