Detect Email Accounts in Microsoft Sentinel
Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1585 Establish Accounts
- Sub-technique: T1585.002 Email Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1585/002/
KQL Detection Query

```kql
// Inbound mail from disposable, anonymous or free email providers that shows
// role impersonation, high-value targeting or email authentication failures.
let DisposableAndAnonEmailDomains = dynamic([
    "protonmail.com", "protonmail.ch", "pm.me",
    "tutanota.com", "tutanota.de", "tutanota.org", "tuta.io", "tuta.com",
    "guerrillamail.com", "guerrillamail.net", "guerrillamail.org",
    "guerrillamail.biz", "guerrillamail.de", "guerrillamail.info",
    "grr.la", "sharklasers.com", "guerrillamailblock.com",
    "spam4.me", "trashmail.com", "trashmail.io", "trashmail.net",
    "mailnull.com", "spamgourmet.com", "yopmail.com",
    "10minutemail.com", "tempmail.com", "throwam.com",
    "mailnesia.com", "maildrop.cc", "dispostable.com",
    "discard.email", "fakeinbox.com", "mailinator.com",
    "getairmail.com", "getnada.com", "tempr.email",
    "cock.li", "airmail.cc", "danwin1210.de"
]);
let FreeEmailProviders = dynamic([
    "gmail.com", "yahoo.com", "yahoo.co.uk", "yahoo.fr",
    "outlook.com", "hotmail.com", "hotmail.co.uk", "live.com",
    "aol.com", "icloud.com", "me.com", "msn.com"
]);
// Role-impersonation pattern anchored at the start of the lower-cased sender
// local part or display name, so "it-support", "helpdesk01" and "CEO John Smith"
// match while "edit" or "smith" do not. Separators: "-", "_", "." and space.
let RoleImpersonationPattern = @"^(it[-_. ]|help[-_ ]?desk|support|no[-_ ]?reply|security([-_ ]?team)?|admin(istrator)?|sys[-_ ]?admin|billing|payroll|finance|accounting|treasury|legal|hr([-_. ]|$)|human[-_ ]?resources|ceo|cfo|cto|coo|president|director|management|executive)";
let HighValueRecipientKeywords = dynamic([
    "ceo", "cfo", "cto", "coo", "president", "vp", "vice-president",
    "director", "finance", "payroll", "accounting", "treasury",
    "legal", "security", "helpdesk", "it", "sysadmin", "admin"
]);
EmailEvents
| where Timestamp > ago(24h)
| where EmailDirection == "Inbound"
| extend SenderDomain = tolower(SenderFromDomain),
         SenderAddr = tolower(SenderFromAddress),
         RecipientAddr = tolower(RecipientEmailAddress),
         DisplayName = tolower(SenderDisplayName)
| extend SenderLocalPart = tostring(split(SenderAddr, "@")[0]),
         RecipientLocalPart = tostring(split(RecipientAddr, "@")[0])
// Exact domain comparison: the lists hold whole domains, not substrings.
| extend IsDisposableDomain = SenderDomain in (DisposableAndAnonEmailDomains)
| extend IsFreeDomain = SenderDomain in (FreeEmailProviders)
| extend IsRoleImpersonation = (IsDisposableDomain or IsFreeDomain)
    and (SenderLocalPart matches regex RoleImpersonationPattern
         or DisplayName matches regex RoleImpersonationPattern)
// Match recipient roles on the local part only, so a recipient domain such as
// "corp.it" cannot satisfy the two-letter "it" keyword.
| extend IsHighValueTarget = RecipientLocalPart has_any (HighValueRecipientKeywords)
// AuthenticationDetails is a JSON string such as
// {"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}.
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tolower(tostring(Auth.SPF)),
         DKIM = tolower(tostring(Auth.DKIM)),
         DMARC = tolower(tostring(Auth.DMARC)),
         CompAuth = tolower(tostring(Auth.CompAuth))
// AuthFailed: authentication details are present and no check passed.
// AuthPartialFail: at least one hard or soft failure, even if another check passed.
| extend AuthFailed = isnotempty(AuthenticationDetails)
    and SPF != "pass" and DKIM != "pass" and DMARC != "pass" and CompAuth != "pass"
| extend AuthPartialFail = SPF in ("fail", "softfail")
    or DKIM == "fail" or DMARC == "fail" or CompAuth == "fail"
| extend RiskScore = toint(IsDisposableDomain) * 2
    + toint(IsRoleImpersonation) * 3
    + toint(IsHighValueTarget) * 2
    + toint(AuthFailed) * 2
    + toint(AuthPartialFail)
| where RiskScore >= 3
    or IsRoleImpersonation
    or (IsDisposableDomain and IsHighValueTarget)
| project
    Timestamp, SenderFromAddress, SenderDisplayName, SenderDomain, SenderLocalPart,
    RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryLocation,
    ThreatTypes, DetectionMethods, AuthenticationDetails, SPF, DKIM, DMARC, CompAuth,
    IsDisposableDomain, IsFreeDomain, IsRoleImpersonation,
    IsHighValueTarget, AuthFailed, AuthPartialFail, RiskScore,
    SenderIPv4, SenderIPv6, NetworkMessageId, InternetMessageId
| sort by RiskScore desc, Timestamp desc
```

Detects inbound email activity consistent with adversary-created email accounts being used for phishing or targeting operations. Uses the Microsoft Defender for Office 365 EmailEvents table (streamed into Microsoft Sentinel by the Microsoft Defender XDR connector, formerly Microsoft 365 Defender) to identify: mail from known disposable and anonymous email providers; role-based impersonation (IT support, security team, admin, executive titles) in the sender local part or display name when the sender uses a free or disposable provider; mail addressed to high-value roles; and SPF, DKIM, DMARC and composite-authentication failures parsed from AuthenticationDetails. A composite risk score prioritizes rows with multiple indicators, and role impersonation or a disposable sender hitting a high-value recipient fires regardless of score. Domain matching is exact and uses the header From (SenderFromDomain); add SenderMailFromDomain if the envelope sender should also be checked. Covers Kimsuky, Star Blizzard, Magic Hound, and EXOTIC LILY TTPs.
Data Sources
Required Tables
- EmailEvents (Microsoft Defender for Office 365, streamed into Microsoft Sentinel by the Microsoft Defender XDR connector)
False Positives & Tuning
- Legitimate vendors or contractors who communicate via ProtonMail or other privacy-focused email providers for confidentiality reasons
- Automated service notifications from platforms that use role-based sender names at free email providers (e.g., [email protected] for small SaaS services)
- Job applicants submitting resumes to HR addresses using disposable email services to protect their personal address
- Security researchers or third-party pen testers using anonymous email providers during authorized assessments — verify against active engagement records
- International partners or small businesses that rely on free email providers due to lack of corporate email infrastructure
Testing Methodology
Validate this detection with the four simulation tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Run them only against a tenant and recipients you are authorized to test, and log the engagement so the resulting rows can be matched to it during triage.
- Test 1: Simulate Inbound Email from Disposable Provider via SMTP Relay Test
Expected signal: EmailEvents in Microsoft Defender XDR Advanced Hunting (and in Sentinel once the connector is streaming the table): [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. Set both the envelope MAIL FROM and the header From to the mailinator.com address: SenderFromDomain reflects the header From, while the envelope sender is recorded in SenderMailFromDomain. Email gateway logs: inbound SMTP connection from the test machine IP, envelope-from mailinator.com, SPF fail (the mailinator.com SPF record does not include the test machine IP). In the query, IsDisposableDomain=true plus the SPF failure yields RiskScore >= 3, so the row appears even without role or recipient indicators.
- Test 2: Test Email Authentication Failure Detection with Python SMTP
Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF fails because the originating IP is not in ProtonMail's SPF record; AuthenticationDetails carries the SPF verdict alongside DKIM and DMARC. Email gateway logs: SMTP session, envelope data, and authentication results. protonmail.com is on the disposable and anonymous provider list, so the row is scored as in Test 1.
- Test 3: Validate Display Name Impersonation Detection via Email Header Injection Test
Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound, IsFreeDomain=true. SPF fails because the sending host is not authorized for gmail.com. On the test machine, Security Event ID 4688 or Sysmon Event ID 1 for powershell.exe, with Send-MailMessage visible in the command line when command-line auditing is enabled.
- Test 4: Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold
Expected signal: EmailEvents: three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fails on all three (the mailinator.com SPF record does not cover the test server IP). The detection query scores each message independently, so expect three rows rather than one aggregated alert; a per-sender recipient count requires a summarize over the sender address.
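The tuning points listed under False Positives & Tuning and the multi-recipient case in Test 4 can be handled by a second query layered on the same table. The block below is an added example and is not part of the original detection rule or of Microsoft's documentation. It assumes a Sentinel watchlist named ApprovedExternalSenders with a SenderAddress column (a hypothetical name), and its WatchedDomains list is a short subset of the two provider lists in the main query.

```kql
// Added example (not the page's original rule): exclusion and fan-out layer.
// (1) suppresses vetted external senders held in a Sentinel watchlist,
// (2) matches high-value roles on the recipient local part without the
//     ambiguous two-letter tokens "it" and "hr",
// (3) groups survivors by sender to surface one external mailbox reaching
//     several distinct recipients inside one time window.
let Lookback = 24h;
let FanOutWindow = 1h;
let MinDistinctRecipients = 3;
// Short subset of the provider lists used by the main detection.
let WatchedDomains = dynamic([
    "protonmail.com", "pm.me", "tutanota.com", "mailinator.com",
    "guerrillamail.com", "yopmail.com", "gmail.com", "outlook.com",
    "hotmail.com", "yahoo.com"
]);
// Recipient role keywords with "it" and "hr" removed: both over-match short
// local parts and are better handled as explicit mailbox names in a watchlist.
let HighValueLocalParts = dynamic([
    "ceo", "cfo", "cto", "coo", "president", "vp", "vice-president",
    "director", "finance", "payroll", "accounting", "treasury",
    "legal", "security", "helpdesk", "sysadmin", "admin"
]);
// Hypothetical watchlist of approved partners, contractors and applicants.
// Values are lower-cased so the anti-join below is case-insensitive.
let ApprovedSenders = _GetWatchlist('ApprovedExternalSenders')
    | project SenderAddr = tolower(tostring(SenderAddress));
let Candidates = EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
    | extend SenderAddr = tolower(SenderFromAddress),
             SenderDomain = tolower(SenderFromDomain),
             RecipientAddr = tolower(RecipientEmailAddress)
    | where SenderDomain in (WatchedDomains)
    // Tuning step 1: drop senders an analyst has already vetted.
    | join kind=leftanti ApprovedSenders on SenderAddr
    // Tuning step 2: role match on the local part only, so a recipient
    // domain such as "corp.it" cannot trigger the keyword list.
    | extend RecipientLocalPart = tostring(split(RecipientAddr, "@")[0])
    | extend IsHighValueTarget = RecipientLocalPart has_any (HighValueLocalParts)
    | extend Auth = parse_json(AuthenticationDetails)
    | extend SpfFailed = tolower(tostring(Auth.SPF)) in ("fail", "softfail");
// Step 3: sender-level fan-out. A single free or disposable mailbox that hits
// several distinct recipients in one window stands out even when no single
// message would have scored on its own.
Candidates
| summarize
    Messages = count(),
    DistinctRecipients = dcount(RecipientAddr),
    Recipients = make_set(RecipientAddr, 20),
    HighValueHits = countif(IsHighValueTarget),
    SpfFailures = countif(SpfFailed),
    Subjects = make_set(Subject, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SenderAddr, SenderDomain, Window = bin(Timestamp, FanOutWindow)
| where DistinctRecipients >= MinDistinctRecipients
     or (HighValueHits > 0 and SpfFailures > 0)
| sort by DistinctRecipients desc, LastSeen desc
```

The leftanti join keeps only rows whose sender is absent from the watchlist, which is the cheapest way to express an allowlist in KQL and lets analysts add exclusions without editing the rule. Binning on FanOutWindow means a slow campaign that spreads three recipients across two hours will not trip the recipient threshold; widen the window or lower MinDistinctRecipients for a more sensitive run, and expect more noise from newsletters sent through free providers when you do.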
References
- https://attack.mitre.org/techniques/T1585/002/
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/
- https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about
- https://splunkbase.splunk.com/app/4055
- https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgium-ongoing-phishing-operations/
- https://www.proofpoint.com/us/blog/threat-insight/ta427-ta453-iran-north-korea-spearphishing