Detect Email Accounts in Splunk
Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Sub-technique
- T1585.002 Email Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/002/
SPL Detection Query
index=o365 sourcetype="ms:o365:management" Workload=Exchange
| spath
| eval SenderAddress=lower(coalesce('SenderAddress', 'From', ""))
| eval SenderDomain=if(match(SenderAddress, "@"), replace(SenderAddress, ".*@", ""), null())
| eval RecipientAddress=lower(coalesce('RecipientAddress', 'DestAddress', 'To', ""))
| eval Subject=coalesce(Subject, "")
| eval IsDisposable=if(match(SenderDomain,
"(protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc)"),
1, 0)
| eval IsFree=if(match(SenderDomain,
"(gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com)"),
1, 0)
| eval IsRoleImpersonation=if((IsDisposable=1 OR IsFree=1) AND match(SenderAddress,
"^(it[-_.]|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|sec[-_]?team|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)@"),
1, 0)
| eval IsHighValueTarget=if(match(RecipientAddress,
"(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin)"),
1, 0)
| eval AuthFail=if(match(lower(AuthenticationDetails), "(fail|softfail)") AND NOT match(lower(AuthenticationDetails), "pass"), 1, 0)
| eval RiskScore=(IsDisposable * 2) + (IsRoleImpersonation * 3) + (IsHighValueTarget * 2) + (AuthFail * 2) + IsFree
| where RiskScore >= 3 OR IsRoleImpersonation=1 OR (IsDisposable=1 AND IsHighValueTarget=1)
| table _time, SenderAddress, SenderDomain, RecipientAddress, Subject, Operation, ClientIP,
IsDisposable, IsFree, IsRoleImpersonation, IsHighValueTarget, AuthFail, RiskScore
| sort - RiskScore - _timeDetects inbound email activity from adversary-created accounts using the Splunk Add-on for Microsoft Office 365 (sourcetype ms:o365:management). Evaluates sender domain against disposable and free email provider lists, identifies role-based impersonation patterns (IT support, security, admin, executive) from non-corporate senders, and flags targeting of high-value internal recipients. A composite risk score surfaces the most suspicious combinations. Organizations using Proofpoint should adapt the query to sourcetype=proofpoint:pps:mail; for Mimecast, use sourcetype=mimecast:email.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate vendors or contractors using ProtonMail or free email providers for privacy
- Automated service notifications using role-sounding sender names at free providers
- Job applicants using disposable email services to contact HR
- Authorized red team engagements testing email security controls
- Small business partners without corporate email infrastructure using Gmail or Yahoo
Other platforms for T1585.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Inbound Email from Disposable Provider via SMTP Relay Test
Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).
- Test 2Test Email Authentication Failure Detection with Python SMTP
Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.
- Test 3Validate Display Name Impersonation Detection via Email Header Injection Test
Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.
- Test 4Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold
Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).
References (9)
- https://attack.mitre.org/techniques/T1585/002/
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/
- https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about
- https://splunkbase.splunk.com/app/4055
- https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgium-ongoing-phishing-operations/
- https://www.proofpoint.com/us/blog/threat-insight/ta427-ta453-iran-north-korea-spearphishing
Unlock Pro Content
Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.