T1585.002 Sumo Logic CSE · Sumo

Detect Email Accounts in Sumo Logic CSE

Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=email* OR _sourceCategory=exchange* OR _sourceCategory=o365*
| parse "From: *" as raw_sender nodrop
| parse "To: *" as raw_recipient nodrop
| parse "Subject: *" as subject nodrop
| eval sender = toLowerCase(raw_sender)
| eval recipient = toLowerCase(raw_recipient)
| eval sender_domain = replace(sender, ".*@", "")
| eval sender_local = replace(sender, "@.*", "")
| eval is_disposable = if(matches(sender_domain, "protonmail\.(com|ch)|pm\.me|tutanota\.(com|de|org)|tuta\.(io|com)|guerrillamail\.(com|net|org|biz|de|info)|grr\.la|sharklasers\.com|guerrillamailblock\.com|spam4\.me|trashmail\.(com|io|net)|mailnull\.com|spamgourmet\.com|yopmail\.com|10minutemail\.com|tempmail\.com|throwam\.com|mailnesia\.com|maildrop\.cc|dispostable\.com|discard\.email|fakeinbox\.com|mailinator\.com|getairmail\.com|getnada\.com|tempr\.email|cock\.li|airmail\.cc|danwin1210\.de"), 1, 0)
| eval is_free = if(matches(sender_domain, "gmail\.com|yahoo\.(com|co\.uk|fr)|outlook\.com|hotmail\.(com|co\.uk)|live\.com|aol\.com|icloud\.com|me\.com|msn\.com"), 1, 0)
| eval is_role_impersonation = if((is_disposable == 1 OR is_free == 1) AND matches(sender_local, "^(it[-_.].*|helpdesk|help[-_]desk|support|no[-_]?reply|security[-_]?team?|admin|administrator|sysadmin|sys[-_]admin|billing|payroll|finance|accounting|treasury|legal|humanresources|human[-_]resources|ceo|cfo|cto|coo|president|director|management|executive)$"), 1, 0)
| eval is_high_value_target = if(matches(recipient, "(ceo|cfo|cto|coo|president|vp|vice.?president|director|finance|payroll|accounting|treasury|legal|security|helpdesk|sysadmin|admin)"), 1, 0)
| eval risk_score = (is_disposable * 2) + (is_role_impersonation * 3) + (is_high_value_target * 2) + is_free
| where risk_score >= 3 OR is_role_impersonation == 1 OR (is_disposable == 1 AND is_high_value_target == 1)
| fields _messagetime, sender, sender_domain, sender_local, recipient, subject, is_disposable, is_free, is_role_impersonation, is_high_value_target, risk_score
| sort by risk_score desc, _messagetime desc
high severity medium confidence

Sumo Logic query detecting adversary-created email accounts (T1585.002) contacting the organization inbound. Parses email gateway or Exchange logs to extract sender/recipient metadata, classifies disposable and free-provider domains, identifies role-impersonating local-parts, and scores risk across four dimensions. Fires on composite score >= 3 or definitive role impersonation.

Data Sources

Email gateway logs (Proofpoint, Mimecast, Barracuda)Microsoft Exchange message tracking logsOffice 365 audit logs via Sumo Logic O365 collectorPostfix/Sendmail syslog forwarded to Sumo Logic

Required Tables

_sourceCategory=email*_sourceCategory=exchange*_sourceCategory=o365*

False Positives & Tuning

  • Cold sales outreach from vendors using personal Gmail accounts targeting sales@ or info@ that also match high-value keyword patterns like director or finance
  • Automated invoice delivery systems from small accounting firms that use shared protonmail accounts for client communication
  • Security researchers or red team operators during authorized engagements using disposable domains to contact IT security teams
Download portable Sigma rule (.yml)

Other platforms for T1585.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Inbound Email from Disposable Provider via SMTP Relay Test

    Expected signal: EmailEvents in Microsoft 365 Defender Advanced Hunting: [email protected], SenderFromDomain=mailinator.com, EmailDirection=Inbound, DeliveryAction varies by policy. ms:o365:management: Workload=Exchange with sender and recipient details. Email gateway logs: inbound SMTP connection from test machine IP, envelope-from mailinator.com, SPF fail (mailinator.com SPF record will not include test machine IP).

  2. Test 2Test Email Authentication Failure Detection with Python SMTP

    Expected signal: EmailEvents: [email protected], SenderFromDomain=protonmail.com, EmailDirection=Inbound. SPF will fail as originating IP is not in ProtonMail's SPF record. ms:o365:management: Exchange inbound email operation with full sender/recipient details. Email gateway logs: SMTP session, envelope data, and authentication results.

  3. Test 3Validate Display Name Impersonation Detection via Email Header Injection Test

    Expected signal: EmailEvents: SenderDisplayName='CEO John Smith', [email protected], SenderFromDomain=gmail.com, EmailDirection=Inbound. SPF fails as sending host is not authorized for gmail.com domain. Security Event ID 4688 or Sysmon Event ID 1 (powershell.exe launching Send-MailMessage cmdlet) on the test machine.

  4. Test 4Mass Targeting Simulation — Verify Multi-Recipient Detection Threshold

    Expected signal: EmailEvents: Three separate records with [email protected], SenderFromDomain=mailinator.com, three different RecipientEmailAddress values, all within a short window. SPF fail on all three (mailinator.com SPF does not cover test server IP).

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1585.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1585Establish Accounts

Related Sub-techniques

T1585.001Social Media AccountsT1585.003Cloud Accounts

Related Techniques

T1585.001Social Media AccountsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1566.003Spearphishing via ServiceT1598.003Spearphishing LinkT1583.001DomainsT1534Internal SpearphishingT1114.002Remote Email CollectionT1036MasqueradingT1078.004Cloud Accounts

Same Tactic: Resource Development

Popular Detections