Detect Establish Accounts in Google Chronicle
This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1585 Establish Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1585/
YARA-L Detection Query
```yaral
rule t1585_establish_accounts_email_campaign {

  meta:
    author = "Detection Engineering"
    description = "Detects inbound multi-recipient email campaigns from privacy-focused or free email providers as T1585 Establish Accounts precursor activity"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1585, T1585.001, T1585.002, T1585.003"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1585/"

  events:
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    $email.network.direction = "INBOUND"
    // Sender domain is either a privacy-focused/disposable provider or a free consumer provider
    (
      re.regex($email.network.email.from,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|10minutemail\.com|throwam\.com|yopmail\.com)$`)
      or
      re.regex($email.network.email.from,
        `@(gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com)$`)
    )
    $sender = $email.network.email.from
    $recipient = $email.network.email.to

  match:
    $sender over 24h

  outcome:
    $email_count = count_distinct($email.metadata.id)
    $targeted_users = count_distinct($recipient)
    // Best-effort attachment heuristic on raw headers; requires network.email.full_headers to be populated
    $has_attachment = max(
      if($email.network.email.subject != "" and
         strings.count_substrings($email.network.email.full_headers, "Content-Disposition: attachment") > 0, 1, 0)
    )
    // Same privacy/disposable provider list as the events filter, so every matched privacy sender gets the bonus
    $is_privacy_provider = max(
      if(re.regex($sender,
        `@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|10minutemail\.com|throwam\.com|yopmail\.com)$`), 1, 0)
    )
    // Weighted score: recipient breadth tiers, provider type, attachment presence, volume burst
    $risk_score = (
      if($targeted_users >= 10, 40, if($targeted_users >= 5, 25, if($targeted_users >= 2, 10, 0)))
      + if($is_privacy_provider == 1, 25, if($targeted_users >= 3, 15, 0))
      + if($has_attachment == 1, 10, 0)
      + if($email_count >= 5, 15, 0)
    )

  condition:
    #email >= 3 and
    $targeted_users >= 2 and
    $risk_score >= 25
}
```

This Chronicle YARA-L 2.0 rule detects inbound multi-recipient email campaigns from privacy-focused or free consumer email providers over a 24-hour match window, consistent with T1585 Establish Accounts resource development activity. It groups events by sender address ($sender over 24h) and uses count_distinct to measure how many unique recipients each sender reached. The outcome block computes a weighted risk score mirroring the KQL/SPL logic: a privacy-provider bonus (25 pts), recipient-breadth tiers (10-40 pts), attachment presence (10 pts) and a volume burst (15 pts), with a threshold of 25 to fire. The rule requires Chronicle UDM email ingestion via a supported email security parser (Google Workspace, Microsoft 365, Proofpoint, Mimecast). The attachment heuristic based on full_headers is a best-effort approximation; tune it to your parser's actual header normalisation. If network.email.full_headers is not populated, remove the $has_attachment outcome and its risk contribution.
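To tune the thresholds before deploying the rule, it helps to replay its grouping and scoring logic offline. The following Python is an added example, not code from the page or from Chronicle: it re-implements the events filter, the per-sender 24h grouping, the outcome scoring and the condition block over constructed UDM-like events (the event dictionary shape, sender and recipient addresses are assumptions), and shows why the outage false positive from the tuning notes stays below the 25-point threshold while a persona mailing three staff fires.

```python
import re
from datetime import datetime, timedelta

# Provider patterns copied from the YARA-L rule's events filter.
PRIVACY_RE = re.compile(r"@(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org"
                        r"|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com"
                        r"|10minutemail\.com|throwam\.com|yopmail\.com)$")
FREE_RE = re.compile(r"@(gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com)$")

def score_window(events):
    # Mirrors the rule's outcome block for one sender's events inside one 24h match window.
    email_count = len({e["id"] for e in events})
    targeted_users = len({e["to"] for e in events})
    has_attachment = any(e["subject"] and "Content-Disposition: attachment" in e["headers"] for e in events)
    is_privacy = PRIVACY_RE.search(events[0]["from"]) is not None
    risk = 40 if targeted_users >= 10 else 25 if targeted_users >= 5 else 10 if targeted_users >= 2 else 0
    risk += 25 if is_privacy else (15 if targeted_users >= 3 else 0)
    risk += 10 if has_attachment else 0
    risk += 15 if email_count >= 5 else 0
    return {"email_count": email_count, "targeted_users": targeted_users,
            "is_privacy_provider": is_privacy, "has_attachment": has_attachment, "risk_score": risk}

def evaluate(events, window=timedelta(hours=24)):
    # Events filter, then per-sender 24h windows (simplified: a window opens at the first uncovered event),
    # then the condition block. Returns {sender: outcome} for senders that would fire.
    inbound = [e for e in events if e["direction"] == "INBOUND"
               and (PRIVACY_RE.search(e["from"]) or FREE_RE.search(e["from"]))]
    windows = {}
    for e in sorted(inbound, key=lambda e: e["ts"]):
        sender_windows = windows.setdefault(e["from"], [])
        if sender_windows and e["ts"] - sender_windows[-1][0]["ts"] <= window:
            sender_windows[-1].append(e)
        else:
            sender_windows.append([e])
    hits = {}
    for sender, groups in windows.items():
        for evs in groups:
            out = score_window(evs)
            if len(evs) >= 3 and out["targeted_users"] >= 2 and out["risk_score"] >= 25:  # condition block
                hits[sender] = out
    return hits

# Constructed sample events (not real telemetry); the Gmail sender reproduces the outage false positive.
T0 = datetime(2024, 1, 15, 9, 0)
def ev(i, sender, to, minutes, direction="INBOUND", subject="Quick question", headers=""):
    return {"id": f"msg-{i}", "from": sender, "to": to, "ts": T0 + timedelta(minutes=minutes),
            "direction": direction, "subject": subject, "headers": headers}
SAMPLE_EVENTS = [ev(i, s, t, m) for i, (s, t, m) in enumerate([
    ("recruiter.jane@proton.me", "alice@corp.example", 0), ("recruiter.jane@proton.me", "bob@corp.example", 5),
    ("recruiter.jane@proton.me", "carol@corp.example", 12), ("dave.personal@gmail.com", "alice@corp.example", 30),
    ("dave.personal@gmail.com", "bob@corp.example", 31), ("dave.personal@gmail.com", "alice@corp.example", 40),
    ("news@vendor.example", "alice@corp.example", 50)], start=1)]
```

Running `evaluate(SAMPLE_EVENTS)` returns only the proton.me sender with a risk score of 35; the Gmail sender scores 10 and the vendor domain never passes the events filter.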
Data Sources
Required Tables
False Positives & Tuning
- Internal employee communications relayed through personal Gmail accounts when corporate email is unavailable — e.g. during an outage where employees BCC multiple colleagues from personal accounts
- Third-party marketing automation platforms that send on behalf of a client using a Gmail relay address, contacting multiple recipients in your organisation as part of a legitimate campaign you opted into
- Anonymous tip or whistleblower submissions from ProtonMail or Tutanota accounts sent to multiple contact addresses within the organisation; consider adding an HR/legal mailbox exclusion to the recipient filter
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Persona-Based Inbound Email Campaign from Privacy Provider
Expected signal: EmailEvents table in Microsoft Defender for Office 365 should show matching records; Message Trace output confirms telemetry is flowing for privacy-provider senders
- Test 2: Test Network Detection for Social Media Account Registration Activity
Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths
- Test 3: Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)
Expected signal: AuditLogs in Azure AD / Microsoft Sentinel: Operation=Add application or Invite external user, Category=ApplicationManagement or UserManagement. CloudAppEvents table should show account creation activity.
References
- https://attack.mitre.org/techniques/T1585/
- https://attack.mitre.org/techniques/T1585/001/
- https://attack.mitre.org/techniques/T1585/002/
- https://attack.mitre.org/techniques/T1585/003/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/14/e/newscaster-an-iranian-threat-within-social-networks.html
- https://www.youtube.com/watch?v=G0rKrTCZ_Ek