T1585 Elastic Security · Elastic

Detect Establish Accounts in Elastic Security

This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/

Elastic Detection Query

Elastic Security (Elastic)
eql
any where event.category == "email" and
  email.direction == "inbound" and
  (
    email.from.address like "*@protonmail.com" or email.from.address like "*@proton.me" or
    email.from.address like "*@tutanota.com" or email.from.address like "*@tutamail.com" or
    email.from.address like "*@cock.li" or email.from.address like "*@disroot.org" or
    email.from.address like "*@riseup.net" or email.from.address like "*@mailfence.com" or
    email.from.address like "*@guerrillamail.com" or email.from.address like "*@temp-mail.org" or
    email.from.address like "*@mailinator.com" or email.from.address like "*@10minutemail.com" or
    email.from.address like "*@throwam.com" or email.from.address like "*@yopmail.com" or
    email.from.address like "*@gmail.com" or email.from.address like "*@yahoo.com" or
    email.from.address like "*@hotmail.com" or email.from.address like "*@outlook.com" or
    email.from.address like "*@live.com" or email.from.address like "*@icloud.com" or
    email.from.address like "*@aol.com"
  )

/* Deploy as an Elastic threshold rule:
   Group by: email.from.address
   Threshold: count >= 3 AND count_distinct(email.to.address) >= 2
   Time window: 24h
   For full risk-scored aggregation use ES|QL:
   FROM logs-email*
   | WHERE event.category == "email" AND email.direction == "inbound"
   | EVAL sender_domain = TO_LOWER(MV_LAST(SPLIT(email.from.address, "@")))
   | EVAL is_privacy = CASE(sender_domain IN ("protonmail.com","proton.me","tutanota.com","tutamail.com","cock.li","disroot.org","riseup.net","mailfence.com","guerrillamail.com","temp-mail.org","mailinator.com","yopmail.com"), 1, 0)
   | EVAL is_free = CASE(sender_domain IN ("gmail.com","yahoo.com","hotmail.com","outlook.com","live.com","icloud.com","aol.com"), 1, 0)
   | WHERE is_privacy == 1 OR is_free == 1
   | STATS email_count = COUNT(*), targeted_users = COUNT_DISTINCT(email.to.address), attachment_emails = COUNT_DISTINCT(CASE(MV_COUNT(email.attachments.name) > 0, email.metadata.message_id, null)), first_contact = MIN(@timestamp), last_contact = MAX(@timestamp), is_privacy_provider = MAX(is_privacy) BY email.from.address, sender_domain
   | EVAL campaign_duration_hours = DATE_DIFF("hours", first_contact, last_contact)
   | EVAL risk_score = CASE(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, 0) + CASE(is_privacy_provider == 1, 25, targeted_users >= 3, 15, 0) + CASE(attachment_emails >= 3, 20, attachment_emails >= 1, 10, 0) + CASE(email_count >= 5 AND campaign_duration_hours <= 2, 15, 0)
   | WHERE risk_score >= 25
   | SORT risk_score DESC
*/
Severity
medium
Confidence
medium

Detects inbound multi-recipient email campaigns from privacy-focused (ProtonMail, Tutanota, etc.) or free consumer email providers (Gmail, Yahoo, etc.) as indicators of T1585 Establish Accounts precursor activity. The EQL query is designed as a threshold rule base filter — configure with group-by email.from.address, threshold count >= 3, and count_distinct(email.to.address) >= 2 over 24h to enforce the multi-recipient signal. Full risk scoring with the same weighted algorithm as the KQL/SPL queries is provided as an ES|QL comment block for deployments using Elastic 8.11+ with ES|QL support. Requires email logs ingested via Elastic Filebeat (O365 module, Proofpoint module) or a compatible email security integration that populates ECS email.* fields.
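The threshold-rule filter and the ES|QL risk score above, replayed in plain Python over a few constructed ECS-style email events so the arithmetic can be checked offline. This is an added example, not Elastic's code: the sender addresses, recipients and timestamps are invented, events are flat dicts with dotted ECS keys, and it uses `email.message_id` and a plain list under `email.attachments` in place of the `email.metadata.message_id` and `email.attachments.name` keys the rule references. It also shows why the two mechanisms complement each other: a single privacy-provider email with an attachment clears the risk-score cutoff without ever tripping the count-based threshold rule, while a three-email Gmail vendor contact trips the threshold rule but scores only 10.

```python
"""Reference implementation of the T1585 inbound-campaign scoring (added example)."""
from collections import defaultdict
from datetime import datetime

# Provider lists as they appear in the rule above.
PRIVACY_PROVIDERS = {
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com", "cock.li",
    "disroot.org", "riseup.net", "mailfence.com", "guerrillamail.com",
    "temp-mail.org", "mailinator.com", "yopmail.com",
}
FREE_PROVIDERS = {
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "live.com",
    "icloud.com", "aol.com",
}


def sender_domain(address: str) -> str:
    """Mirror TO_LOWER(MV_LAST(SPLIT(addr, "@"))): the part after the last '@'."""
    return address.rsplit("@", 1)[-1].lower()


def is_watched_sender(address: str) -> bool:
    """Equivalent of the provider allow-list in the EQL base filter."""
    domain = sender_domain(address)
    return domain in PRIVACY_PROVIDERS or domain in FREE_PROVIDERS


def risk_score(email_count, targeted_users, attachment_emails, duration_hours, is_privacy):
    """Same weights as the ES|QL risk_score EVAL: each CASE is a first-match chain."""
    score = 0
    if targeted_users >= 10:
        score += 40
    elif targeted_users >= 5:
        score += 25
    elif targeted_users >= 2:
        score += 10
    if is_privacy:
        score += 25
    elif targeted_users >= 3:
        score += 15
    if attachment_emails >= 3:
        score += 20
    elif attachment_emails >= 1:
        score += 10
    if email_count >= 5 and duration_hours <= 2:
        score += 15
    return score


def threshold_rule_matches(emails) -> bool:
    """Threshold rule: >= 3 inbound emails and >= 2 distinct recipients from one sender."""
    return len(emails) >= 3 and len({e["email.to.address"] for e in emails}) >= 2


def aggregate(events, min_score=25):
    """Group inbound events by sender, compute the ES|QL-style stats, keep score >= min_score."""
    groups = defaultdict(list)
    for e in events:
        if e.get("event.category") != "email" or e.get("email.direction") != "inbound":
            continue
        if not is_watched_sender(e["email.from.address"]):
            continue
        groups[e["email.from.address"]].append(e)
    rows = []
    for sender, emails in groups.items():
        times = [datetime.fromisoformat(e["@timestamp"]) for e in emails]
        # DATE_DIFF("hours", ...) yields whole hours, so truncate the same way.
        duration_hours = int((max(times) - min(times)).total_seconds() // 3600)
        targeted = len({e["email.to.address"] for e in emails})
        with_attachments = len({e["email.message_id"] for e in emails if e.get("email.attachments")})
        is_privacy = sender_domain(sender) in PRIVACY_PROVIDERS
        rows.append({
            "sender": sender,
            "email_count": len(emails),
            "targeted_users": targeted,
            "attachment_emails": with_attachments,
            "campaign_duration_hours": duration_hours,
            "is_privacy_provider": is_privacy,
            "threshold_rule": threshold_rule_matches(emails),
            "risk_score": risk_score(len(emails), targeted, with_attachments, duration_hours, is_privacy),
        })
    rows = [r for r in rows if r["risk_score"] >= min_score]
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    return rows


def _ev(ts, sender, to, mid, attachments=(), direction="inbound"):
    """Build one constructed ECS-style event (flat dict, dotted keys)."""
    return {"@timestamp": ts, "event.category": "email", "email.direction": direction,
            "email.from.address": sender, "email.to.address": to,
            "email.message_id": mid, "email.attachments": list(attachments)}


# Constructed sample telemetry: all addresses and times are invented for this example.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00+00:00", "jane.persona@proton.me", "alice@corp.example", "m1", ["resume.pdf"]),
    _ev("2024-05-01T09:05:00+00:00", "jane.persona@proton.me", "bob@corp.example", "m2", ["resume.pdf"]),
    _ev("2024-05-01T09:20:00+00:00", "jane.persona@proton.me", "carol@corp.example", "m3"),
    _ev("2024-05-01T09:35:00+00:00", "jane.persona@proton.me", "dave@corp.example", "m4"),
    _ev("2024-05-01T09:50:00+00:00", "jane.persona@proton.me", "alice@corp.example", "m5"),
    _ev("2024-05-01T08:00:00+00:00", "vendor.bob@gmail.com", "alice@corp.example", "m6"),
    _ev("2024-05-01T12:00:00+00:00", "vendor.bob@gmail.com", "bob@corp.example", "m7"),
    _ev("2024-05-01T18:00:00+00:00", "vendor.bob@gmail.com", "alice@corp.example", "m8"),
    _ev("2024-05-01T10:00:00+00:00", "recruit@mailinator.com", "hr@corp.example", "m9", ["cv.docx"]),
    _ev("2024-05-01T11:00:00+00:00", "partner@supplier.example", "alice@corp.example", "m10"),
    _ev("2024-05-01T11:30:00+00:00", "alice@corp.example", "someone@proton.me", "m11", direction="outbound"),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS, min_score=0):
        print(row)
```

Running the file prints one row per watched sender; with the default `min_score=25` only the proton.me campaign (score 60) and the single mailinator.com message with an attachment (score 35) survive, which is the same cut the `WHERE risk_score >= 25` stage makes in the ES|QL version.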

Data Sources

  • Microsoft Defender for Office 365 via Elastic O365 module
  • Proofpoint Email Protection via Filebeat Proofpoint module
  • Mimecast via Elastic integration
  • Google Workspace Gmail via Elastic Google Workspace module

Required Tables

  • logs-email*
  • logs-o365*
  • logs-google_workspace*

False Positives & Tuning

  • Legitimate SMB vendors or contractors who use personal Gmail or Outlook accounts as their primary business email contacting multiple employees about a project or proposal
  • Job applicants submitting CVs from personal email accounts to HR, where internal forwarding to multiple reviewers inflates the recipient count per external sender
  • Security awareness phishing simulation platforms that route test campaigns through privacy provider relay addresses — coordinate with the red team to whitelist campaign sender infrastructure before tuning thresholds

Testing Methodology

Validate this detection against the 3 adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Persona-Based Inbound Email Campaign from Privacy Provider

    Expected signal: EmailEvents table in Microsoft Defender for Office 365 should show matching records; Message Trace output confirms telemetry is flowing for privacy-provider senders

  2. Test 2: Test Network Detection for Social Media Account Registration Activity

    Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths

  3. Test 3: Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)

    Expected signal: AuditLogs in Azure AD / Microsoft Sentinel: Operation=Add application or Invite external user, Category=ApplicationManagement or UserManagement. CloudAppEvents table should show account creation activity.

