T1585 CrowdStrike LogScale · LogScale

Detect Establish Accounts in CrowdStrike LogScale

This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// CrowdStrike LogScale — requires email security logs ingested via Falcon for Email
// or a third-party email gateway integration (Proofpoint, Mimecast, O365)
// Field names assume O365/Exchange normalized schema; adjust for your integration

#repo = "email" OR sourcetype = "email" OR #event_simpleName = "EmailDeliveryEvent"
| direction = "Inbound" OR MessageDirection = "Inbound" OR direction = "inbound"
| regex("@(?P<sender_domain>[a-zA-Z0-9.\\-]+)$", field=SenderAddress, strict=false)
| sender_domain := lower(sender_domain)
| is_privacy_provider := if(
    sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
                      "cock.li", "disroot.org", "riseup.net", "mailfence.com",
                      "guerrillamail.com", "temp-mail.org", "mailinator.com",
                      "10minutemail.com", "throwam.com", "yopmail.com"),
    "true", "false"
  )
| is_free_provider := if(
    sender_domain in ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                      "live.com", "icloud.com", "aol.com"),
    "true", "false"
  )
| is_privacy_provider = "true" OR is_free_provider = "true"
| recipient_field := coalesce(RecipientAddress, recipient, ToAddress)
| attach_flag := if(coalesce(AttachmentCount, "0") != "0" AND coalesce(AttachmentCount, "0") != "", 1, 0)
| groupBy(
    [SenderAddress, sender_domain, is_privacy_provider],
    function=[
      count(as=email_count),
      count(recipient_field, distinct=true, as=targeted_users),
      sum(attach_flag, as=attachment_emails),
      min(@timestamp, as=first_contact_ms),
      max(@timestamp, as=last_contact_ms)
    ]
  )
| campaign_duration_hours := (last_contact_ms - first_contact_ms) / 3600000
| campaign_duration_hours := round(campaign_duration_hours, 1)
| rs_targets := case {
    targeted_users >= 10 | 40;
    targeted_users >= 5  | 25;
    targeted_users >= 2  | 10;
    *                    | 0
  }
| rs_provider := case {
    is_privacy_provider = "true"          | 25;
    targeted_users >= 3                   | 15;
    *                                     | 0
  }
| rs_attach := case {
    attachment_emails >= 3 | 20;
    attachment_emails >= 1 | 10;
    *                      | 0
  }
| rs_burst := case {
    email_count >= 5 AND campaign_duration_hours <= 2 | 15;
    *                                                 | 0
  }
| risk_score := rs_targets + rs_provider + rs_attach + rs_burst
| risk_score >= 25
| first_contact := formatTime("%Y-%m-%d %H:%M:%S", field=first_contact_ms, timezone="UTC")
| last_contact := formatTime("%Y-%m-%d %H:%M:%S", field=last_contact_ms, timezone="UTC")
| select([SenderAddress, sender_domain, is_privacy_provider, email_count, targeted_users,
          attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact])
| sort(field=risk_score, order=desc)
medium severity medium confidence

CrowdStrike LogScale (Humio) query detecting inbound multi-recipient email campaigns from privacy-focused or free email providers. Applies the full weighted risk scoring model (targeting breadth, provider anonymity, attachment presence, burst pattern) with a threshold of 25 to surface high-confidence signals consistent with T1585 account establishment precursor activity. Requires email security logs to be ingested into a LogScale repository — supported via Falcon for Email, Proofpoint LogScale integration, Mimecast SIEM integration, or Microsoft 365 via an Azure Event Hub connector. Field names (SenderAddress, RecipientAddress, AttachmentCount, MessageDirection) reflect O365 Management API schema; use coalesce() blocks to add alternative field names for other sources. The time window defaults to the LogScale repository retention period — add a @timestamp filter (e.g. @timestamp > now() - 14d) at the top to match the 14-day KQL lookback. The regex field extraction uses strict=false to avoid dropping events where SenderAddress is missing or malformed.

Data Sources

CrowdStrike Falcon for EmailMicrosoft Office 365 via Azure Event Hub to LogScaleProofpoint Email Protection via LogScale integrationMimecast Email Security via LogScale SIEM connector

Required Tables

email repository or any LogScale repo ingesting email gateway events

False Positives & Tuning

  • Sales or business development teams who receive high-volume contact campaigns from prospects using Gmail addresses — particularly SDR outreach sequences that contact multiple sales team members in rapid succession
  • Automated CI/CD or DevOps notification systems that relay build alerts or deployment notices from a Gmail-based service account to multiple engineering team members in a burst pattern
  • External audit or compliance firms conducting due diligence who contact multiple internal contacts from a ProtonMail address for privacy reasons — a pattern that mirrors the threat actor behaviour but is benign
Download portable Sigma rule (.yml)

Other platforms for T1585

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Persona-Based Inbound Email Campaign from Privacy Provider

    Expected signal: EmailEvents table in Microsoft Defender for Office 365 should show matching records; Message Trace output confirms telemetry is flowing for privacy-provider senders

  2. Test 2Test Network Detection for Social Media Account Registration Activity

    Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths

  3. Test 3Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)

    Expected signal: AuditLogs in Azure AD / Microsoft Sentinel: Operation=Add application or Invite external user, Category=ApplicationManagement or UserManagement. CloudAppEvents table should show account creation activity.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1585 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1585.001Social Media AccountsT1585.002Email AccountsT1585.003Cloud AccountsT1566PhishingT1598Phishing for InformationT1583Acquire InfrastructureT1586Compromise AccountsT1587.003Digital CertificatesT1588.004Digital CertificatesT1589Gather Victim Identity Information

Same Tactic: Resource Development

Popular Detections