Detect Establish Accounts in Splunk
This detection looks for the observable side effects of adversary account establishment inside the target environment: inbound mail from newly created or privacy-focused email accounts sent to multiple employees, authentication attempts from externally established personas, and endpoint connections to account-creation infrastructure. T1585 itself is a Resource Development technique carried out outside the victim network, so detection can only target the downstream effects: spearphishing precursor contact from zero-history email accounts, bulk outreach from free or disposable email providers, and network telemetry showing corporate endpoints touching persona-associated platforms. The SPL query on this page covers the email sub-technique (T1585.002). The social media (T1585.001) and cloud account (T1585.003) sub-techniques are exercised only through the endpoint and cloud telemetry described under Testing Methodology; the query itself does not consume that telemetry.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/
SPL Detection Query
(index=email OR index=mail_logs) sourcetype IN ("ms:o365:management", "exchange:message_tracking", "postfix:syslog", "proofpoint:mail")
| search direction="inbound" OR MessageDirection="Inbound" OR message_direction="inbound"
| eval sender_address=lower(coalesce(sender, SenderAddress, from_address, "unknown"))
| eval sender_domain=replace(sender_address, ".*@", "")
| eval is_privacy_provider=if(match(sender_domain, "^(protonmail\.com|proton\.me|tutanota\.com|tutamail\.com|cock\.li|disroot\.org|riseup\.net|mailfence\.com|guerrillamail\.com|temp-mail\.org|mailinator\.com|yopmail\.com)$"), 1, 0)
| eval is_free_provider=if(match(sender_domain, "^(gmail\.com|yahoo\.com|hotmail\.com|outlook\.com|live\.com|icloud\.com|aol\.com)$"), 1, 0)
| where is_privacy_provider=1 OR is_free_provider=1
| eval recipient=lower(coalesce(recipient, RecipientAddress, to_address, "unknown"))
| eval has_attachment=if(match(coalesce(attachment_names, AttachmentNames, ""), ".+"), 1, 0)
| eval has_link=if(tonumber(coalesce(url_count, UrlCount, 0)) > 0, 1, 0)
| eval delivery_status=coalesce(DeliveryAction, delivery_action, MessageStatus, "unknown")
| stats
    count AS email_count,
    dc(recipient) AS targeted_users,
    values(recipient) AS recipient_list,
    sum(has_attachment) AS attachment_emails,
    sum(has_link) AS link_emails,
    values(subject) AS sample_subjects,
    values(delivery_status) AS delivery_statuses,
    min(_time) AS first_contact,
    max(_time) AS last_contact,
    max(is_privacy_provider) AS is_privacy_provider
  by sender_address, sender_domain
| eval campaign_duration_hours=round((last_contact - first_contact) / 3600, 1)
| eval risk_score=0
| eval risk_score=risk_score + case(targeted_users >= 10, 40, targeted_users >= 5, 25, targeted_users >= 2, 10, true(), 0)
| eval risk_score=risk_score + case(is_privacy_provider=1, 25, targeted_users >= 3, 15, true(), 0)
| eval risk_score=risk_score + case(attachment_emails >= 3, 20, attachment_emails >= 1, 10, true(), 0)
| eval risk_score=risk_score + case(link_emails >= 5 AND attachment_emails=0, 15, link_emails >= 2, 8, true(), 0)
| eval risk_score=risk_score + case(email_count >= 5 AND campaign_duration_hours <= 2, 15, true(), 0)
| where risk_score >= 25
| eval first_contact_time=strftime(first_contact, "%Y-%m-%d %H:%M:%S")
| eval last_contact_time=strftime(last_contact, "%Y-%m-%d %H:%M:%S")
| table first_contact_time, last_contact_time, sender_address, sender_domain, is_privacy_provider, email_count, targeted_users, recipient_list, attachment_emails, link_emails, delivery_statuses, campaign_duration_hours, sample_subjects, risk_score
| sort - risk_score

Detects inbound email campaigns from privacy-focused or free email providers that target multiple internal recipients. Each sender is scored on provider type, distinct recipient count, attachment and link presence, and burst timing, so that persona-driven contact campaigns consistent with T1585 precursor activity rank highest. The index filter is parenthesised because Splunk binds the implicit AND tighter than OR, and the provider patterns are anchored so that a look-alike domain such as a subdomain or suffix of a listed provider is not matched. The scheduled search window is the campaign horizon: a sender whose messages straddle two runs is scored independently in each, and a slow drip below the per-window thresholds is not surfaced.
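To check the weights and the 25-point threshold before scheduling the search, the following Python re-implements the query's per-sender aggregation and risk scoring over a handful of constructed message-tracking records. This is an added example, not part of the page's Splunk content: the record keys follow the coalesce() aliases used in the query, every address and timestamp is made up, and the `allowlist` parameter is an assumed tuning hook for the known-benign senders that the False Positives & Tuning section lists.

```python
"""Offline re-implementation of the T1585 inbound-campaign scoring from the
SPL query on this page, run over constructed message-tracking records.

Added example, not the page's own Splunk content. Record keys follow the
coalesce() aliases in the query (sender, recipient, direction,
attachment_names, url_count, _time); addresses and timestamps are made up,
and `allowlist` is an assumed tuning hook for known-benign senders.
"""
from collections import defaultdict

PRIVACY_PROVIDERS = {
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com", "cock.li",
    "disroot.org", "riseup.net", "mailfence.com", "guerrillamail.com",
    "temp-mail.org", "mailinator.com", "yopmail.com",
}
FREE_PROVIDERS = {
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "live.com",
    "icloud.com", "aol.com",
}


def sender_domain(address):
    """Same as replace(sender_address, ".*@", "") in the query, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def risk_score(n_users, is_privacy, attachments, links, email_count, duration_h):
    """The five case() steps from the query, same order and same weights."""
    score = 40 if n_users >= 10 else 25 if n_users >= 5 else 10 if n_users >= 2 else 0
    score += 25 if is_privacy else 15 if n_users >= 3 else 0
    score += 20 if attachments >= 3 else 10 if attachments >= 1 else 0
    score += 15 if (links >= 5 and attachments == 0) else 8 if links >= 2 else 0
    score += 15 if (email_count >= 5 and duration_h <= 2) else 0
    return score


def score_campaigns(records, allowlist=frozenset(), min_score=25):
    """Filter inbound mail from listed providers, aggregate per sender, score."""
    by_sender = defaultdict(list)
    for rec in records:
        if rec.get("direction", "").lower() != "inbound":
            continue
        sender = rec["sender"].lower()
        domain = sender_domain(sender)
        if domain not in PRIVACY_PROVIDERS and domain not in FREE_PROVIDERS:
            continue
        if sender in allowlist:  # tuning: drop triaged simulation/vendor senders
            continue
        by_sender[sender].append(rec)

    results = []
    for sender, msgs in by_sender.items():
        domain = sender_domain(sender)
        recipients = {m["recipient"].lower() for m in msgs}        # dc(recipient)
        attachments = sum(1 for m in msgs if m.get("attachment_names"))
        links = sum(1 for m in msgs if int(m.get("url_count", 0)) > 0)
        times = [m["_time"] for m in msgs]
        duration_h = round((max(times) - min(times)) / 3600, 1)
        is_privacy = domain in PRIVACY_PROVIDERS
        score = risk_score(len(recipients), is_privacy, attachments, links,
                           len(msgs), duration_h)
        if score < min_score:
            continue
        results.append({
            "sender_address": sender, "sender_domain": domain,
            "is_privacy_provider": int(is_privacy), "email_count": len(msgs),
            "targeted_users": len(recipients), "attachment_emails": attachments,
            "link_emails": links, "campaign_duration_hours": duration_h,
            "risk_score": score,
        })
    return sorted(results, key=lambda r: -r["risk_score"])   # sort - risk_score


def _msg(sender, recipient, t, urls=0, attachment="", direction="inbound"):
    return {"sender": sender, "recipient": recipient, "_time": t,
            "url_count": urls, "attachment_names": attachment, "direction": direction}


BASE = 1_700_000_000  # constructed epoch base; spacing exercises the burst rule
SAMPLE_RECORDS = (
    # persona burst: six users in 25 minutes, every mail carries links
    [_msg("persona@proton.me", f"user{i}@corp.example", BASE + i * 300, urls=2)
     for i in range(6)]
    # job applicant: three recipients over two days, resume attached each time
    + [_msg("jane.doe@gmail.com", r, BASE + d * 86400, attachment="resume.pdf")
       for d, r in enumerate(["hr@corp.example", "eng@corp.example", "ceo@corp.example"])]
    # phishing-simulation platform: twelve users in eleven minutes, link in each
    + [_msg("sim@yopmail.com", f"staff{i}@corp.example", BASE + i * 60, urls=1)
       for i in range(12)]
    # benign noise: one recipient, one link; the outbound reply is ignored
    + [_msg("bob@gmail.com", "helpdesk@corp.example", BASE, urls=1),
       _msg("helpdesk@corp.example", "bob@gmail.com", BASE + 10, direction="outbound")]
)

if __name__ == "__main__":
    for row in score_campaigns(SAMPLE_RECORDS, allowlist={"sim@yopmail.com"}):
        print(row)
```

Running it shows the tuning problem directly: the persona burst scores 80, but a job applicant who mails three people with a résumé attached scores 45 and clears the 25-point threshold on recipient count and attachments alone, while the allowlisted simulation platform (95 points untuned) disappears. Raising `min_score` or allowlisting triaged senders are the two knobs the query gives you; the `allowlist` corresponds to a lookup-based exclusion you would add before the stats command in SPL.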
Data Sources
Inbound email telemetry from the mail gateway or mail server: message-tracking records carrying sender, recipient, subject, delivery status and, where the gateway exposes them, attachment names and URL counts. The query tolerates missing fields through coalesce(), so a sourcetype without attachment or URL data (plain postfix:syslog, for example) is scored on provider type, recipient count and burst timing only.
Required Sourcetypes
- ms:o365:management
- exchange:message_tracking
- postfix:syslog
- proofpoint:mail
False Positives & Tuning
- Legitimate bulk notifications from SaaS vendors or third-party services using free email infrastructure
- Job applicants or external collaborators contacting multiple employees from personal Gmail/Yahoo accounts
- Security awareness testing platforms sending simulated phishing from free email domains
- Open source community contributors using ProtonMail contacting engineering teams about vulnerability disclosures
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Only Test 1 produces events that the SPL query above consumes; Tests 2 and 3 validate the endpoint and cloud telemetry for the social media and cloud account sub-techniques, which the query does not cover.
- Test 1: Simulate Persona-Based Inbound Email Campaign from Privacy Provider
Expected signal: the EmailEvents table in Microsoft Defender for Office 365 should show matching records, and Message Trace output confirms telemetry is flowing for privacy-provider senders. Once those messages are indexed under one of the required sourcetypes, the query should return the test sender with a risk_score of 25 or more.
- Test 2: Test Network Detection for Social Media Account Registration Activity
Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths
- Test 3: Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)
Expected signal: AuditLogs in Azure AD / Microsoft Sentinel with Operation=Add application or Invite external user and Category=ApplicationManagement or UserManagement; the CloudAppEvents table should show the account creation activity
References (8)
- https://attack.mitre.org/techniques/T1585/
- https://attack.mitre.org/techniques/T1585/001/
- https://attack.mitre.org/techniques/T1585/002/
- https://attack.mitre.org/techniques/T1585/003/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/14/e/newscaster-an-iranian-threat-within-social-networks.html
- https://www.youtube.com/watch?v=G0rKrTCZ_Ek