T1585 Sumo Logic CSE · Sumo

Detect Establish Accounts in Sumo Logic CSE

This detection identifies observable indicators of adversary account establishment activity within the target environment — specifically inbound communications from newly created or privacy-focused email accounts targeting multiple employees, suspicious authentication attempts from externally established personas, and endpoint connections to account creation infrastructure. Since T1585 is a PRE-ATT&CK technique occurring outside the victim network, detections focus on the downstream effects: spearphishing precursor activity from zero-history email accounts, bulk contact campaigns from free/disposable email providers, and network telemetry showing corporate endpoints researching persona-associated platforms. Coverage spans all three sub-techniques: social media (T1585.001), email (T1585.002), and cloud account (T1585.003) establishment.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=email* OR _sourceCategory=mail_gateway* OR _sourceCategory=o365*
| parse regex "(?:SenderAddress|sender|from_address|From)\s*[=:\"]+\s*(?<sender_address>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:RecipientAddress|recipient|to_address|To)\s*[=:\"]+\s*(?<recipient>[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})" nodrop
| parse regex "(?:MessageDirection|direction|DeliveryAction)\s*[=:\"]+\s*(?<email_direction>[a-zA-Z]+)" nodrop
// A quoted string after "matches" is a glob pattern in Sumo; regex patterns go between slashes
| where email_direction matches /(?i)inbound/
| parse regex field=sender_address "@(?<sender_domain>[a-zA-Z0-9.\-]+)$" nodrop
| toLowerCase(sender_domain) as sender_domain
| where sender_domain in ("protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com",
    "10minutemail.com", "throwam.com", "yopmail.com",
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "live.com", "icloud.com", "aol.com")
| parse regex "(?:AttachmentCount|attachment_count|has_attachment)\s*[=:\"]+\s*(?<attach_raw>[0-9a-zA-Z]+)" nodrop
// Sumo assigns derived fields with "expression as field" rather than eval
| if(attach_raw matches /[1-9][0-9]*/ or attach_raw matches /(?i)true/, 1, 0) as has_attachment
| if(sender_domain in (
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com", "yopmail.com"), 1, 0) as is_privacy_provider
| count as email_count, count_distinct(recipient) as targeted_users,
    sum(has_attachment) as attachment_emails,
    min(_messagetime) as first_contact_ms, max(_messagetime) as last_contact_ms,
    max(is_privacy_provider) as is_privacy_provider
    by sender_address, sender_domain
| round((last_contact_ms - first_contact_ms) / 3600000, 1) as campaign_duration_hours
// Weighted risk components: targeting breadth, provider anonymity, attachments, burst
| if(targeted_users >= 10, 40, if(targeted_users >= 5, 25, if(targeted_users >= 2, 10, 0))) as rs_targets
| if(is_privacy_provider == 1, 25, if(targeted_users >= 3, 15, 0)) as rs_provider
| if(attachment_emails >= 3, 20, if(attachment_emails >= 1, 10, 0)) as rs_attach
| if(email_count >= 5 and campaign_duration_hours <= 2, 15, 0) as rs_burst
| (rs_targets + rs_provider + rs_attach + rs_burst) as risk_score
| where risk_score >= 25
| formatDate(toLong(first_contact_ms), "yyyy-MM-dd HH:mm:ss") as first_contact
| formatDate(toLong(last_contact_ms), "yyyy-MM-dd HH:mm:ss") as last_contact
| fields sender_address, sender_domain, is_privacy_provider, email_count, targeted_users,
    attachment_emails, campaign_duration_hours, risk_score, first_contact, last_contact
| sort by risk_score desc
Severity
medium
Confidence
medium

Sumo Logic detection query identifying inbound multi-recipient email campaigns from privacy-focused or free consumer email providers consistent with T1585 Establish Accounts precursor activity. Uses regex-based field extraction with nodrop to handle multiple log source formats (Exchange, O365, Proofpoint, Postfix). Applies the same weighted risk scoring as the reference KQL/SPL: targeting breadth, provider anonymity, attachment presence, and burst pattern. Requires email logs flowing to a _sourceCategory matching email*, mail_gateway*, or o365*. Field names in the parse regex patterns (SenderAddress, RecipientAddress, AttachmentCount) reflect common O365 and Exchange DSM output — adjust the parse patterns to match your specific log format. count_distinct() requires Sumo Logic 2023.1+ or Enterprise tier; on older deployments substitute with a two-pass join using a separate count_distinct subquery.
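To check the weighting before deploying the query, the same extraction and scoring can be replayed offline over a handful of gateway log lines. The block below is an added example, not code from the page or from Sumo Logic: it reuses the query's key alternations and provider lists, substitutes a constructed ISO-8601 "ts" field for _messagetime, and returns the rows the query would emit, so you can see which of the four components (targets, provider, attachment, burst) push a sender over the 25-point threshold. The log lines are constructed and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample gateway log lines (not real telemetry): a key=value style
# and a JSON style, to exercise the multi-format parse patterns of the query.
SAMPLE_LOGS = [
    "ts=2024-05-06T09:00:00Z SenderAddress=payroll.update@protonmail.com RecipientAddress=a.user@corp.example MessageDirection=Inbound AttachmentCount=1",
    "ts=2024-05-06T09:05:00Z SenderAddress=payroll.update@protonmail.com RecipientAddress=b.user@corp.example MessageDirection=Inbound AttachmentCount=1",
    "ts=2024-05-06T09:07:00Z SenderAddress=payroll.update@protonmail.com RecipientAddress=c.user@corp.example MessageDirection=Inbound AttachmentCount=1",
    "ts=2024-05-06T09:09:00Z SenderAddress=payroll.update@protonmail.com RecipientAddress=d.user@corp.example MessageDirection=Inbound AttachmentCount=0",
    "ts=2024-05-06T09:10:00Z SenderAddress=payroll.update@protonmail.com RecipientAddress=e.user@corp.example MessageDirection=Inbound AttachmentCount=0",
    '{"From":"aunt.jane@gmail.com","To":"a.user@corp.example","direction":"inbound","has_attachment":"false","ts":"2024-05-06T10:00:00Z"}',
    "ts=2024-05-06T11:00:00Z SenderAddress=a.user@corp.example RecipientAddress=x@gmail.com MessageDirection=Outbound AttachmentCount=0",
    "ts=2024-05-06T12:00:00Z SenderAddress=internal@corp.example RecipientAddress=a.user@corp.example MessageDirection=Inbound AttachmentCount=3",
]

EMAIL = r"[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}"
# Same key alternations as the Sumo query, written with Python's (?P<name>) groups.
SENDER_RE = re.compile(r'(?:SenderAddress|sender|from_address|From)\s*[=:"]+\s*(?P<v>' + EMAIL + r")")
RECIP_RE = re.compile(r'(?:RecipientAddress|recipient|to_address|To)\s*[=:"]+\s*(?P<v>' + EMAIL + r")")
DIR_RE = re.compile(r'(?:MessageDirection|direction|DeliveryAction)\s*[=:"]+\s*(?P<v>[a-zA-Z]+)')
ATTACH_RE = re.compile(r'(?:AttachmentCount|attachment_count|has_attachment)\s*[=:"]+\s*(?P<v>[0-9a-zA-Z]+)')
# Stand-in for _messagetime (assumption of this example): an ISO-8601 "ts" field.
TS_RE = re.compile(r'ts\s*[=:"]+\s*(?P<v>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)')

PRIVACY_PROVIDERS = {
    "protonmail.com", "proton.me", "tutanota.com", "tutamail.com",
    "cock.li", "disroot.org", "riseup.net", "mailfence.com",
    "guerrillamail.com", "temp-mail.org", "mailinator.com", "yopmail.com",
}
FREE_PROVIDERS = {
    "10minutemail.com", "throwam.com", "gmail.com", "yahoo.com", "hotmail.com",
    "outlook.com", "live.com", "icloud.com", "aol.com",
}
WATCHED_DOMAINS = PRIVACY_PROVIDERS | FREE_PROVIDERS


def to_epoch_ms(ts):
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def fmt_epoch_ms(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_event(line):
    """Extract the fields the query parses; None if any mandatory field is absent (no nodrop here)."""
    found = [rx.search(line) for rx in (SENDER_RE, RECIP_RE, DIR_RE, TS_RE)]
    if not all(found):
        return None
    sender, recipient, direction, ts = (m.group("v") for m in found)
    attach = ATTACH_RE.search(line)
    raw = attach.group("v") if attach else ""
    has_attachment = 1 if (re.fullmatch(r"[1-9][0-9]*", raw) or raw.lower() == "true") else 0
    return {
        "sender": sender,
        "domain": sender.rsplit("@", 1)[1].lower(),  # query lowercases only the domain
        "recipient": recipient,
        "direction": direction,
        "has_attachment": has_attachment,
        "ts_ms": to_epoch_ms(ts),
    }


def risk_components(targeted_users, is_privacy, attachment_emails, email_count, hours):
    """The four weighted components exactly as the query computes them."""
    rs_targets = 40 if targeted_users >= 10 else 25 if targeted_users >= 5 else 10 if targeted_users >= 2 else 0
    rs_provider = 25 if is_privacy else 15 if targeted_users >= 3 else 0
    rs_attach = 20 if attachment_emails >= 3 else 10 if attachment_emails >= 1 else 0
    rs_burst = 15 if (email_count >= 5 and hours <= 2) else 0
    return {"rs_targets": rs_targets, "rs_provider": rs_provider, "rs_attach": rs_attach, "rs_burst": rs_burst}


def score_campaigns(lines, threshold=25):
    """Group inbound mail from watched providers by sender and return rows at or above the threshold."""
    groups = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["direction"].lower() != "inbound" or ev["domain"] not in WATCHED_DOMAINS:
            continue
        g = groups.setdefault(ev["sender"], {"domain": ev["domain"], "recipients": set(), "count": 0,
                                             "attach": 0, "first": ev["ts_ms"], "last": ev["ts_ms"]})
        g["count"] += 1
        g["recipients"].add(ev["recipient"])
        g["attach"] += ev["has_attachment"]
        g["first"], g["last"] = min(g["first"], ev["ts_ms"]), max(g["last"], ev["ts_ms"])
    rows = []
    for sender, g in groups.items():
        hours = round((g["last"] - g["first"]) / 3600000, 1)
        is_privacy = 1 if g["domain"] in PRIVACY_PROVIDERS else 0
        comps = risk_components(len(g["recipients"]), is_privacy, g["attach"], g["count"], hours)
        score = sum(comps.values())
        if score < threshold:
            continue
        rows.append({"sender_address": sender, "sender_domain": g["domain"], "is_privacy_provider": is_privacy,
                     "email_count": g["count"], "targeted_users": len(g["recipients"]),
                     "attachment_emails": g["attach"], "campaign_duration_hours": hours,
                     "risk_score": score, "first_contact": fmt_epoch_ms(g["first"]),
                     "last_contact": fmt_epoch_ms(g["last"]), **comps})
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


if __name__ == "__main__":
    for row in score_campaigns(SAMPLE_LOGS):
        print(row)
```

On the constructed input only the protonmail.com sender survives: five recipients (25), privacy provider (25), three attachments (20) and five messages inside ten minutes (15) give 85. The single gmail.com message to one mailbox scores 0, the outbound message is dropped by the direction filter, and the internal sender never enters the provider list. Raising or lowering the per-component weights here is a quick way to test a tuning change before editing the production query.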

Data Sources

  • Microsoft Office 365 Management Activity via Sumo Logic O365 App
  • Microsoft Exchange message tracking logs via Sumo Logic installed collector
  • Proofpoint on Demand via Sumo Logic Proofpoint App
  • Postfix/Sendmail syslog via Sumo Logic syslog collector

Required Tables

  • _sourceCategory=email*
  • _sourceCategory=mail_gateway*
  • _sourceCategory=o365*

False Positives & Tuning

  • B2B partners or freelancers who exclusively use personal Gmail or ProtonMail accounts for business correspondence and regularly email multiple stakeholders within the same organisation
  • Subscription confirmation or double-opt-in workflows where one external service address delivers messages to multiple internal test accounts during QA — particularly if your team uses shared recipient aliases that expand to individual mailboxes
  • Penetration test or red team email campaigns using privacy providers to simulate spearphishing — validate with the security team calendar before adjusting thresholds

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Persona-Based Inbound Email Campaign from Privacy Provider

    Expected signal: EmailEvents table in Microsoft Defender for Office 365 should show matching records; Message Trace output confirms telemetry is flowing for privacy-provider senders

  2. Test 2: Test Network Detection for Social Media Account Registration Activity

    Expected signal: Sysmon Event ID 22 (DNS Query) for registration domains; DeviceNetworkEvents ConnectionSuccess/ConnectionAttempted events for HTTPS connections to signup paths

  3. Test 3: Simulate Cloud Account Creation for Persona Infrastructure (Azure CLI)

    Expected signal: AuditLogs in Azure AD / Microsoft Sentinel: Operation=Add application or Invite external user, Category=ApplicationManagement or UserManagement. CloudAppEvents table should show account creation activity.
