T1586.002

Email Accounts

Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.

Microsoft Sentinel / Defender

kusto

// T1586.002 — Compromised Email Account Detection
// Detects post-compromise behaviors: impossible travel, risky sign-ins,
// inbox rule creation/forwarding setup, and bulk outbound email anomalies.

let LookbackWindow = 24h;
let ImpossibleTravelThreshold = 2; // distinct countries within 1 hour
let BulkSendThreshold = 50; // emails sent in 1 hour

// Branch 1: Risky or impossible travel sign-ins to email services
let RiskySignIns =
SigninLogs
| where TimeGenerated > ago(LookbackWindow)
| where ResultType == "0" // Successful sign-in only — compromise achieved
| where AppDisplayName has_any ("Exchange", "Outlook", "Office 365", "Microsoft 365", "Exchange Online", "OWA")
| where RiskLevelDuringSignIn in ("high", "medium") or RiskState == "atRisk"
    or IsRisky == true
| extend Country = tostring(Location.countryOrRegion)
| extend City = tostring(Location.city)
| project TimeGenerated, UserPrincipalName, IPAddress, Country, City,
          AppDisplayName, DeviceDetail, RiskLevelDuringSignIn, RiskState,
          RiskDetail, AutonomousSystemNumber, AuthenticationRequirement,
          ConditionalAccessStatus
| extend DetectionBranch = "RiskySignIn";

// Branch 2: Impossible travel — same account from multiple countries within 1 hour
let ImpossibleTravel =
SigninLogs
| where TimeGenerated > ago(LookbackWindow)
| where ResultType == "0"
| where AppDisplayName has_any ("Exchange", "Outlook", "Office 365", "Microsoft 365", "Exchange Online", "OWA")
| extend Country = tostring(Location.countryOrRegion)
| summarize
    Countries = make_set(Country),
    IPAddresses = make_set(IPAddress),
    SignInCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Countries) >= ImpossibleTravelThreshold
| extend DetectionBranch = "ImpossibleTravel"
| project FirstSeen, UserPrincipalName, Countries, IPAddresses, SignInCount, DetectionBranch;

// Branch 3: Inbox rule creation or email forwarding configured post-sign-in
let InboxRuleCreation =
OfficeActivity
| where TimeGenerated > ago(LookbackWindow)
| where Operation in (
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"
  )
| where Parameters has_any (
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "DeleteMessage", "MarkAsRead", "MoveToFolder"
  )
| extend RuleParameters = tostring(Parameters)
| project TimeGenerated, UserId, ClientIP, Operation, RuleParameters,
          OfficeWorkload, OrganizationName
| extend DetectionBranch = "InboxRuleManipulation";

// Branch 4: High-volume email sending anomaly (bulk phishing from compromised account)
let BulkSending =
OfficeActivity
| where TimeGenerated > ago(LookbackWindow)
| where Operation == "Send"
| where OfficeWorkload == "Exchange"
| summarize
    EmailsSent = count(),
    UniqueRecipients = dcount(tostring(parse_json(tostring(Parameters))[0].Value)),
    FirstSend = min(TimeGenerated),
    LastSend = max(TimeGenerated)
  by UserId, ClientIP, bin(TimeGenerated, 1h)
| where EmailsSent >= BulkSendThreshold
| extend DetectionBranch = "BulkEmailSending"
| project FirstSend, UserId, ClientIP, EmailsSent, UniqueRecipients, DetectionBranch;

// Combine all branches
RiskySignIns
| union (ImpossibleTravel | project TimeGenerated = FirstSeen, UserPrincipalName, DetectionBranch, IPAddress = tostring(IPAddresses))
| union (InboxRuleCreation | project TimeGenerated, UserPrincipalName = UserId, DetectionBranch, IPAddress = ClientIP)
| union (BulkSending | project TimeGenerated = FirstSend, UserPrincipalName = UserId, DetectionBranch, IPAddress = ClientIP)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Application Log: Application Log Content Network Traffic: Network Traffic Content Microsoft 365 Unified Audit Log Azure AD Identity Protection

Required Tables

SigninLogs OfficeActivity

False Positives

Legitimate travel: employees using email from multiple countries in rapid succession (e.g. layovers, VPN with auto-selected exit nodes, or roaming with split-tunnel VPN)
IT administrators creating inbox rules or forwarding configurations on behalf of users during mailbox migrations, offboarding, or automated workflow setup
Marketing automation or bulk email campaigns sent through compromised-looking patterns when authorized tools (Mailchimp, HubSpot) relay via Exchange
Azure AD Identity Protection flagging sign-ins from corporate IP ranges not yet registered as named locations, generating false risk scores
Service accounts or shared mailboxes that legitimately sign in from multiple locations or send high volumes of transactional email

Splunk

spl

| union
[
  search index=o365 sourcetype="o365:management:activity" Operation IN ("UserLoggedIn", "MailboxLogin")
  | eval risk_country=mvfield(ClientInfo, "CountryCode")
  | eval detection_branch="SignInActivity"
]
[
  search index=o365 sourcetype="o365:management:activity" Operation IN ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox")
  | eval detection_branch="InboxRuleManipulation"
]
[
  search index=o365 sourcetype="o365:management:activity" Operation="Send" Workload="Exchange"
  | eval detection_branch="EmailSend"
]

```

// Actual primary query — risky sign-ins and inbox manipulation:

index=o365 sourcetype="o365:management:activity"
  (Operation IN ("UserLoggedIn", "MailboxLogin") OR
   Operation IN ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox") OR
   Operation="Send")
| eval user=coalesce(UserId, Actor{}.ID)
| eval src_ip=ClientIP
| eval operation=Operation
| eval workload=Workload
| eval parameters=Parameters

// Branch 1: Inbox rule manipulation (forwarding/deletion rules)
| eval inbox_rule_flag=if(
    (operation IN ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox")) AND
    (match(parameters, "(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)")),
    1, 0)

// Branch 2: Bulk sending anomaly — count sends per user per hour
| eval is_send=if(operation="Send" AND workload="Exchange", 1, 0)
| bin _time span=1h
| stats
    count(eval(is_send=1)) as emails_sent,
    values(src_ip) as src_ips,
    values(operation) as operations,
    max(inbox_rule_flag) as has_inbox_rule,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
  by user, _time
| eval bulk_send_flag=if(emails_sent >= 50, 1, 0)
| eval detection_score=has_inbox_rule + bulk_send_flag
| where detection_score > 0 OR has_inbox_rule=1
| eval detection_branches=if(has_inbox_rule=1, "InboxRuleManipulation ", "") . if(bulk_send_flag=1, "BulkEmailSending", "")
| table first_seen, user, src_ips, emails_sent, operations, has_inbox_rule, bulk_send_flag, detection_branches, detection_score
| sort - detection_score, - emails_sent

high severity medium confidence

Data Sources

Application Log: Application Log Content Microsoft 365 Unified Audit Log Office 365 Management Activity API

Required Sourcetypes

o365:management:activity

False Positives

Legitimate bulk email tools (newsletters, CRM systems) that relay through Exchange and generate high send counts per hour
IT administrators creating forwarding rules during mailbox migrations, employee offboarding, or shared mailbox configuration
Automated business workflows (ticketing systems, alert routing) that create inbox rules programmatically
Marketing or sales staff conducting legitimate email campaigns with high recipient counts
Service desk accounts that legitimately receive and process high volumes of inbound email with auto-routing rules

IBM QRadar (AQL)

sql

/* Branch 1: Inbox rule manipulation with forwarding or deletion parameters */
SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS user,
  sourceip AS src_ip,
  QIDNAME(qid) AS event_name,
  "UserAction" AS operation,
  "Parameters" AS rule_parameters,
  'InboxRuleManipulation' AS detection_branch
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Office 365', 'Microsoft Exchange')
  AND LOWER("UserAction") IN (
    'new-inboxrule', 'set-inboxrule', 'updateinboxrules',
    'set-mailbox', 'set-mailboxautoreplyconfiguration'
  )
  AND (
    LOWER("Parameters") LIKE '%forwardto%'
    OR LOWER("Parameters") LIKE '%forwardasattachmentto%'
    OR LOWER("Parameters") LIKE '%redirectto%'
    OR LOWER("Parameters") LIKE '%deletemessage%'
    OR LOWER("Parameters") LIKE '%markasread%'
  )
  AND LAST 24 HOURS

UNION

/* Branch 2: Impossible travel — same account, 2+ countries in 1-hour window */
SELECT
  DATEFORMAT(MIN(starttime)/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS user,
  GROUP(DISTINCT sourceip) AS src_ips,
  COUNT(*) AS signin_count,
  COUNT(DISTINCT "CountryCode") AS distinct_countries,
  'ImpossibleTravel' AS detection_branch
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Office 365', 'Microsoft Azure Active Directory')
  AND (
    LOWER(QIDNAME(qid)) LIKE '%login%'
    OR LOWER(QIDNAME(qid)) LIKE '%logon%'
    OR LOWER("UserAction") IN ('userloggedin', 'mailboxlogin')
  )
  AND "ResultType" = '0'
  AND LAST 24 HOURS
GROUP BY
  username,
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH')
HAVING COUNT(DISTINCT "CountryCode") >= 2
ORDER BY distinct_countries DESC

high severity medium confidence

Data Sources

Microsoft Office 365 Microsoft Azure Active Directory

Required Tables

events

False Positives

Business travelers on multi-leg international flights who access corporate email during a layover and again after landing in a different country — the 1-hour window catches legitimate rapid-transit geography changes
IT administrators using a management jump server in a different country than their physical location, causing the source IP's geolocation to resolve to the admin country rather than the user's country
Automated compliance or eDiscovery workflows that programmatically create inbox rules with RedirectTo parameters to copy mail to legal hold mailboxes during litigation hold procedures

Sumo Logic CSE

sql

(_sourceCategory=o365 OR _sourceCategory=microsoft/office365 OR _sourceCategory=azure/o365)
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "Parameters" as parameters nodrop
| json field=_raw "Workload" as workload nodrop
| where operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                       "Set-Mailbox", "Set-MailboxAutoReplyConfiguration", "Send")
// Classify each event into detection branches
| eval is_inbox_rule = if(
    operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                   "Set-Mailbox", "Set-MailboxAutoReplyConfiguration")
    AND matches(parameters, "(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)"),
    1, 0)
| eval is_send = if(operation = "Send" AND workload = "Exchange", 1, 0)
// Aggregate per user per 1-hour window
| timeslice 1h
| stats
    sum(is_inbox_rule) as inbox_rule_events,
    sum(is_send) as emails_sent,
    values(client_ip) as src_ips,
    values(operation) as operations,
    min(_messagetime) as first_seen,
    max(_messagetime) as last_seen
    by user_id, _timeslice
// Scoring: +1 per branch triggered
| eval bulk_send_flag = if(emails_sent >= 50, 1, 0)
| eval inbox_rule_flag = if(inbox_rule_events > 0, 1, 0)
| eval detection_score = bulk_send_flag + inbox_rule_flag
| where detection_score > 0
| eval detection_branches = concat(
    if(inbox_rule_flag = 1, "InboxRuleManipulation ", ""),
    if(bulk_send_flag = 1, "BulkEmailSending", "")
  )
| fields _timeslice, user_id, src_ips, emails_sent, inbox_rule_events,
          operations, detection_branches, detection_score
| sort by detection_score, emails_sent

high severity medium confidence

Data Sources

Microsoft Office 365 Audit Logs

Required Tables

_sourceCategory=o365 _sourceCategory=microsoft/office365

False Positives

Marketing, communications, or HR teams sending bulk internal announcements or newsletters through Exchange shared mailboxes, where 50+ recipients in a single hour is routine and expected
Automated monitoring or alerting systems (Nagios, PagerDuty connectors, ticketing systems) that route notifications through Exchange user mailboxes rather than dedicated service accounts, hitting the bulk-send threshold during incident storms
IT or legal teams creating inbox rules with RedirectTo parameters during employee offboarding or HR investigations — standard procedure in many organizations to preserve mail for compliance while the account is being wound down

Google Chronicle / SecOps

yaral

rule t1586_002_email_inbox_exfil_post_compromise {
  meta:
    author = "Detection Engineering"
    description = "Detects T1586.002 post-compromise pattern: successful M365 sign-in followed within 4h by inbox rule creation with email forwarding or deletion parameters, indicating adversary establishing exfiltration channel or persistence after account takeover"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1586/002/"
    platforms = "Office 365, Azure AD"

  events:
    // Anchor: successful sign-in to M365 email
    $signin.metadata.event_type = "USER_LOGIN"
    $signin.metadata.vendor_name = "Microsoft"
    $signin.extensions.auth.auth_result_type = "SUCCESS"
    $signin.metadata.product_name = "Office 365"
    $signin.principal.user.email_addresses = $user

    // Correlated: inbox rule with exfiltration parameters within 4h
    $rule_evt.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $rule_evt.metadata.vendor_name = "Microsoft"
    $rule_evt.metadata.product_name = "Office 365"
    $rule_evt.metadata.product_event_type in (
      "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
      "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"
    )
    re.regex(
      $rule_evt.target.resource.attribute.labels["Parameters"],
      `(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)`
    )
    $rule_evt.principal.user.email_addresses = $user

  match:
    $user over 4h

  condition:
    $signin and $rule_evt
}

rule t1586_002_impossible_travel_email_signin {
  meta:
    author = "Detection Engineering"
    description = "Detects impossible travel to Microsoft 365 email services — same account authenticates successfully from two different countries within 1 hour, a strong indicator of compromised credentials being used by an adversary in a foreign location while the victim continues normal activity"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1586/002/"

  events:
    $e1.metadata.event_type = "USER_LOGIN"
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_name = "Office 365"
    $e1.extensions.auth.auth_result_type = "SUCCESS"
    $e1.principal.user.email_addresses = $user
    $e1.principal.ip_geo_artifact.location.country_or_region = $country1

    $e2.metadata.event_type = "USER_LOGIN"
    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_name = "Office 365"
    $e2.extensions.auth.auth_result_type = "SUCCESS"
    $e2.principal.user.email_addresses = $user
    $e2.principal.ip_geo_artifact.location.country_or_region = $country2

    $country1 != $country2
    $e1.principal.ip != $e2.principal.ip

  match:
    $user over 1h

  condition:
    $e1 and $e2
}

high severity high confidence

Data Sources

Microsoft Office 365 Audit Logs Azure Active Directory Sign-in Logs

Required Tables

microsoft_office_365 azure_ad

False Positives

Users connected to corporate VPN tunnels where the egress IP resolves to a country different from the user's physical location — VPN exit nodes in a foreign datacenter will trigger impossible travel against a legitimate same-country sign-in
Executives or global sales staff who legitimately travel between countries and access email during short international transit hubs, with the 1-hour window too tight for their actual travel pace
Compliance or legal teams using automated tools that call Set-Mailbox or Set-InboxRule via service accounts with ForwardAsAttachmentTo parameters as part of regulatory archiving to third-party platforms

CrowdStrike LogScale (CQL)

cql

// T1586.002 — Compromised Email Account: Inbox Rule Manipulation and Bulk Sending
// Requires Microsoft O365 audit logs ingested into LogScale with #dataset=o365_audit
// or equivalent tag set during log ingestion pipeline configuration

// ── Branch 1: Inbox rule creation with forwarding / exfiltration parameters ──
#dataset = o365_audit
| Operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
               "Set-Mailbox", "Set-MailboxAutoReplyConfiguration")
| regex(field=Parameters, regex="(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)", strict=false)
| groupBy(
    [UserId, Operation, ClientIP],
    function=[
      count(as=event_count),
      collect(Parameters, multival=true, limit=10, as=rule_params),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| rename(field=UserId, as=user)
| rename(field=ClientIP, as=src_ip)
| rename(field=Operation, as=operation)
| eval detection_branch := "InboxRuleManipulation"
| sort(event_count, order=desc, limit=500)

// ── Branch 2 (run separately): Bulk email sending anomaly >= 50 sends per hour ──
// Uncomment and run independently to detect BulkEmailSending branch:
//
// #dataset = o365_audit
// | Operation = "Send" AND Workload = "Exchange"
// | bucket(field=@timestamp, span=1h, as=time_bucket)
// | groupBy(
//     [UserId, ClientIP, time_bucket],
//     function=[
//       count(as=emails_sent),
//       min(@timestamp, as=first_send),
//       max(@timestamp, as=last_send)
//     ]
//   )
// | emails_sent >= 50
// | rename(field=UserId, as=user)
// | rename(field=ClientIP, as=src_ip)
// | eval detection_branch := "BulkEmailSending"
// | sort(emails_sent, order=desc, limit=500)

high severity medium confidence

Data Sources

Microsoft Office 365 Audit Logs (ingested into CrowdStrike LogScale)

Required Tables

#dataset=o365_audit

False Positives

Exchange hybrid migration tooling (e.g., Microsoft IMAP Migration, third-party PST import tools) that programmatically creates ForwardTo or RedirectTo inbox rules during cutover windows to ensure mail continuity while MX records propagate
Shared departmental mailboxes — such as support@, billing@, or hr@ — configured with forwarding rules to distribute incoming mail to team members, where the rule creation event maps to a personal UserId of the configuring admin
CRM platforms (Salesforce, HubSpot) or ticketing systems (Zendesk, Jira Service Management) that send bulk transactional notifications through Exchange when triggered by high-activity periods such as end-of-quarter deal closures or incident surges

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1586.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Email Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections