Detect Email Accounts in Google Chronicle
Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1586 Compromise Accounts
- Sub-technique: T1586.002 Email Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1586/002/
YARA-L Detection Rules

rule t1586_002_email_inbox_exfil_post_compromise {
  meta:
    author = "Detection Engineering"
    description = "T1586.002 post-compromise pattern: successful M365 sign-in followed within 4h by an inbox rule or mailbox change whose parameters forward, redirect or delete mail, consistent with an adversary setting up an exfiltration channel or hiding activity after account takeover"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1586/002/"
    platforms = "Office 365, Azure AD"

  events:
    // Anchor: successful sign-in to M365
    $signin.metadata.event_type = "USER_LOGIN"
    $signin.metadata.vendor_name = "Microsoft"
    $signin.metadata.product_name = "Office 365"
    $signin.extensions.auth.auth_result_type = "SUCCESS"
    $signin.principal.user.email_addresses = $user

    // Correlated: inbox rule or mailbox change with forwarding/deletion parameters
    $rule_evt.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $rule_evt.metadata.vendor_name = "Microsoft"
    $rule_evt.metadata.product_name = "Office 365"
    $rule_evt.metadata.product_event_type in (
      "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
      "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"
    )
    // Inbox-rule cmdlets carry ForwardTo/RedirectTo/DeleteMessage; Set-Mailbox
    // carries ForwardingSmtpAddress/ForwardingAddress/DeliverToMailboxAndForward,
    // so the alternation has to cover both families
    re.regex(
      $rule_evt.target.resource.attribute.labels["Parameters"],
      `(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward|DeleteMessage|MarkAsRead)`
    )
    $rule_evt.principal.user.email_addresses = $user

    // The match window alone does not enforce order; require the sign-in
    // to precede the rule change
    $signin.metadata.event_timestamp.seconds <= $rule_evt.metadata.event_timestamp.seconds

  match:
    $user over 4h

  condition:
    $signin and $rule_evt
}

rule t1586_002_impossible_travel_email_signin {
  meta:
    author = "Detection Engineering"
    description = "Impossible travel to Microsoft 365: the same account authenticates successfully from two different countries and two different IPs within 1 hour, a strong indicator of stolen credentials being used from a remote location while the victim continues normal activity"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1586/002/"
    platforms = "Office 365, Azure AD"

  events:
    $e1.metadata.event_type = "USER_LOGIN"
    $e1.metadata.vendor_name = "Microsoft"
    $e1.metadata.product_name = "Office 365"
    $e1.extensions.auth.auth_result_type = "SUCCESS"
    $e1.principal.user.email_addresses = $user
    // Skip events without geo enrichment; an empty country would otherwise
    // compare as "different" from any real one
    $e1.principal.ip_geo_artifact.location.country_or_region != ""
    $e1.principal.ip_geo_artifact.location.country_or_region = $country1

    $e2.metadata.event_type = "USER_LOGIN"
    $e2.metadata.vendor_name = "Microsoft"
    $e2.metadata.product_name = "Office 365"
    $e2.extensions.auth.auth_result_type = "SUCCESS"
    $e2.principal.user.email_addresses = $user
    $e2.principal.ip_geo_artifact.location.country_or_region != ""
    $e2.principal.ip_geo_artifact.location.country_or_region = $country2

    $country1 != $country2
    $e1.principal.ip != $e2.principal.ip
    // Order the pair so each (e1, e2) combination is emitted once, not twice
    $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds

  match:
    $user over 1h

  condition:
    $e1 and $e2
}

Two Chronicle YARA-L 2.0 rules cover T1586.002. Rule 1 (email_inbox_exfil_post_compromise) joins a successful Office 365 sign-in to a later inbox rule or mailbox change whose parameters forward, redirect or delete mail, within a 4-hour match window keyed on the user. Rule 2 (impossible_travel_email_signin) pairs two successful Office 365 sign-ins by the same account from different countries and different IPs within 1 hour, ignoring sign-ins that carry no geo enrichment so a missing country is never counted as a different one. Both rules use UDM field paths for Microsoft Office 365 ingestion in Chronicle; confirm the exact product_event_type values and the label key that holds the cmdlet parameters against your own parsed events before deploying, because parser output differs between feed versions.
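The matching logic of both rules, as an added example in plain Python (not code from the original page or from Google): it replays constructed UDM-style events through the same conditions, including the sign-in-before-rule ordering, the empty-country guard, and a VPN egress allowlist, so you can see which sample events fire before touching Chronicle. The event shape, the users, IPs and addresses are assumptions made for this example.

```python
# Added example, not code from the original page or from Google: a plain-Python
# model of the two YARA-L correlations so their matching logic can be checked
# offline. Field names mirror the UDM paths used in the rules; every event,
# user, IP and address below is constructed for the example.
import re
from datetime import datetime, timedelta, timezone

# Same alternation as rule 1, including the Set-Mailbox forwarding parameters.
EXFIL_PARAMS = re.compile(
    r"(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|"
    r"ForwardingAddress|DeliverToMailboxAndForward|DeleteMessage|MarkAsRead)"
)
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
            "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"}


def ev(user, when, event_type, **fields):
    """Build a flattened UDM-like event; `when` is HH:MM on one fixed day."""
    t = datetime(2024, 1, 15, tzinfo=timezone.utc) + timedelta(
        hours=int(when[:2]), minutes=int(when[3:]))
    return {"user": user, "ts": t, "event_type": event_type,
            "vendor_name": "Microsoft", "product_name": "Office 365", **fields}


def signin(user, when, country, ip):
    return ev(user, when, "USER_LOGIN", auth_result="SUCCESS",
              country=country, ip=ip)


def rule_change(user, when, op, parameters):
    return ev(user, when, "USER_RESOURCE_UPDATE_CONTENT",
              product_event_type=op, parameters=parameters)


def inbox_rule_after_signin(events, window=timedelta(hours=4)):
    """Rule 1: a successful sign-in followed (not preceded) within `window`
    by a mailbox/inbox-rule change whose Parameters carry forwarding or
    deletion settings, joined on the user. Returns sorted (user, op) pairs."""
    hits = set()
    for s in events:
        if s["event_type"] != "USER_LOGIN" or s.get("auth_result") != "SUCCESS":
            continue
        for r in events:
            if (r["user"] == s["user"]
                    and r["event_type"] == "USER_RESOURCE_UPDATE_CONTENT"
                    and r.get("product_event_type") in RULE_OPS
                    and EXFIL_PARAMS.search(r.get("parameters", ""))
                    and timedelta(0) <= r["ts"] - s["ts"] <= window):
                hits.add((r["user"], r["product_event_type"]))
    return sorted(hits)


def impossible_travel(events, window=timedelta(hours=1), vpn_egress=frozenset()):
    """Rule 2 plus two guards the YARA-L version needs in practice: drop
    sign-ins with no geo enrichment and drop known VPN egress IPs.
    Returns sorted (user, earlier_country, later_country) triples."""
    hits = set()
    logins = sorted((e for e in events if e["event_type"] == "USER_LOGIN"
                     and e.get("auth_result") == "SUCCESS"
                     and e.get("country") and e["ip"] not in vpn_egress),
                    key=lambda e: e["ts"])
    for i, a in enumerate(logins):
        for b in logins[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break  # list is time-ordered; nothing later can be in window
            if (a["user"] == b["user"] and a["country"] != b["country"]
                    and a["ip"] != b["ip"]):
                hits.add((a["user"], a["country"], b["country"]))
    return sorted(hits)


# Constructed sample telemetry (not real tenant data).
SAMPLE = [
    # alice: forwarding rule 90 min after sign-in (rule 1); second sign-in
    # from another country 40 min after the first (rule 2)
    signin("alice@corp.example", "09:00", "US", "203.0.113.10"),
    signin("alice@corp.example", "09:40", "DE", "198.51.100.7"),
    rule_change("alice@corp.example", "10:30", "New-InboxRule",
                '[{"Name":"ForwardTo","Value":"drop@mail.example.net"},'
                '{"Name":"DeleteMessage","Value":"True"}]'),
    # bob: forwarding rule lands 5h after the sign-in, outside the window
    signin("bob@corp.example", "08:00", "US", "203.0.113.11"),
    rule_change("bob@corp.example", "13:00", "Set-InboxRule",
                '[{"Name":"ForwardTo","Value":"bob.home@example.org"}]'),
    # carol: mailbox-level forwarding via Set-Mailbox
    signin("carol@corp.example", "09:00", "US", "203.0.113.12"),
    rule_change("carol@corp.example", "09:10", "Set-Mailbox",
                '[{"Name":"ForwardingSmtpAddress","Value":"smtp:x@example.net"}]'),
    # dave: benign rule that only moves mail
    signin("dave@corp.example", "09:00", "US", "203.0.113.13"),
    rule_change("dave@corp.example", "09:05", "New-InboxRule",
                '[{"Name":"MoveToFolder","Value":"Newsletters"}]'),
    # erin: second sign-in has no geo enrichment; must not count as travel
    signin("erin@corp.example", "09:00", "US", "203.0.113.14"),
    signin("erin@corp.example", "09:30", "", "203.0.113.99"),
    # frank: second sign-in from a known corporate VPN egress address
    signin("frank@corp.example", "09:00", "US", "203.0.113.15"),
    signin("frank@corp.example", "09:20", "NL", "192.0.2.50"),
]
VPN_EGRESS = frozenset({"192.0.2.50"})  # assumed allowlist for the example

if __name__ == "__main__":
    print(inbox_rule_after_signin(SAMPLE))
    print(impossible_travel(SAMPLE, vpn_egress=VPN_EGRESS))
```

Run as a script it prints the (user, cmdlet) pairs that satisfy rule 1 (alice and carol; bob is outside the window and dave's rule has no exfil parameter) and the (user, country, country) triples for rule 2 (alice only; erin is dropped by the empty-country guard and frank by the VPN allowlist). Calling impossible_travel without the allowlist shows frank firing, which is the VPN false positive the tuning section describes.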
Data Sources
Required log sources
- Office 365 Unified Audit Log ingested through Chronicle's Office 365 feed. Both rules key on metadata.vendor_name = "Microsoft" and metadata.product_name = "Office 365"; confirm these values against your parsed events.
- Azure AD workload records (UserLoggedIn) supply the USER_LOGIN events, including extensions.auth.auth_result_type. Chronicle's own IP geolocation enrichment populates principal.ip_geo_artifact; rule 2 cannot fire on sign-ins that lack it.
- Exchange workload records supply New-InboxRule, Set-InboxRule, Set-Mailbox and Set-MailboxAutoReplyConfiguration from the Exchange admin audit, and UpdateInboxRules from mailbox auditing (emitted when rules are edited from the Outlook desktop client). UpdateInboxRules requires mailbox auditing to be enabled; see the mailbox audit logging reference below.
False Positives & Tuning
- Users on a corporate VPN whose egress IP geolocates to a country other than the one they are physically in: a VPN exit in a foreign datacenter, combined with a direct same-country sign-in (for example from a phone off VPN), is a textbook impossible-travel false positive. Exclude known VPN egress addresses with a reference list, or treat pairs involving them as low priority.
- Executives and global sales staff who legitimately sign in from two countries within an hour while transiting through international hubs; the 1-hour window is deliberately tight and will catch them. A per-user exception list or a second rule with a longer window and lower severity handles this group.
- Compliance or legal tooling that calls Set-Mailbox or Set-InboxRule from service accounts with ForwardAsAttachmentTo or ForwardingSmtpAddress parameters for regulatory archiving to third-party platforms. Exclude those service accounts explicitly rather than the parameters.
- Rule 1's sign-in anchor adds little on its own: nearly every inbox rule change is preceded by a sign-in within 4 hours, so the rule effectively fires on every forwarding or deletion rule. To raise precision, constrain $signin to sign-ins from outside the user's usual countries or from IPs not seen before for that user, and prioritise alerts whose ForwardTo, RedirectTo or ForwardingSmtpAddress value is outside your tenant's domains.
- MarkAsRead and DeleteMessage are common in benign newsletter-cleanup rules. Keep them in the pattern (attackers use them to hide replies from the victim) but rank alerts that combine them with an external forward above those that use them alone.
Testing Methodology
Validate these rules with the four tests below (see the Atomic Red Team reference for T1586.002). Each test lists the behaviour to exercise and the telemetry to expect. Expected signals are described in Microsoft's native log terms (Unified Audit Log and Azure AD sign-in logs); in Chronicle the same records arrive as the UDM events the rules above match on, so check both the raw Microsoft record and the parsed UDM event.
- Test 1: Simulate Compromised Account Inbox Rule Creation
Expected signal: Unified Audit Log Operation='New-InboxRule' with UserId set to the test account and Parameters containing 'ForwardTo' and the external address you used. The record typically appears within about 15 minutes of creation; ClientIP reflects the machine running the PowerShell session. In Chronicle this is the $rule_evt side of rule 1, and because the test account signed in shortly before running the cmdlet, rule 1 should fire.
- Test 2: Credential Spray Simulation Against Exchange Online
Expected signal: Azure AD sign-in logs: multiple failures for the target UserPrincipalName from the executing machine's IP with ResultType '50126' (invalid credentials) or '50055' (expired password). AppDisplayName shows 'Exchange Web Services' or 'Outlook'; AuthenticationProtocol shows 'Legacy' only if basic authentication is still enabled for the tenant, which Exchange Online has been retiring, so expect the legacy path to be refused on most tenants. Azure AD Identity Protection raises its password-spray detection once its threshold is crossed. Neither rule on this page fires on failed sign-ins (both require auth_result_type = SUCCESS); this test confirms the failures are ingested as USER_LOGIN events and gives you the pre-compromise baseline for the account.
- Test 3: Simulate Bulk Email Send from Compromised Account
Expected signal: multiple Operation='Send' records from the test account within a 1-hour window, UserId matching the test account and ClientIP matching the executing machine; the original test assumes a threshold of 50 sends per hour. The two rules on this page do not cover bulk sending, so do not expect an alert from them; a separate single-event rule that counts Send events per user per hour in an outcome section is needed to catch this step.
- Test 4: Verify Impossible Travel Detection Using VPN Geo-Shift
Expected signal: Azure AD sign-in logs: two successful entries (ResultType '0') for the test account within ~20 minutes whose Location.countryOrRegion values differ (for example 'United States' and 'Germany'). Rule 2 should fire provided both parsed events carry principal.ip_geo_artifact and neither source IP is on the VPN egress allowlist you applied during tuning; if you test from the corporate VPN itself, the allowlist will suppress the alert, which is the expected tuned behaviour. Azure AD Identity Protection may independently raise an 'impossibleTravel' risk detection within minutes.
References (10)
- https://attack.mitre.org/techniques/T1586/002/
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-officeactivity-table
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://services.google.com/fh/files/blogs/google_threat_horizons_report_#7_march_2022.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1586.002/T1586.002.md
- https://www.mandiant.com/resources/blog/apt29-microsoft-365
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging