Detect Email Accounts in Elastic Security
Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1586 Compromise Accounts
- Sub-technique
- T1586.002 Email Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1586/002/
Elastic Detection Query
/* T1586.002 — Risky sign-in to M365 email followed by inbox rule exfiltration setup within 4h */
sequence by user.name with maxspan=4h
[authentication where event.dataset == "azure.signinlogs"
and event.outcome == "success"
and (
azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") or
azure.signinlogs.properties.is_risky == true or
azure.signinlogs.properties.risk_state == "atRisk"
)
and wildcard(azure.signinlogs.properties.app_display_name,
"*Exchange*", "*Outlook*", "*Office 365*", "*Microsoft 365*", "*OWA*"
)]
[any where event.dataset == "o365.audit"
and event.action in (
"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
"Set-Mailbox", "Set-MailboxAutoReplyConfiguration"
)
and wildcard(o365.audit.Parameters,
"*ForwardTo*", "*ForwardAsAttachmentTo*", "*RedirectTo*",
"*DeleteMessage*", "*MarkAsRead*"
)]Detects T1586.002 post-compromise behaviors using a two-event EQL sequence: a risky or anomalous Azure AD sign-in to M365 email services (Exchange, Outlook, OWA) followed within 4 hours by creation of an inbox rule containing exfiltration parameters (forwarding, redirection, auto-deletion). Correlates by user.name across azure.signinlogs and o365.audit data streams. Catches the canonical post-compromise kill chain: threat actor authenticates with stolen creds → immediately sets up forwarding rule for persistent access or exfiltration. Covers the same risky-sign-in and inbox-rule-manipulation branches as the KQL detection.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate employees setting up ForwardTo rules to redirect mail to a personal assistant or delegate mailbox — the forwarding parameter match fires regardless of destination, so internal-to-internal forwarding rules will trigger
- Users accessing corporate email via a personal VPN or travel proxy from an unfamiliar geolocation, causing Azure Identity Protection to elevate risk level despite the sign-in being legitimate
- IT helpdesk or migration scripts using Set-Mailbox cmdlets in bulk during Exchange Online migrations or tenant consolidations, generating inbox rule events at scale across many accounts
Other platforms for T1586.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Inbox Rule Creation
Expected signal: Office 365 Unified Audit Log: Operation='New-InboxRule', UserId='[email protected]', Parameters containing 'ForwardTo' and '[email protected]'. Event appears in OfficeActivity table in Sentinel within ~15 minutes of creation. ClientIP will reflect the machine running the PowerShell session.
- Test 2Credential Spray Simulation Against Exchange Online
Expected signal: Azure AD SigninLogs: multiple entries with ResultType='50126' (invalid credentials) or '50055' for target UserPrincipalName from the executing machine's IP address. AppDisplayName will show 'Exchange Web Services' or 'Outlook'. AuthenticationProtocol will show 'Legacy' indicating Basic Auth. Failed attempts trigger Azure AD Identity Protection spray detection after threshold.
- Test 3Simulate Bulk Email Send from Compromised Account
Expected signal: OfficeActivity table: multiple Operation='Send' entries from [email protected] within a 1-hour window, UserId matching the test account, ClientIP matching the executing machine. Email count will exceed the BulkSendThreshold (50) for the hourly bucket, triggering the bulk sending branch.
- Test 4Verify Impossible Travel Detection Using VPN Geo-Shift
Expected signal: Azure AD SigninLogs: two entries for the test account within ~20 minutes showing different Location.countryOrRegion values (e.g. 'United States' and 'Germany'). ResultType='0' for both (successful). Azure AD Identity Protection may independently raise a 'impossibleTravel' risk detection within minutes.
References (10)
- https://attack.mitre.org/techniques/T1586/002/
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-officeactivity-table
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://services.google.com/fh/files/blogs/google_threat_horizons_report_#7_march_2022.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1586.002/T1586.002.md
- https://www.mandiant.com/resources/blog/apt29-microsoft-365
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
Unlock Pro Content
Get the full detection package for T1586.002 including response playbook, investigation guide, and atomic red team tests.