Detect Email Accounts in CrowdStrike LogScale
Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1586 Compromise Accounts
- Sub-technique: T1586.002 Email Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1586/002/
LogScale Detection Query
// T1586.002 Compromised Email Account. Branch 1: inbox rule and mailbox forwarding manipulation.
// Requires the Microsoft 365 Unified Audit Log (Exchange workload) ingested into LogScale and
// tagged #dataset=o365_audit at ingest; change the tag filter to match your own schema.
// Field names (Workload, Operation, UserId, ClientIP, Parameters) are the audit log's own.
#dataset=o365_audit
| Workload="Exchange"
| in(field=Operation, values=["New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                              "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"])
// Forwarding/redirection/hiding parameters on inbox rules, plus the Set-Mailbox forwarding
// parameters (ForwardingSmtpAddress, ForwardingAddress) that the rule keywords alone miss.
// regex() must keep its default strict=true: strict=false passes non-matching events through.
| regex(field=Parameters, regex="(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress|DeleteMessage|MarkAsRead)")
| groupBy([UserId, Operation, ClientIP],
    function=[
      count(as=event_count),
      collect([Parameters], limit=10),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ])
| rename(field=[["UserId", "user"], ["ClientIP", "src_ip"], ["Operation", "operation"], ["Parameters", "rule_params"]])
| detection_branch := "InboxRuleManipulation"
| sort(event_count, order=desc, limit=500)

// Branch 2: bulk sending anomaly, 50 or more sends per hour per user and source IP.
// Run as a separate saved query or alert. "Send" is a mailbox audit action and is only
// recorded when mailbox auditing logs Send for the Owner logon type.
#dataset=o365_audit
| Workload="Exchange"
| Operation="Send"
| bucket(span=1h, field=[UserId, ClientIP],
    function=[
      count(as=emails_sent),
      min(@timestamp, as=first_send),
      max(@timestamp, as=last_send)
    ])
| emails_sent >= 50
| rename(field=[["UserId", "user"], ["ClientIP", "src_ip"], ["_bucket", "time_bucket"]])
| detection_branch := "BulkEmailSending"
| sort(emails_sent, order=desc, limit=500)

CrowdStrike LogScale CQL detection for T1586.002 over Microsoft 365 Unified Audit Log data ingested into LogScale. Branch 1 filters the Exchange admin and mailbox audit operations that create or modify inbox rules or mailbox settings, and keeps only events whose Parameters match forwarding, redirection, or message-hiding keywords: the primary post-compromise exfiltration-channel behaviour. groupBy() aggregates per user, operation and source IP and collects up to ten raw parameter strings for triage. Branch 2 uses bucket() to count Send operations per user and source IP in hourly windows and returns buckets of 50 or more. Tag your O365 ingestion pipeline with #dataset=o365_audit or update the filter to match your actual tag schema. Two schema caveats: the audit log emits Parameters as an array of Name/Value pairs, so if your parser flattens it into Parameters[0].Name and Parameters[0].Value fields, match on those or on @rawstring instead of a single Parameters field; and Send events only exist when mailbox audit logging (see the Exchange mailbox audit logging reference below) records the Send action for the mailbox owner.
Data Sources
- Microsoft 365 Unified Audit Log, Exchange workload: Exchange admin audit records (New-InboxRule, Set-InboxRule, Set-Mailbox, Set-MailboxAutoReplyConfiguration) and mailbox audit records (UpdateInboxRules, Send)
- Microsoft Entra ID (Azure AD) sign-in logs, used only by the sign-in based tests below (credential spray, impossible travel); the LogScale query on this page does not consume them
Required Tables
- A LogScale repository receiving the Unified Audit Log events, tagged #dataset=o365_audit (or your equivalent tag), with Workload, Operation, UserId, ClientIP and Parameters parsed as fields
False Positives & Tuning
- Exchange hybrid migration tooling (e.g., Microsoft IMAP Migration, third-party PST import tools) that programmatically creates ForwardTo or RedirectTo inbox rules during cutover windows to ensure mail continuity while MX records propagate
- Shared departmental mailboxes — such as support@, billing@, or hr@ — configured with forwarding rules to distribute incoming mail to team members, where the rule creation event maps to a personal UserId of the configuring admin
- CRM platforms (Salesforce, HubSpot) or ticketing systems (Zendesk, Jira Service Management) that send bulk transactional notifications through Exchange when triggered by high-activity periods such as end-of-quarter deal closures or incident surges
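The two query branches above, re-implemented as an added Python example so they can be run over sample records offline; this is not the page's query and not CrowdStrike or Microsoft code. It reads Unified Audit Log records in the shape Exchange emits them (Parameters as a list of Name/Value pairs, CreationTime in UTC), groups inbox-rule and mailbox-forwarding changes per user, operation and source IP, and counts Send events per user and source IP per hour. It goes one step beyond the query to support the tuning notes above: each Branch 1 finding records whether any forwarding destination lies outside the organisation's own domains, so internal-only forwards (shared mailboxes, migration tooling) can be deprioritised. All records, users, domains and IP addresses are constructed, and INTERNAL_DOMAINS is an assumed allowlist.

```python
"""Reference implementation of the two LogScale branches on this page, run over constructed
Unified Audit Log (UAL) records. Added example, not the page's or CrowdStrike's code."""
import re
from collections import defaultdict
from datetime import datetime

# Same operation set as Branch 1 of the LogScale query.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                   "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"}
# Parameters that create a forwarding channel. Set-Mailbox uses ForwardingSmtpAddress /
# ForwardingAddress, which the inbox-rule parameter names alone would miss.
FORWARD_PARAMS = re.compile(
    r"^(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress)$", re.I)
# Parameters that hide the forwarded mail from the mailbox owner.
HIDE_PARAMS = re.compile(r"^(DeleteMessage|MarkAsRead)$", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
INTERNAL_DOMAINS = {"corp.example"}  # assumed accepted domains of the organisation (constructed)


def _param_map(record):
    """UAL emits Parameters as [{"Name": ..., "Value": ...}, ...]; flatten to a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def detect_inbox_rule_manipulation(records, internal_domains=INTERNAL_DOMAINS):
    """Branch 1: rule/forwarding changes grouped by (user, operation, src_ip), with the
    matched parameters kept for triage and an external_forward flag for tuning."""
    groups = defaultdict(lambda: {"event_count": 0, "rule_params": [], "external": set(),
                                  "first_seen": None, "last_seen": None})
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        hits = {k: v for k, v in _param_map(rec).items()
                if FORWARD_PARAMS.match(k) or HIDE_PARAMS.match(k)}
        if not hits:  # e.g. Set-Mailbox changing a quota: no forwarding or hiding parameter
            continue
        g = groups[(rec["UserId"], rec["Operation"], rec.get("ClientIP", ""))]
        g["event_count"] += 1
        g["rule_params"].append(hits)
        for k, v in hits.items():
            if FORWARD_PARAMS.match(k):
                # Destination domains not owned by the organisation. ADDR_RE copes with
                # Exchange's "smtp:" prefix on ForwardingSmtpAddress and with recipient lists.
                g["external"] |= {d.lower() for d in ADDR_RE.findall(v)
                                  if d.lower() not in internal_domains}
        ts = rec["CreationTime"]  # ISO-8601 UTC strings compare correctly as text
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
        g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
    findings = [{"user": u, "operation": op, "src_ip": ip, "event_count": g["event_count"],
                 "rule_params": g["rule_params"], "external_forward": bool(g["external"]),
                 "external_domains": sorted(g["external"]), "first_seen": g["first_seen"],
                 "last_seen": g["last_seen"], "detection_branch": "InboxRuleManipulation"}
                for (u, op, ip), g in groups.items()]
    return sorted(findings, key=lambda f: f["event_count"], reverse=True)


def detect_bulk_sending(records, threshold=50):
    """Branch 2: Exchange 'Send' mailbox-audit events per (user, src_ip) per UTC hour."""
    buckets = defaultdict(int)
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") != "Send":
            continue
        hour = datetime.fromisoformat(rec["CreationTime"]).replace(minute=0, second=0, microsecond=0)
        buckets[(rec["UserId"], rec.get("ClientIP", ""), hour)] += 1
    return [{"user": u, "src_ip": ip, "time_bucket": h.isoformat(), "emails_sent": n,
             "detection_branch": "BulkEmailSending"}
            for (u, ip, h), n in sorted(buckets.items(), key=lambda kv: -kv[1]) if n >= threshold]


def _rec(time, op, user, ip, params=None):
    """Minimal UAL-shaped record (constructed test data, not a real capture)."""
    return {"CreationTime": time, "Workload": "Exchange", "Operation": op, "UserId": user,
            "ClientIP": ip, "Parameters": [{"Name": k, "Value": v} for k, v in (params or {}).items()]}


SAMPLE_RECORDS = [
    # Attacker-style rule: forward to an external collector and delete the evidence.
    _rec("2024-03-04T09:15:22", "New-InboxRule", "j.doe@corp.example", "203.0.113.7",
         {"Name": "Rules", "ForwardTo": "archive@mail-collector.example", "DeleteMessage": "True"}),
    # Mailbox-level forward via Set-Mailbox; the value carries Exchange's smtp: prefix.
    _rec("2024-03-04T09:16:01", "Set-Mailbox", "j.doe@corp.example", "203.0.113.7",
         {"Identity": "j.doe", "ForwardingSmtpAddress": "smtp:archive@mail-collector.example"}),
    # Benign: admin routes a shared mailbox to an internal alias (tuning candidate).
    _rec("2024-03-04T10:02:45", "New-InboxRule", "admin@corp.example", "198.51.100.10",
         {"Name": "Route support", "RedirectTo": "support-team@corp.example"}),
    # Unrelated Set-Mailbox change with no forwarding parameter: must not match.
    _rec("2024-03-04T10:05:00", "Set-Mailbox", "admin@corp.example", "198.51.100.10",
         {"Identity": "billing", "ProhibitSendQuota": "50GB"}),
]
# 60 Send events in one hour from the compromised account, 5 from a normal user.
SAMPLE_RECORDS += [_rec(f"2024-03-04T11:{i:02d}:00", "Send", "j.doe@corp.example", "203.0.113.7")
                   for i in range(60)]
SAMPLE_RECORDS += [_rec(f"2024-03-04T11:{i * 10:02d}:00", "Send", "a.smith@corp.example",
                        "198.51.100.22") for i in range(5)]

if __name__ == "__main__":
    for finding in detect_inbox_rule_manipulation(SAMPLE_RECORDS) + detect_bulk_sending(SAMPLE_RECORDS):
        print(finding)
```

Running the script prints three Branch 1 findings (the two j.doe changes flagged external_forward, the admin shared-mailbox redirect not) and one Branch 2 bucket for j.doe at 60 sends; the admin quota change is silently dropped because none of its parameters match. The external_forward flag is the tuning hook: suppress or down-rank findings where it is false and the UserId is a known administrator, rather than allowlisting the operations themselves.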
Testing Methodology
Validate this detection with the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Only Tests 1 and 3 produce Exchange audit events that the LogScale query above consumes; Tests 2 and 4 produce Microsoft Entra ID (Azure AD) sign-in telemetry and exercise the sign-in based behaviours named in the introduction (risky sign-ins, impossible travel), which need a separate query over sign-in logs.
- Test 1: Simulate Compromised Account Inbox Rule Creation
  Expected signal: Unified Audit Log record with Operation='New-InboxRule' and Workload='Exchange', UserId set to the test account's UPN, and Parameters containing 'ForwardTo' with the external destination address. The record reaches the Unified Audit Log within roughly 15 minutes of rule creation; visibility in LogScale additionally depends on your ingestion latency. ClientIP reflects the machine running the Exchange Online PowerShell session.
- Test 2: Credential Spray Simulation Against Exchange Online
  Expected signal: Microsoft Entra ID sign-in logs (SigninLogs): multiple entries with ResultType='50126' (invalid username or password) or '50055' (expired password) for the target UserPrincipalName from the executing machine's IP address. ClientAppUsed identifies the protocol; values such as 'Exchange Web Services', 'IMAP4' or 'Other clients' indicate legacy (Basic) authentication. Microsoft has disabled Basic Authentication for Exchange Online protocols other than SMTP AUTH, so in most tenants these failures will instead appear as modern-authentication sign-in failures. Repeated failures trigger Entra ID Protection's password-spray detection once its threshold is reached. This telemetry is not consumed by the LogScale query above.
- Test 3: Simulate Bulk Email Send from Compromised Account
  Expected signal: Unified Audit Log mailbox-audit records with Operation='Send' and Workload='Exchange', UserId matching the test account and ClientIP matching the executing machine, clustered within a single hour. The count exceeds the 50-per-hour threshold of the bulk-sending branch, so the hourly bucket surfaces in Branch 2. Send is only logged when mailbox auditing records it for the Owner logon type; confirm that before testing, or the branch will stay silent.
- Test 4: Verify Impossible Travel Detection Using VPN Geo-Shift
  Expected signal: SigninLogs: two successful entries (ResultType='0') for the test account within ~20 minutes whose Location.countryOrRegion values differ (e.g. 'United States' and 'Germany'). Entra ID Protection may independently raise an 'impossibleTravel' risk detection within minutes. Not covered by the LogScale query above; requires a query over sign-in logs.
References
- https://attack.mitre.org/techniques/T1586/002/
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-officeactivity-table
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://services.google.com/fh/files/blogs/google_threat_horizons_report_#7_march_2022.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1586.002/T1586.002.md
- https://www.mandiant.com/resources/blog/apt29-microsoft-365
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging