Detect Email Accounts in IBM QRadar
Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1586 Compromise Accounts
- Sub-technique
- T1586.002 Email Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1586/002/
QRadar Detection Query
/* Branch 1: Inbox rule manipulation with forwarding or deletion parameters */
SELECT
DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
username AS user,
sourceip AS src_ip,
QIDNAME(qid) AS event_name,
"UserAction" AS operation,
"Parameters" AS rule_parameters,
'InboxRuleManipulation' AS detection_branch
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Office 365', 'Microsoft Exchange')
AND LOWER("UserAction") IN (
'new-inboxrule', 'set-inboxrule', 'updateinboxrules',
'set-mailbox', 'set-mailboxautoreplyconfiguration'
)
AND (
LOWER("Parameters") LIKE '%forwardto%'
OR LOWER("Parameters") LIKE '%forwardasattachmentto%'
OR LOWER("Parameters") LIKE '%redirectto%'
OR LOWER("Parameters") LIKE '%deletemessage%'
OR LOWER("Parameters") LIKE '%markasread%'
)
AND LAST 24 HOURS
UNION
/* Branch 2: Impossible travel — same account, 2+ countries in 1-hour window */
SELECT
DATEFORMAT(MIN(starttime)/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
username AS user,
GROUP(DISTINCT sourceip) AS src_ips,
COUNT(*) AS signin_count,
COUNT(DISTINCT "CountryCode") AS distinct_countries,
'ImpossibleTravel' AS detection_branch
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Office 365', 'Microsoft Azure Active Directory')
AND (
LOWER(QIDNAME(qid)) LIKE '%login%'
OR LOWER(QIDNAME(qid)) LIKE '%logon%'
OR LOWER("UserAction") IN ('userloggedin', 'mailboxlogin')
)
AND "ResultType" = '0'
AND LAST 24 HOURS
GROUP BY
username,
DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH')
HAVING COUNT(DISTINCT "CountryCode") >= 2
ORDER BY distinct_countries DESCTwo-branch AQL UNION detection for T1586.002. Branch 1 queries Microsoft Office 365 log sources for inbox rule creation and mailbox modification events where the Parameters field contains forwarding, redirection, or deletion keywords — the primary post-compromise exfiltration-channel setup behavior. Branch 2 detects impossible travel by grouping successful email-service logon events by account and hourly window, flagging accounts with 2+ distinct country codes, matching the KQL ImpossibleTravel branch. Both branches use LOGSOURCETYPENAME for portability across QRadar deployments without hardcoded log source type IDs.
Data Sources
Required Tables
False Positives & Tuning
- Business travelers on multi-leg international flights who access corporate email during a layover and again after landing in a different country — the 1-hour window catches legitimate rapid-transit geography changes
- IT administrators using a management jump server in a different country than their physical location, causing the source IP's geolocation to resolve to the admin country rather than the user's country
- Automated compliance or eDiscovery workflows that programmatically create inbox rules with RedirectTo parameters to copy mail to legal hold mailboxes during litigation hold procedures
Other platforms for T1586.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Inbox Rule Creation
Expected signal: Office 365 Unified Audit Log: Operation='New-InboxRule', UserId='[email protected]', Parameters containing 'ForwardTo' and '[email protected]'. Event appears in OfficeActivity table in Sentinel within ~15 minutes of creation. ClientIP will reflect the machine running the PowerShell session.
- Test 2Credential Spray Simulation Against Exchange Online
Expected signal: Azure AD SigninLogs: multiple entries with ResultType='50126' (invalid credentials) or '50055' for target UserPrincipalName from the executing machine's IP address. AppDisplayName will show 'Exchange Web Services' or 'Outlook'. AuthenticationProtocol will show 'Legacy' indicating Basic Auth. Failed attempts trigger Azure AD Identity Protection spray detection after threshold.
- Test 3Simulate Bulk Email Send from Compromised Account
Expected signal: OfficeActivity table: multiple Operation='Send' entries from [email protected] within a 1-hour window, UserId matching the test account, ClientIP matching the executing machine. Email count will exceed the BulkSendThreshold (50) for the hourly bucket, triggering the bulk sending branch.
- Test 4Verify Impossible Travel Detection Using VPN Geo-Shift
Expected signal: Azure AD SigninLogs: two entries for the test account within ~20 minutes showing different Location.countryOrRegion values (e.g. 'United States' and 'Germany'). ResultType='0' for both (successful). Azure AD Identity Protection may independently raise a 'impossibleTravel' risk detection within minutes.
References (10)
- https://attack.mitre.org/techniques/T1586/002/
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-officeactivity-table
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://services.google.com/fh/files/blogs/google_threat_horizons_report_#7_march_2022.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1586.002/T1586.002.md
- https://www.mandiant.com/resources/blog/apt29-microsoft-365
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
Unlock Pro Content
Get the full detection package for T1586.002 including response playbook, investigation guide, and atomic red team tests.