T1586.002 Sumo Logic CSE · Sumo

Detect Email Accounts in Sumo Logic CSE

Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1586 Compromise Accounts
Sub-technique
T1586.002 Email Accounts
Canonical reference
https://attack.mitre.org/techniques/T1586/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=o365 OR _sourceCategory=microsoft/office365 OR _sourceCategory=azure/o365)
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "Parameters" as parameters nodrop
| json field=_raw "Workload" as workload nodrop
| where operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                      "Set-Mailbox", "Set-MailboxAutoReplyConfiguration", "Send")
// Classify each event into detection branches (Sumo syntax is "| if(...) as field", not eval)
| if(operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                   "Set-Mailbox", "Set-MailboxAutoReplyConfiguration")
     AND parameters matches /(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)/,
     1, 0) as is_inbox_rule
| if(operation = "Send" AND workload = "Exchange", 1, 0) as is_send
// Aggregate per user per 1-hour window (aggregation operators are listed directly, no stats keyword)
| timeslice 1h
| sum(is_inbox_rule) as inbox_rule_events,
  sum(is_send) as emails_sent,
  values(client_ip) as src_ips,
  values(operation) as operations,
  min(_messagetime) as first_seen,
  max(_messagetime) as last_seen
  by user_id, _timeslice
// Scoring: +1 per branch triggered
| if(emails_sent >= 50, 1, 0) as bulk_send_flag
| if(inbox_rule_events > 0, 1, 0) as inbox_rule_flag
| bulk_send_flag + inbox_rule_flag as detection_score
| where detection_score > 0
| concat(if(inbox_rule_flag = 1, "InboxRuleManipulation ", ""),
         if(bulk_send_flag = 1, "BulkEmailSending", "")) as detection_branches
| fields _timeslice, user_id, src_ips, emails_sent, inbox_rule_events,
         operations, detection_branches, detection_score
// Highest score, then largest send burst, first
| sort by detection_score desc, emails_sent desc
Severity
high
Confidence
medium

Sumo Logic detection for T1586.002 covering inbox rule manipulation with exfiltration-style parameters and bulk email sending anomalies. It parses the O365 audit log JSON fields, classifies each event into a detection branch, and aggregates per user in 1-hour timeslices. A scoring model adds +1 for each branch triggered (an inbox rule carrying forwarding, redirect, delete or mark-as-read parameters; 50 or more emails sent in the hour) and alerts on any positive score. The structure and thresholds mirror the SPL version of this detection. Adjust _sourceCategory to match your O365 data ingestion path.
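To make the scoring concrete, here is an added Python re-implementation of the query's logic (example code, not part of the original page or of Sumo Logic's tooling) that reads constructed O365 Unified Audit Log JSON lines, buckets them per user per hour, and emits the same branches and score; the record field names follow the O365 audit schema, while the users, IPs and timestamps are invented.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Branch definitions mirror the Sumo query: rule operations, exfil-style parameters, bulk-send threshold
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
            "Set-Mailbox", "Set-MailboxAutoReplyConfiguration"}
EXFIL_PARAMS = re.compile(r"(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MarkAsRead)")
BULK_SEND_THRESHOLD = 50

def hour_bucket(ts):
    """Map an ISO-8601 CreationTime to the start of its 1-hour window (the query's timeslice 1h)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0)

def score_events(lines, bulk_threshold=BULK_SEND_THRESHOLD):
    """Aggregate raw O365 audit JSON lines per (UserId, hour) and score each bucket."""
    buckets = defaultdict(lambda: {"rules": 0, "sent": 0, "ips": set()})
    for line in lines:
        ev = json.loads(line)
        op = ev.get("Operation", "")
        params = json.dumps(ev.get("Parameters", []))  # list of {Name, Value}; searched as text like the query
        b = buckets[(ev.get("UserId"), hour_bucket(ev["CreationTime"]))]
        if op in RULE_OPS and EXFIL_PARAMS.search(params):
            b["rules"] += 1
        if op == "Send" and ev.get("Workload") == "Exchange":
            b["sent"] += 1
        b["ips"].add(ev.get("ClientIP"))
    alerts = []
    for (user, start), b in buckets.items():
        branches = (["InboxRuleManipulation"] if b["rules"] > 0 else []) + \
                   (["BulkEmailSending"] if b["sent"] >= bulk_threshold else [])
        if branches:  # detection_score > 0
            alerts.append({"user_id": user, "timeslice": start.isoformat(), "detection_score": len(branches),
                           "branches": branches, "emails_sent": b["sent"], "src_ips": sorted(b["ips"])})
    return sorted(alerts, key=lambda a: (a["detection_score"], a["emails_sent"]), reverse=True)

def sample_lines():
    """Constructed O365 audit records (not real telemetry): one suspicious user plus benign admin noise."""
    def ev(op, user, ip, ts, params=None):
        return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user, "ClientIP": ip,
                           "Workload": "Exchange", "Parameters": params or []})
    lines = [ev("New-InboxRule", "alice@example.test", "203.0.113.7", "2024-05-01T09:05:00Z",
                [{"Name": "ForwardTo", "Value": "drop@example.invalid"}]),
             ev("Set-Mailbox", "bob@example.test", "198.51.100.4", "2024-05-01T09:10:00Z",
                [{"Name": "DisplayName", "Value": "Bob Example"}])]
    lines += [ev("Send", "alice@example.test", "203.0.113.7", f"2024-05-01T09:{m:02d}:00Z") for m in range(60)]
    return lines
```

Raising bulk_threshold is the same tuning lever as the query's 50-per-hour constant; the sample shows alice tripping both branches while bob's Set-Mailbox without forwarding parameters scores zero.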

Data Sources

Microsoft Office 365 Audit Logs

Required Tables

_sourceCategory=o365
_sourceCategory=microsoft/office365

False Positives & Tuning

  • Marketing, communications, or HR teams sending bulk internal announcements or newsletters through Exchange shared mailboxes, where 50+ recipients in a single hour is routine and expected
  • Automated monitoring or alerting systems (Nagios, PagerDuty connectors, ticketing systems) that route notifications through Exchange user mailboxes rather than dedicated service accounts, hitting the bulk-send threshold during incident storms
  • IT or legal teams creating inbox rules with RedirectTo parameters during employee offboarding or HR investigations — standard procedure in many organizations to preserve mail for compliance while the account is being wound down

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Compromised Account Inbox Rule Creation

    Expected signal: Office 365 Unified Audit Log: Operation='New-InboxRule', UserId='[email protected]', Parameters containing 'ForwardTo' and '[email protected]'. Event appears in OfficeActivity table in Sentinel within ~15 minutes of creation. ClientIP will reflect the machine running the PowerShell session.

  2. Test 2: Credential Spray Simulation Against Exchange Online

    Expected signal: Azure AD SigninLogs: multiple entries with ResultType='50126' (invalid credentials) or '50055' for target UserPrincipalName from the executing machine's IP address. AppDisplayName will show 'Exchange Web Services' or 'Outlook'. AuthenticationProtocol will show 'Legacy' indicating Basic Auth. Failed attempts trigger Azure AD Identity Protection spray detection after threshold.

  3. Test 3: Simulate Bulk Email Send from Compromised Account

    Expected signal: OfficeActivity table: multiple Operation='Send' entries from [email protected] within a 1-hour window, UserId matching the test account, ClientIP matching the executing machine. Email count will exceed the BulkSendThreshold (50) for the hourly bucket, triggering the bulk sending branch.

  4. Test 4: Verify Impossible Travel Detection Using VPN Geo-Shift

    Expected signal: Azure AD SigninLogs: two entries for the test account within ~20 minutes showing different Location.countryOrRegion values (e.g. 'United States' and 'Germany'). ResultType='0' for both (successful). Azure AD Identity Protection may independently raise an 'impossibleTravel' risk detection within minutes.
