T1589.002 Email Addresses Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect Azure AD email address enumeration via sign-in log error analysis
// Error 50034 = UserAccountNotFound (username does not exist in tenant)
// Error 50126 = InvalidPasswordOrUsername (username exists but wrong credential)
// High ratio of 50034 errors with many unique UPNs from one IP = enumeration
let EnumerationThreshold = 10;
let TimeWindow = 1h;
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType in ("50034", "50053", "50055", "50056")
| where isnotempty(IPAddress)
| summarize
    UniqueUsernames = dcount(UserPrincipalName),
    AttemptCount = count(),
    UsernameSample = make_set(UserPrincipalName, 25),
    AppList = make_set(AppDisplayName, 10),
    Earliest = min(TimeGenerated),
    Latest = max(TimeGenerated)
    by IPAddress, ClientAppUsed, UserAgent, bin(TimeGenerated, 1h)
| where UniqueUsernames >= EnumerationThreshold
| extend DurationMinutes = datetime_diff('minute', Latest, Earliest) + 1
| extend EnumerationRatePerMin = round(toreal(UniqueUsernames) / toreal(DurationMinutes), 2)
| extend Verdict = case(
    UniqueUsernames >= 50, "High Confidence Enumeration",
    UniqueUsernames >= 20, "Moderate Enumeration",
    "Low-Level Enumeration"
)
| project TimeGenerated, IPAddress, ClientAppUsed, UserAgent, UniqueUsernames, AttemptCount, EnumerationRatePerMin, DurationMinutes, AppList, UsernameSample, Verdict, Earliest, Latest
| sort by UniqueUsernames desc

medium severity medium confidence

Data Sources

Azure Active Directory: Sign-in Logs Cloud Service: Cloud Service Authentication Microsoft Sentinel: SigninLogs table

Required Tables

SigninLogs

False Positives

Misconfigured identity federation or SSO systems repeatedly probing with malformed UPN formats across many users during bulk authentication failures
Penetration testing engagements against the tenant's Office 365 environment using legitimate enumeration tooling
Automated user provisioning or deprovisioning workflows that check account existence before creating or removing accounts, generating bursts of 50034 errors
Password reset portal integrations or helpdesk tools that validate email addresses against Azure AD at scale during employee onboarding events
Load-testing or integration testing of authentication flows using test email addresses that do not exist in the tenant

Splunk

spl

index=azure_ad OR index=o365 sourcetype="ms:aad:signin"
  (ResultType=50034 OR ResultType=50053 OR ResultType=50055 OR ResultType=50056)
| eval username=coalesce(UserPrincipalName, UserId)
| eval hour_bin=strftime(_time, "%Y-%m-%d %H:00")
| stats
    dc(username) as UniqueUsernames,
    count as AttemptCount,
    values(username) as UsernameSample,
    values(AppDisplayName) as AppList,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by ClientIP, ClientAppUsed, UserAgent, hour_bin
| where UniqueUsernames >= 10
| eval DurationMinutes=round((LastSeen - FirstSeen) / 60, 1)
| eval DurationMinutes=if(DurationMinutes < 1, 1, DurationMinutes)
| eval EnumerationRatePerMin=round(UniqueUsernames / DurationMinutes, 2)
| eval Verdict=case(
    UniqueUsernames >= 50, "High Confidence Enumeration",
    UniqueUsernames >= 20, "Moderate Enumeration",
    1=1, "Low-Level Enumeration"
  )
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table hour_bin, ClientIP, ClientAppUsed, UserAgent, UniqueUsernames, AttemptCount, EnumerationRatePerMin, DurationMinutes, Verdict, UsernameSample, AppList, FirstSeen, LastSeen
| sort - UniqueUsernames

medium severity medium confidence

Data Sources

Azure Active Directory: Sign-in Logs Splunk Add-on for Microsoft Cloud Services Cloud Service: Cloud Service Authentication

Required Sourcetypes

ms:aad:signin

False Positives

Misconfigured identity federation systems generating bulk 50034 errors during SSO failures across a large user population
Penetration testing or red team engagements targeting the Office 365 tenant with authorized enumeration tools
Automated provisioning workflows checking account existence before bulk user creation, particularly during HR system imports
Password reset portal integrations that validate email addresses against Azure AD at scale
Monitoring or SIEM integrations that test connectivity using synthetic user accounts that do not exist in the tenant

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=1h
  [authentication where event.dataset == "azure.signinlogs"
    and azure.signinlogs.properties.status.error_code in (50034, 50053, 50055, 50056)
    and source.ip != null
    and azure.signinlogs.properties.user_principal_name != null] with runs=10

high severity high confidence

Data Sources

Azure Active Directory Sign-in Logs via Elastic Azure integration Microsoft 365 Audit Logs

Required Tables

logs-azure.signinlogs-*

False Positives

Legitimate red team or penetration testing exercises targeting Azure AD authentication from authorized IP ranges that have not been allowlisted in detection thresholds
Misconfigured enterprise SSO connectors or ADFS proxies retrying authentication with stale user lists following a directory migration or UPN domain rename
Automated help desk tooling or IT provisioning scripts that iterate over large user lists to verify account status for bulk onboarding or offboarding operations

IBM QRadar (AQL)

sql

SELECT
  sourceip AS ClientIP,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00') AS hour_bin,
  COUNT(DISTINCT username) AS UniqueUsernames,
  COUNT(*) AS AttemptCount,
  MIN(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS FirstSeen,
  MAX(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS LastSeen,
  CASE
    WHEN COUNT(DISTINCT username) >= 50 THEN 'High Confidence Enumeration'
    WHEN COUNT(DISTINCT username) >= 20 THEN 'Moderate Enumeration'
    ELSE 'Low-Level Enumeration'
  END AS Verdict
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Office 365')
  AND CATEGORYNAME(category) LIKE '%Authentication%'
  AND (
    eventpayload ILIKE '%"errorCode":50034%'
    OR eventpayload ILIKE '%"errorCode":50053%'
    OR eventpayload ILIKE '%"errorCode":50055%'
    OR eventpayload ILIKE '%"errorCode":50056%'
    OR eventpayload ILIKE '%"resultType":"50034"%'
    OR eventpayload ILIKE '%"resultType":"50053"%'
    OR eventpayload ILIKE '%"resultType":"50055"%'
    OR eventpayload ILIKE '%"resultType":"50056"%'
  )
  AND LAST 24 HOURS
GROUP BY sourceip, hour_bin
HAVING COUNT(DISTINCT username) >= 10
ORDER BY UniqueUsernames DESC

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Office 365

Required Tables

events

False Positives

Enterprise ADFS or Entra ID proxy services routing authentication on behalf of many users through a single shared egress IP, making one source appear to generate high unique-username volumes
IT identity lifecycle management or ITSM platforms that programmatically verify account existence across large user populations from a dedicated service IP as part of provisioning workflows
Shared corporate VPN or NAT egress points where many users simultaneously authenticate to cloud services, causing a single external IP to accumulate high distinct-username counts organically

Sumo Logic CSE

sql

(_sourceCategory=azure/signinlogs OR _sourceCategory=azure/activedirectory OR _sourceCategory=o365/audit)
| json field=_raw "properties.status.errorCode" as errorCode nodrop
| json field=_raw "properties.userPrincipalName" as username nodrop
| json field=_raw "properties.ipAddress" as clientIP nodrop
| json field=_raw "properties.appDisplayName" as appName nodrop
| json field=_raw "properties.userAgent" as userAgent nodrop
| where errorCode in ("50034", "50053", "50055", "50056")
| where !isNull(clientIP) and clientIP != ""
| where !isNull(username) and username != ""
| timeslice 1h
| count_distinct(username) as UniqueUsernames, count as AttemptCount by clientIP, userAgent, _timeslice
| where UniqueUsernames >= 10
| eval Verdict = if(UniqueUsernames >= 50, "High Confidence Enumeration", if(UniqueUsernames >= 20, "Moderate Enumeration", "Low-Level Enumeration"))
| eval EnumerationRatePerMin = round(UniqueUsernames / 60, 2)
| sort by UniqueUsernames desc
| fields _timeslice, clientIP, userAgent, UniqueUsernames, AttemptCount, EnumerationRatePerMin, Verdict

high severity high confidence

Data Sources

Azure Active Directory Sign-in Logs Office 365 Audit Logs

Required Tables

azure/signinlogs azure/activedirectory o365/audit

False Positives

Bulk user provisioning or deprovisioning workflows executed from a management server that verify account existence for large batches of new hires, generating concentrated bursts of 50034 errors
Third-party SaaS identity brokers or privileged access management platforms authenticating on behalf of many users from a single service account IP, producing high unique-username counts without adversarial intent
Security awareness or phishing simulation vendors probing email address validity as part of campaign scoping, generating controlled authentication error volumes from known service IP ranges

Google Chronicle / SecOps

yaral

rule azure_ad_email_enumeration_t1589_002 {
  meta:
    author = "Detection Engineering"
    description = "Detects email address enumeration via Azure AD sign-in error codes indicating probing of non-existent or invalid accounts from a single source IP. Targets T1589.002 pre-attack reconnaissance activity."
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1589.002"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    false_positives = "Enterprise SSO proxies, ADFS, red team activity, bulk provisioning workflows"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.vendor_name = "Microsoft"
    $login.security_result.action = "BLOCK"
    $login.principal.ip = $src_ip
    $login.target.user.userid = $target_user
    re.regex($login.security_result.description, `\b(50034|50053|50055|50056)\b`)

  match:
    $src_ip over 1h

  outcome:
    $unique_users = count_distinct($target_user)
    $total_attempts = count($login)
    $sample_targets = array_distinct($target_user)

  condition:
    #login >= 10
}

high severity high confidence

Data Sources

Google Chronicle UDM Azure Active Directory via Chronicle ingestion pipeline

Required Tables

UDM events (event_type: USER_LOGIN, vendor_name: Microsoft)

False Positives

Enterprise Azure AD Connect or Entra ID sync services generating authentication validation bursts during scheduled directory synchronization cycles from a dedicated connector server IP
Cloud-based PAM solutions or password managers authenticating on behalf of a large user population from a single service IP, producing high-volume unique-account authentication patterns that exceed the threshold
Internal IT governance tooling performing scheduled account existence checks for license compliance or identity certification campaigns, generating predictable bursts of 50034 errors from known management IPs

CrowdStrike LogScale (CQL)

cql

// Azure AD email enumeration — CrowdStrike Falcon LogScale
// Requires Azure AD sign-in logs ingested via Falcon Log Collector or LogScale SIEM Connector
#repo = "azure_ad" OR #repo = "o365"
| resultType in ["50034", "50053", "50055", "50056"]
| ipAddress != ""
| userPrincipalName != ""
| groupBy(
    [ipAddress, clientAppUsed, userAgent, bucket := timeBucket(span="1h")],
    function=[
      count(field=userPrincipalName, distinct=true, as=UniqueUsernames),
      count(as=AttemptCount),
      collect([userPrincipalName], limit=25, as=UsernameSample),
      collect([appDisplayName], limit=10, as=AppList),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| UniqueUsernames >= 10
| DurationMs := LastSeen - FirstSeen
| DurationMinutes := if(DurationMs < 60000, 1, round(DurationMs / 60000, 1))
| EnumerationRatePerMin := round(UniqueUsernames / DurationMinutes, 2)
| case {
    UniqueUsernames >= 50 | Verdict := "High Confidence Enumeration" ;
    UniqueUsernames >= 20 | Verdict := "Moderate Enumeration" ;
    * | Verdict := "Low-Level Enumeration"
  }
| sort(UniqueUsernames, order=desc)
| select([bucket, ipAddress, clientAppUsed, userAgent, UniqueUsernames, AttemptCount, EnumerationRatePerMin, DurationMinutes, Verdict, UsernameSample, AppList])

high severity medium confidence

Data Sources

Azure Active Directory Sign-in Logs via CrowdStrike Falcon LogScale Connector

Required Tables

azure_ad LogScale repository o365 LogScale repository

False Positives

Microsoft Entra Connect or hybrid join configuration services generating authentication validation requests for multiple accounts from a dedicated connector server during scheduled sync windows, producing high unique-username bursts
Authorized red team or penetration testing engagements targeting Azure AD infrastructure from external IP ranges that have not been explicitly excluded from detection thresholds prior to the exercise
Third-party identity governance or access certification platforms performing periodic account validity sweeps across large user populations from a fixed service account IP as part of quarterly recertification campaigns

Email Addresses

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections