T1589.002 IBM QRadar · QRadar

Detect Email Addresses in IBM QRadar

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may gather email addresses from publicly accessible sources such as social media, company websites, and leaked credential databases. Additionally, adversaries may actively enumerate valid email addresses by probing authentication services — for example, querying the Microsoft GetCredentialType API endpoint or Exchange Autodiscover to determine whether a given address is a valid account in Office 365 or on-premises Exchange environments. Gathered email addresses enable spearphishing campaigns, credential brute force attacks, business email compromise, and social engineering operations.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Sub-technique
T1589.002 Email Addresses
Canonical reference
https://attack.mitre.org/techniques/T1589/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip AS ClientIP,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00') AS hour_bin,
  COUNT(DISTINCT username) AS UniqueUsernames,
  COUNT(*) AS AttemptCount,
  MIN(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS FirstSeen,
  MAX(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS LastSeen,
  CASE
    WHEN COUNT(DISTINCT username) >= 50 THEN 'High Confidence Enumeration'
    WHEN COUNT(DISTINCT username) >= 20 THEN 'Moderate Enumeration'
    ELSE 'Low-Level Enumeration'
  END AS Verdict
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Office 365')
  AND CATEGORYNAME(category) LIKE '%Authentication%'
  AND (
    eventpayload ILIKE '%"errorCode":50034%'
    OR eventpayload ILIKE '%"errorCode":50053%'
    OR eventpayload ILIKE '%"errorCode":50055%'
    OR eventpayload ILIKE '%"errorCode":50056%'
    OR eventpayload ILIKE '%"resultType":"50034"%'
    OR eventpayload ILIKE '%"resultType":"50053"%'
    OR eventpayload ILIKE '%"resultType":"50055"%'
    OR eventpayload ILIKE '%"resultType":"50056"%'
  )
  AND LAST 24 HOURS
GROUP BY sourceip, hour_bin
HAVING COUNT(DISTINCT username) >= 10
ORDER BY UniqueUsernames DESC
high severity medium confidence

Detects email address enumeration against Azure Active Directory in IBM QRadar by querying the events table for Azure AD and Office 365 log sources containing authentication failure error codes 50034, 50053, 50055, and 50056 in the event payload. Groups results by source IP and hourly bucket using AQL aggregation with HAVING to surface IPs that probed 10 or more unique usernames within an hour. Searches both nested errorCode and top-level resultType JSON fields to handle format variations across ingestion paths. Applies a three-tier confidence verdict via CASE expression.

Data Sources

Azure Active DirectoryMicrosoft Office 365

Required Tables

events

False Positives & Tuning

  • Enterprise ADFS or Entra ID proxy services routing authentication on behalf of many users through a single shared egress IP, making one source appear to generate high unique-username volumes
  • IT identity lifecycle management or ITSM platforms that programmatically verify account existence across large user populations from a dedicated service IP as part of provisioning workflows
  • Shared corporate VPN or NAT egress points where many users simultaneously authenticate to cloud services, causing a single external IP to accumulate high distinct-username counts organically
Download portable Sigma rule (.yml)

Other platforms for T1589.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure AD Email Enumeration via GetCredentialType API (PowerShell)

    Expected signal: Sysmon Event ID 1: PowerShell.exe process with CommandLine containing 'GetCredentialType' and 'login.microsoftonline.com'. Sysmon Event ID 3: Outbound network connections from powershell.exe to login.microsoftonline.com (TCP 443). Proxy/web filter logs: HTTP POST to login.microsoftonline.com/common/GetCredentialType with PowerShell User-Agent. DeviceNetworkEvents in MDE: InitiatingProcessFileName=powershell.exe, RemoteUrl containing GetCredentialType.

  2. Test 2Azure AD Email Enumeration via AADInternals Module

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'AADInternals' and 'UserEnumerationAsOutsider'. Sysmon Event ID 3: Network connections to login.microsoftonline.com and related Microsoft AAD endpoints. PowerShell ScriptBlock Log Event ID 4104 capturing the full module invocation. Windows Security Event ID 4688: Process creation for powershell.exe with command line auditing enabled. Proxy logs: HTTP requests with AADInternals User-Agent string to Microsoft authentication endpoints.

  3. Test 3Email Enumeration via Sign-in Attempt with Non-Existent Accounts (Generates SigninLogs 50034)

    Expected signal: Azure AD SigninLogs: 10 entries with ResultType=50034 (UserAccountNotFound) for each probed address, all from the same source IP. These entries are visible in the Azure Portal under Azure AD > Sign-in logs and in Microsoft Sentinel's SigninLogs table within 5-15 minutes. Field ClientAppUsed will show 'Other clients'.

  4. Test 4OSINT Email Harvesting Simulation via Python Requests (LinkedIn/Web Scraping Pattern)

    Expected signal: Sysmon Event ID 1: python3.exe process creation with CommandLine containing 'theHarvester' User-Agent string. Sysmon Event ID 3: Network connections from python3.exe to target hosts over TCP 443/80. DeviceNetworkEvents in MDE: InitiatingProcessFileName=python3.exe, RemoteUrl matching target sites. Proxy logs: HTTP GET requests with theHarvester User-Agent string — this User-Agent string is well-known and often blocked/alerted by web proxies.

  5. Test 5Exchange Autodiscover Email Validation Probe (curl)

    Expected signal: Sysmon Event ID 1: curl.exe process creation with CommandLine containing 'autodiscover' and target email addresses. Sysmon Event ID 3: Outbound network connections from curl.exe to autodiscover.targetdomain.com over TCP 443. Exchange IIS Access Logs (W3SVC): POST requests to /autodiscover/autodiscover.xml with 401 response codes, source IP, and User-Agent 'curl/*'. Windows Security Event ID 4625 (Logon Failure): if Basic Authentication is attempted against Exchange.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1589.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1589Gather Victim Identity Information

Related Sub-techniques

T1589.001CredentialsT1589.003Employee Names

Related Techniques

T1589Gather Victim Identity InformationT1589.001CredentialsT1593.001Social MediaT1594Search Victim-Owned WebsitesT1595.002Vulnerability ScanningT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1110.003Password SprayingT1110.004Credential StuffingT1586.002Email Accounts

Same Tactic: Reconnaissance

Popular Detections