title: Email Account (T1087.003)
id: df00tech-t1087-003
status: experimental
description: "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement."
references:
  - https://attack.mitre.org/techniques/T1087/003/
  - https://df00tech.com/detections/T1087.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1087.003
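# NOTE: logsource is auto-derived and may need adjustment for your environment.
# process_creation only sees cmdlets passed on a command line; Get-GlobalAddressList run inside an
# existing PowerShell session is recorded by script block logging (Sigma category ps_script) instead.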
logsource:
  category: process_creation
  product: windows
detection:
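  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the wildcard matches every event that carries an EventID,
  # so replace it with the translated logic before deploying this rule.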
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Exchange administrators legitimately running Get-GlobalAddressList or Get-Recipient cmdlets for address book management or auditing
  - "Email migration tools (MigrationWiz, BitTitan, IMAPMIG) accessing PST/OST files or querying address lists during migration projects"
  - "Backup software (Veeam Backup for Microsoft 365, Barracuda) accessing Outlook data files as part of scheduled backup jobs"
  - IT helpdesk automation scripts using Exchange PowerShell to look up user mailbox information for troubleshooting
  - Third-party GAL synchronization tools used in hybrid Exchange environments accessing address list data
level: medium
