title: Email Accounts (T1585.002)
id: df00tech-t1585-002
status: experimental
description: "Adversaries may create email accounts that can be used during targeting. Accounts created with email providers — including free webmail services, privacy-focused providers, and disposable email services — are leveraged for phishing operations (T1566), phishing for information (T1598), infrastructure acquisition (T1583.001), and social engineering. Adversaries cultivate personas by pairing email accounts with social media presence to increase campaign credibility. Threat actors including Kimsuky, APT1, Magic Hound, Star Blizzard, APT42, EXOTIC LILY, CURIUM, Leviathan, and Wizard Spider have created dedicated email accounts for spearphishing, ransomware negotiations, domain registration, and target impersonation. Use of disposable services and privacy providers such as ProtonMail reduces physical attribution risk. Detection pivots on observable usage patterns when adversary-created accounts contact the organization — inbound authentication failures, role-based impersonation via free email providers, and targeting of high-value employees."
references:
  - https://attack.mitre.org/techniques/T1585/002/
  - https://df00tech.com/detections/T1585.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1585.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate vendors or contractors who communicate via ProtonMail or other privacy-focused email providers for confidentiality reasons
  - "Automated service notifications from platforms that use role-based sender names at free email providers (e.g., noreply@gmail.com for small SaaS services)"
  - Job applicants submitting resumes to HR addresses using disposable email services to protect their personal address
  - Security researchers or third-party pen testers using anonymous email providers during authorized assessments — verify against active engagement records
  - International partners or small businesses that rely on free email providers due to lack of corporate email infrastructure
level: medium

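The Sigma body above is a placeholder (its selection matches every event), so the following is an added worked example, not part of the df00tech rule or its KQL/SPL query. It implements the three usage patterns the description names (inbound authentication failures, role-based impersonation from free or privacy providers, and targeting of high-value mailboxes) as a scoring pass over constructed inbound-gateway log lines. The provider lists, role words, executive names, org domain, JSON log format and weights are all assumptions made for the example; a real deployment would take provider lists from a maintained feed and the people data from the directory.

```python
"""Added example: score inbound mail from adversary-style email accounts (T1585.002).
All provider lists, role words, org data and log lines are constructed for this demo."""
import json
import re

# Constructed provider lists (assumption: a real deployment uses a maintained feed).
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
PRIVACY_PROVIDERS = {"protonmail.com", "proton.me", "pm.me", "tutanota.com", "tuta.io"}
DISPOSABLE = {"mailinator.com", "guerrillamail.com", "10minutemail.com", "temp-mail.org"}
PROVIDER_WEIGHT = {"disposable": 2, "privacy": 1, "free_webmail": 0}

# Role words an impersonator puts in the local part or display name.
ROLE_WORDS = {"ceo", "cfo", "hr", "helpdesk", "itsupport", "payroll",
              "finance", "admin", "accounts", "invoice", "support"}

# Constructed org data: executives (lower-cased display name) and high-value mailboxes.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "ceo@example.org", "sam lee": "cfo@example.org"}
HIGH_VALUE = {"ceo@example.org", "cfo@example.org", "payroll@example.org", "hr@example.org"}
ALERT_THRESHOLD = 3  # assumption: matches the rule's "medium" level


def provider_class(domain):
    """Classify a sender domain; None means not a mass-market provider (rule does not apply)."""
    d = domain.lower()
    if d in DISPOSABLE:
        return "disposable"
    if d in PRIVACY_PROVIDERS:
        return "privacy"
    if d in FREE_WEBMAIL:
        return "free_webmail"
    return None


def parse_auth(results):
    """'spf=pass;dkim=fail;dmarc=fail' -> {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'fail'}"""
    out = {}
    for part in results.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key.lower()] = value.lower()
    return out


def _tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def score_message(msg):
    """Return (score, reasons) for one inbound message dict from the constructed log."""
    local, _, domain = msg["from"].lower().partition("@")
    cls = provider_class(domain)
    if cls is None:
        return 0, []  # only accounts at free/privacy/disposable providers are in scope
    reasons = []
    score = PROVIDER_WEIGHT[cls]
    if score:
        reasons.append(f"sender at {cls} provider")
    display = msg.get("display_name", "")
    # Role-based impersonation: role words in the local part or the display name.
    if (_tokens(local) | _tokens(display)) & ROLE_WORDS:
        score += 2
        reasons.append("role-based sender name at external provider")
    # Executive impersonation: display name matches a known executive but sender is external.
    if display.lower() in EXECUTIVES:
        score += 3
        reasons.append(f"display name impersonates {EXECUTIVES[display.lower()]}")
    # Authentication failure on the inbound message.
    auth = parse_auth(msg.get("auth_result", ""))
    if auth.get("dmarc") == "fail" or auth.get("spf") == "fail":
        score += 1
        reasons.append("sender authentication failed")
    # Targeting of high-value mailboxes.
    if set(r.lower() for r in msg.get("to", [])) & HIGH_VALUE:
        score += 1
        reasons.append("high-value recipient")
    return score, reasons


def run_detection(log_lines):
    """Parse JSON log lines and return findings at or above ALERT_THRESHOLD."""
    findings = []
    for line in log_lines:
        msg = json.loads(line)
        score, reasons = score_message(msg)
        if score >= ALERT_THRESHOLD:
            findings.append({"from": msg["from"], "to": msg["to"], "score": score, "reasons": reasons})
    return findings


# Constructed inbound-gateway log lines (not real traffic).
SAMPLE_LOG = [
    '{"from": "john.smith@gmail.com", "display_name": "John Smith", "to": ["info@example.org"], "auth_result": "spf=pass;dkim=pass;dmarc=pass"}',
    '{"from": "ceo.janedoe@gmail.com", "display_name": "Jane Doe", "to": ["cfo@example.org"], "auth_result": "spf=pass;dkim=none;dmarc=fail"}',
    '{"from": "hr-department@protonmail.com", "display_name": "HR Department", "to": ["jsmith@example.org"], "auth_result": "spf=pass;dkim=pass;dmarc=pass"}',
    '{"from": "vendor.contact@proton.me", "display_name": "Acme Vendor Ltd", "to": ["procurement@example.org"], "auth_result": "spf=pass;dkim=pass;dmarc=pass"}',
    '{"from": "applicant42@mailinator.com", "display_name": "Applicant", "to": ["hr@example.org"], "auth_result": "spf=pass;dkim=pass;dmarc=pass"}',
    '{"from": "payroll@example.org", "display_name": "Payroll", "to": ["cfo@example.org"], "auth_result": "spf=pass;dkim=pass;dmarc=pass"}',
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_LOG):
        print(finding["score"], finding["from"], "->", ", ".join(finding["reasons"]))
```

Running it flags the executive impersonation from Gmail with a DMARC failure (score 7), the role-named ProtonMail account (3) and the disposable-provider mail to the HR mailbox (3); the plain Gmail sender and the ProtonMail vendor stay below threshold, which is the behaviour the rule's falsepositives list asks for. The applicant case shows why the last entry is listed as a false positive: it reaches the threshold on provider class and recipient alone, so an analyst would check whether the HR mailbox is an advertised public intake address before escalating.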