title: Establish Accounts (T1585)
id: df00tech-t1585
status: experimental
description: |
  Identifies the observable downstream indicators of adversary account establishment (T1585) as they reach the target environment:
  inbound mail from newly created or privacy-focused accounts that contacts multiple employees, suspicious authentication attempts by externally established personas,
  and corporate endpoints connecting to account-creation or persona-hosting platforms.
  T1585 is a Resource Development technique (formerly PRE-ATT&CK) carried out outside the victim network, so the account creation itself is never visible to the defender;
  detection rests on its effects: spearphishing precursors from zero-history mail accounts, bulk contact campaigns from free or disposable mail providers,
  and network telemetry showing corporate endpoints visiting persona-associated platforms. The last signal is weak on its own, since employees legitimately
  visit social media and webmail, and should be correlated with the mail or sign-in indicators rather than alerted on alone.
  Coverage is intended to span all three sub-techniques: social media (T1585.001), email (T1585.002) and cloud account (T1585.003) establishment.
references:
  - https://attack.mitre.org/techniques/T1585/
  - https://df00tech.com/detections/T1585
author: df00tech
date: 2026/04/13
tags:
  - attack.resource_development
  - attack.t1585
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # Placeholder only. The wildcard selection below matches every event in the
  # log source and will alert on all activity if deployed as-is; it stands in
  # for the KQL/SPL query on df00tech, which could not be auto-translated into
  # Sigma. The indicators in the description need mail-gateway/message-trace
  # and sign-in telemetry rather than a single EventID field.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate newsletters or marketing mail sent from Gmail/Yahoo accounts. Allowlist the specific sender addresses, not the provider domain; allowlisting gmail.com would exempt every Gmail sender and defeat the detection.
  - Recruitment contacts from candidates writing to HR or hiring managers from personal email accounts.
  - External security researchers or vendors who use ProtonMail for legitimate privacy reasons when contacting the security team.
  - Conference or event organizers using free email providers to send bulk invitations to multiple employees.
level: medium
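
Added example, not df00tech's rule or query: the bulk-contact indicator from the description (a zero-history sender at a free or disposable mail provider reaching several distinct employees inside a short window) implemented over constructed mail-gateway records. The provider list, the internal domain example.com, the JSON field names, the 24-hour window and the recipient threshold are assumptions to be tuned per environment; the allowlist deliberately holds exact addresses rather than provider domains, for the reason given under falsepositives.

```python
"""Added example: bulk-contact logic for the T1585.002 precursor described
above. Scans constructed mail-gateway records for senders at free or
disposable providers that have no history with the organisation and that
contact several distinct employees inside a short window. Provider list,
field names and thresholds are assumptions, not df00tech's query."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Assumption: SOC-maintained list of free/disposable mail providers.
FREE_OR_DISPOSABLE_DOMAINS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "protonmail.com", "proton.me", "mailinator.com", "guerrillamail.com",
}
INTERNAL_DOMAINS = {"example.com"}           # assumption: monitored org
# Allowlist exact addresses, never a provider domain: allowlisting gmail.com
# would silence the detection for every Gmail sender.
ALLOWLISTED_SENDERS = {"newsletter.team@gmail.com"}
WINDOW = timedelta(hours=24)
MIN_DISTINCT_RECIPIENTS = 3                  # tune per environment


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def parse_records(lines):
    """Yield dicts from JSON-lines gateway records (constructed format)."""
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["sender"] = rec["sender"].lower()
            rec["recipient"] = rec["recipient"].lower()
            yield rec


def detect_bulk_contact(lines, known_senders, window=WINDOW,
                        min_recipients=MIN_DISTINCT_RECIPIENTS):
    """Alert on zero-history free-provider senders that reach at least
    min_recipients distinct internal recipients within `window`.
    known_senders: addresses seen in the baseline period (e.g. prior 90 days)."""
    by_sender = defaultdict(list)
    for rec in parse_records(lines):
        s = rec["sender"]
        if (domain_of(s) in FREE_OR_DISPOSABLE_DOMAINS
                and s not in known_senders and s not in ALLOWLISTED_SENDERS
                and domain_of(rec["recipient"]) in INTERNAL_DOMAINS):
            by_sender[s].append(rec)
    alerts = []
    for sender, recs in by_sender.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding time window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            seen = {r["recipient"] for r in recs[start:end + 1]}
            if len(seen) >= min_recipients:
                alerts.append({"sender": sender, "distinct_recipients": len(seen),
                               "recipients": sorted(seen),
                               "window_start": recs[start]["ts"].isoformat(),
                               "window_end": recs[end]["ts"].isoformat()})
                break                          # one alert per sender
    return alerts


# Constructed sample: a zero-history ProtonMail persona hitting four staff in
# two hours, an allowlisted newsletter, a baselined partner on Yahoo, a
# candidate writing to HR once, and a slow persona spread over days.
SAMPLE_LOG = """\
{"ts": "2026-04-13T09:00:00", "sender": "hr.careers.2026@protonmail.com", "recipient": "alice@example.com"}
{"ts": "2026-04-13T09:05:00", "sender": "hr.careers.2026@protonmail.com", "recipient": "bob@example.com"}
{"ts": "2026-04-13T10:10:00", "sender": "hr.careers.2026@protonmail.com", "recipient": "carol@example.com"}
{"ts": "2026-04-13T11:00:00", "sender": "hr.careers.2026@protonmail.com", "recipient": "dave@example.com"}
{"ts": "2026-04-13T08:00:00", "sender": "newsletter.team@gmail.com", "recipient": "alice@example.com"}
{"ts": "2026-04-13T08:00:01", "sender": "newsletter.team@gmail.com", "recipient": "bob@example.com"}
{"ts": "2026-04-13T08:00:02", "sender": "newsletter.team@gmail.com", "recipient": "carol@example.com"}
{"ts": "2026-04-13T12:00:00", "sender": "partner.ops@yahoo.com", "recipient": "alice@example.com"}
{"ts": "2026-04-13T12:01:00", "sender": "partner.ops@yahoo.com", "recipient": "bob@example.com"}
{"ts": "2026-04-13T12:02:00", "sender": "partner.ops@yahoo.com", "recipient": "erin@example.com"}
{"ts": "2026-04-13T13:00:00", "sender": "jane.doe@gmail.com", "recipient": "hr@example.com"}
{"ts": "2026-04-11T09:00:00", "sender": "slow.persona@gmail.com", "recipient": "alice@example.com"}
{"ts": "2026-04-13T09:00:00", "sender": "slow.persona@gmail.com", "recipient": "bob@example.com"}
{"ts": "2026-04-15T09:00:00", "sender": "slow.persona@gmail.com", "recipient": "carol@example.com"}
"""
KNOWN_SENDERS = {"partner.ops@yahoo.com"}    # constructed 90-day baseline


def run_demo():
    return detect_bulk_contact(SAMPLE_LOG.splitlines(), KNOWN_SENDERS)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Only the ProtonMail persona fires: the newsletter is allowlisted by exact address, the Yahoo partner is in the baseline, the candidate reaches one mailbox, and the slow persona never places three distinct recipients inside one 24-hour window. The baseline set is the part that needs real data; without a sender-history lookup (message-trace or gateway logs for the prior weeks), "zero-history" degrades to "any free-provider sender" and the false-positive list above grows accordingly.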
