title: Email Accounts (T1586.002)
id: df00tech-t1586-002
status: experimental
description: "Adversaries may compromise existing email accounts to support operations. Unlike creating new accounts, compromising legitimate accounts leverages established trust relationships, bypasses reputation-based email filters, and enables thread hijacking. Compromise methods include credential phishing, password reuse from breach dumps, brute force, and insider access (buying credentials from employees). Threat actors including APT28, APT29, Kimsuky, OilRig, Star Blizzard, and LAPSUS$ have all used compromised email accounts to conduct spearphishing, harvest additional credentials, and acquire infrastructure. Because the compromise itself occurs externally, detection must focus on observable post-compromise behaviors within the organization: risky sign-in patterns, impossible travel, inbox rule manipulation, bulk sending anomalies, and thread hijacking indicators."
references:
  - https://attack.mitre.org/techniques/T1586/002/
  - https://df00tech.com/detections/T1586.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1586.002
# NOTE: the logsource below was auto-derived and does not fit this technique. Compromised
# email accounts are observed in identity and mail telemetry (sign-in logs, mailbox audit
# records, message trace), not in Windows network_connection events; adjust it before use.
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder only: the df00tech detection logic could not be auto-translated to Sigma;
  # see the KQL/SPL query at the df00tech reference above. 'EventID: *' matches every
  # event, so this rule must not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate travel: employees signing in from several countries in quick succession (layovers, VPNs that auto-select exit nodes, roaming with split-tunnel VPN), which trips impossible-travel logic"
  - "IT administrators creating inbox rules or forwarding configurations on behalf of users during mailbox migrations, offboarding, or automated workflow setup"
  - "Authorized marketing or bulk-mail tools (Mailchimp, HubSpot) relaying through Exchange, whose sending-volume spikes look like a compromised account"
  - "Azure AD (Microsoft Entra ID) Identity Protection raising risk scores for sign-ins from corporate IP ranges that have not yet been registered as named locations"
  - "Service accounts or shared mailboxes that legitimately sign in from multiple locations or send high volumes of transactional email"
level: high
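Two of the post-compromise behaviors named in the description, impossible travel between sign-ins and inbox-rule manipulation (external forwarding, deletion, hiding sensitive mail in rarely read folders), are worked through below as an added example. It is not the df00tech KQL/SPL query and not part of the rule above; the sign-in and mailbox-audit records are constructed, and every field name is an assumption loosely modelled on Entra ID sign-in logs and Exchange mailbox-audit records. The `exclude_users` parameter exists to carve out the service accounts and shared mailboxes listed under falsepositives.

```python
"""Added example (not the df00tech query, not part of the rule): impossible-travel and
inbox-rule heuristics evaluated over constructed records. All field names are assumptions
loosely modelled on Entra ID sign-in logs and Exchange mailbox-audit records."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in records (not real data).
SIGNINS = [
    {"user": "alice@example.com", "ts": "2026-04-13T08:00:00+00:00", "lat": 51.50, "lon": -0.12},
    {"user": "alice@example.com", "ts": "2026-04-13T08:45:00+00:00", "lat": 40.71, "lon": -74.00},
    {"user": "bob@example.com", "ts": "2026-04-13T09:00:00+00:00", "lat": 48.85, "lon": 2.35},
    {"user": "bob@example.com", "ts": "2026-04-13T15:00:00+00:00", "lat": 52.52, "lon": 13.40},
]

# Constructed sample mailbox-audit records for inbox-rule operations (not real data).
INBOX_RULE_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"ForwardTo": "collector@example.net", "DeleteMessage": True}},
    {"user": "carol@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts", "SubjectContainsWords": ["invoice"]}},
    {"user": "dave@example.com", "op": "Set-InboxRule",
     "params": {"MoveToFolder": "RSS Subscriptions", "SubjectContainsWords": ["password", "invoice"]}},
]

# Folders users rarely open; rules that divert mail there are a common way to hide security
# notices and replies while a hijacked thread is being worked.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
SENSITIVE_WORDS = {"password", "invoice", "payment", "wire", "bank", "mfa", "security alert", "hacked"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_kmh=900.0, min_km=100.0, exclude_users=()):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh.

    min_km suppresses geolocation jitter between nearby IPs; exclude_users carves out
    service accounts and shared mailboxes that legitimately sign in from many places."""
    by_user = {}
    for rec in signins:
        if rec["user"] in exclude_users:
            continue
        by_user.setdefault(rec["user"], []).append(rec)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            if km < min_km or hours <= 0:
                continue
            speed = km / hours
            if speed > max_kmh:
                hits.append({"user": user, "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return hits


def suspicious_inbox_rules(events, internal_domains, exclude_users=()):
    """Flag inbox-rule operations that forward externally, delete, or hide sensitive mail.

    Returns one dict per flagged event listing every reason that fired."""
    hits = []
    for ev in events:
        if ev["user"] in exclude_users or ev["op"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = ev["params"]
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets = p.get(key) or []
            if isinstance(targets, str):
                targets = [targets]
            if any(t.rsplit("@", 1)[-1].lower() not in internal_domains for t in targets):
                reasons.append(f"{key} to external address")
        if p.get("DeleteMessage"):
            reasons.append("DeleteMessage")
        folder = (p.get("MoveToFolder") or "").lower()
        words = {w.lower() for w in p.get("SubjectContainsWords", [])}
        if folder in HIDE_FOLDERS and words & SENSITIVE_WORDS:
            reasons.append(f"hides mail matching {sorted(words & SENSITIVE_WORDS)} in {folder!r}")
        if reasons:
            hits.append({"user": ev["user"], "op": ev["op"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in impossible_travel(SIGNINS):
        print("impossible travel:", h)
    for h in suspicious_inbox_rules(INBOX_RULE_EVENTS, internal_domains={"example.com"}):
        print("suspicious inbox rule:", h)
```

With the constructed records, alice's London-to-New York pair 45 minutes apart is flagged at roughly 7400 km/h while bob's Paris-to-Berlin pair six hours apart is not; alice's external-forward-and-delete rule and dave's rule hiding password/invoice mail in RSS Subscriptions are flagged, while carol's rule filing invoices into a normal folder is not. The 900 km/h threshold is above commercial airspeed, so it tolerates the layover case from falsepositives; VPN exit-node switching still needs the named-location or exclusion handling described there.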
