title: Email Addresses (T1589.002)
id: df00tech-t1589-002
status: experimental
description: "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may gather email addresses from publicly accessible sources such as social media, company websites, and leaked credential databases. Additionally, adversaries may actively enumerate valid email addresses by probing authentication services — for example, querying the Microsoft GetCredentialType API endpoint or Exchange Autodiscover to determine whether a given address is a valid account in Office 365 or on-premises Exchange environments. Gathered email addresses enable spearphishing campaigns, credential brute force attacks, business email compromise, and social engineering operations."
references:
  - https://attack.mitre.org/techniques/T1589/002/
  - https://df00tech.com/detections/T1589.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1589.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
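  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches any EventID value,
  # so as written it does not express the email-address enumeration logic.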
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Misconfigured identity federation or SSO systems repeatedly probing with malformed UPN formats across many users during bulk authentication failures
  - "Penetration testing engagements against the tenant's Office 365 environment using legitimate enumeration tooling"
  - "Automated user provisioning or deprovisioning workflows that check account existence before creating or removing accounts, generating bursts of 50034 errors"
  - Password reset portal integrations or helpdesk tools that validate email addresses against Azure AD at scale during employee onboarding events
  - Load-testing or integration testing of authentication flows using test email addresses that do not exist in the tenant
level: medium
