title: Gather Victim Identity Information (T1589)
id: df00tech-t1589
status: experimental
description: "This detection identifies adversary attempts to enumerate victim identity information (credentials, email addresses, and employee names) by probing authentication services, and watches for downstream indicators of OSINT-driven targeting. T1589 is a Reconnaissance-tactic technique executed largely outside victim infrastructure, so detection relies on second-order signals that do land in tenant telemetry: username enumeration via Azure AD (Microsoft Entra ID) sign-in failures whose error codes differ for nonexistent and existing accounts (AADSTS50034 UserAccountNotFound vs. AADSTS50126 InvalidUserNameOrPassword), abuse of the Self-Service Password Reset (SSPR) flow, high-volume authentication probing from a single source against many distinct accounts, and MFA method enumeration patterns. Probes that never complete a sign-in attempt may not appear in sign-in logs, so coverage is limited to enumeration that reaches the authentication flow. Groups such as LAPSUS$, Scattered Spider, and HEXANE have used identity enumeration to build target lists before launching phishing, credential stuffing, or social engineering campaigns."
references:
  - https://attack.mitre.org/techniques/T1589/
  - https://df00tech.com/detections/T1589
author: df00tech
date: 2026/04/13
tags:
  - attack.t1589
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
  service: signinlogs
detection:
  # Placeholder only: the selection below matches every event in the log source and must not be deployed as-is.
  # The detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Penetration testing engagements performing authorized username enumeration against Azure AD tenants
  - "Misconfigured applications cycling through user lists for automated login (e.g., legacy SSO, misconfigured service accounts)"
  - Employee self-service helpdesk tools that probe SSPR status for multiple users during bulk account operations
  - Password expiration notification systems contacting multiple accounts in rapid succession
  - IT onboarding scripts performing bulk account validation during directory synchronization
level: high
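The differential-error-code and single-source-against-many-accounts logic that the description relies on, as an added Python example; it is not part of the df00tech rule or its KQL/SPL query. It runs over constructed SigninLogs-style records. The column names TimeGenerated, IPAddress, UserPrincipalName and ResultType are those of the Microsoft Sentinel SigninLogs table and the two ResultType values are the real AADSTS codes; the sample records, the 10-minute window, the thresholds and the allowlist are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID (formerly Azure AD) sign-in ResultType codes. This pair is the differential
# an enumerator exploits: the code that comes back reveals whether the account exists.
USER_NOT_FOUND = "50034"   # AADSTS50034 UserAccountNotFound
BAD_PASSWORD = "50126"     # AADSTS50126 InvalidUserNameOrPassword (account exists)

# Tunables. These thresholds are assumptions for illustration, not values from the rule.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5     # distinct UPNs probed from one source inside the window
MIN_UNKNOWN_RATIO = 0.5    # share of probed UPNs that do not exist; a spray against
                           # known-good users stays below this and belongs to T1110


def detect_enumeration(records, allowlist=frozenset(), window=WINDOW,
                       min_users=MIN_DISTINCT_USERS, min_ratio=MIN_UNKNOWN_RATIO):
    """Return one alert per source IP whose failed sign-ins, inside some window,
    touch many distinct accounts and mostly hit accounts that do not exist.

    Each record is a dict with SigninLogs column names: TimeGenerated (ISO 8601),
    IPAddress, UserPrincipalName, ResultType.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["ResultType"] not in (USER_NOT_FOUND, BAD_PASSWORD):
            continue  # only the two outcomes that leak account existence matter
        if r["IPAddress"] in allowlist:
            continue  # known bulk tooling (see falsepositives): suppress the alert, keep the logs
        by_ip[r["IPAddress"]].append((datetime.fromisoformat(r["TimeGenerated"]),
                                      r["UserPrincipalName"].lower(), r["ResultType"]))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()          # time-ordered so a sliding window can be applied
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            probed = {upn for _, upn, _ in span}
            unknown = {upn for _, upn, code in span if code == USER_NOT_FOUND}
            if len(probed) >= min_users and len(unknown) / len(probed) >= min_ratio:
                candidate = {
                    "ip": ip,
                    "distinct_users": len(probed),
                    "nonexistent_users": len(unknown),
                    # Accounts the adversary has now confirmed: the follow-on target list.
                    "existing_users": sorted(probed - unknown),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


def _rec(ts, ip, upn, code):
    """Build one constructed SigninLogs-style record (sample data, not real telemetry)."""
    return {"TimeGenerated": f"2026-04-13T{ts}+00:00", "IPAddress": ip,
            "UserPrincipalName": upn, "ResultType": code}


# Constructed sample log: one enumerator, one clumsy employee, one allowlisted
# helpdesk tool and one password spray against accounts already known to exist.
SAMPLE_LOGS = [
    _rec("09:00:01", "203.0.113.10", "a.smith@example.com", USER_NOT_FOUND),
    _rec("09:00:02", "203.0.113.10", "b.jones@example.com", USER_NOT_FOUND),
    _rec("09:00:03", "203.0.113.10", "c.lee@example.com", BAD_PASSWORD),   # exists
    _rec("09:00:04", "203.0.113.10", "d.kim@example.com", USER_NOT_FOUND),
    _rec("09:00:05", "203.0.113.10", "e.diaz@example.com", USER_NOT_FOUND),
    _rec("09:00:06", "203.0.113.10", "f.chen@example.com", BAD_PASSWORD),  # exists
    _rec("09:00:07", "203.0.113.10", "g.patel@example.com", USER_NOT_FOUND),
    _rec("09:05:00", "198.51.100.7", "c.lee@example.com", BAD_PASSWORD),   # own typo x3
    _rec("09:05:20", "198.51.100.7", "c.lee@example.com", BAD_PASSWORD),
    _rec("09:05:40", "198.51.100.7", "c.lee@example.com", BAD_PASSWORD),
    *[_rec(f"09:10:{i:02d}", "10.0.0.5", f"user{i}@example.com", USER_NOT_FOUND)
      for i in range(8)],                                                   # helpdesk bulk check
    *[_rec(f"09:20:{i:02d}", "192.0.2.33", f"staff{i}@example.com", BAD_PASSWORD)
      for i in range(6)],                                                   # spray, all exist
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOGS, allowlist=frozenset({"10.0.0.5"})):
        print(alert)
```

Run without an allowlist and the helpdesk source is flagged too, which is the false positive the rule's falsepositives list warns about; the spray source is never flagged because every account it hits exists, and that behaviour belongs to a brute-force rule rather than this one.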
