Discovery

T1087.003: Email Account

T1087.003 · Sub-technique · 2 platforms · 4 groups

Description

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)

In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)

In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
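The description above names Get-GlobalAddressList as the cmdlet used to pull the GAL from an authenticated session. One way a defender can surface that activity is to run PowerShell script block logging (Event ID 4104) through a small watchlist check. The example below is added here and is not code from the page or from MITRE ATT&CK: it parses a simplified JSON-lines export of 4104 records (the field names and all sample events are constructed for this example), matches the cmdlet case-insensitively because PowerShell is case-insensitive, and suppresses hits from an allow-list of accounts expected to run Exchange administration. Get-AddressList is included in the watchlist as an assumed sibling cmdlet; the page itself only names Get-GlobalAddressList.

```python
import json
import re

# Watchlist of Exchange cmdlets that return address lists. Get-GlobalAddressList is
# the cmdlet named in the technique description; Get-AddressList is added on the
# assumption that a defender would watch its sibling as well.
ADDRESS_LIST_CMDLETS = ("Get-GlobalAddressList", "Get-AddressList")

# PowerShell resolves cmdlet names case-insensitively, so match the same way.
_CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in ADDRESS_LIST_CMDLETS) + r")\b",
    re.IGNORECASE,
)
_CANONICAL = {c.lower(): c for c in ADDRESS_LIST_CMDLETS}

# Constructed sample export of script block logging events (Event ID 4104).
# Field names mirror the event's XML data but the records themselves are invented.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4104, "TimeCreated": "2024-05-02T09:14:03Z",
     "Computer": "EXCH01.corp.example", "UserId": "CORP\\exadmin",
     "ScriptBlockText": "Get-GlobalAddressList | Export-Csv C:\\temp\\gal.csv"},
    {"EventID": 4104, "TimeCreated": "2024-05-02T11:42:51Z",
     "Computer": "WS-1042.corp.example", "UserId": "CORP\\jdoe",
     "ScriptBlockText": "get-globaladdresslist | Get-Recipient -ResultSize Unlimited"},
    {"EventID": 4104, "TimeCreated": "2024-05-02T11:43:10Z",
     "Computer": "WS-1042.corp.example", "UserId": "CORP\\jdoe",
     "ScriptBlockText": "Get-Mailbox -Identity jdoe"},
    {"EventID": 4104, "TimeCreated": "2024-05-02T13:05:27Z",
     "Computer": "WS-0007.corp.example", "UserId": "CORP\\svc-backup",
     "ScriptBlockText": "Get-AddressList -Identity 'All Users' | Get-Recipient"},
]] + ["this line is not JSON and must be skipped rather than crash the parser"]


def find_address_list_enumeration(lines, allowed_users=frozenset()):
    """Return (findings, skipped): one finding per 4104 event whose script block
    invokes a watchlisted address-list cmdlet from a non-allow-listed account,
    plus the count of lines that could not be parsed."""
    allowed = {u.lower() for u in allowed_users}
    findings = []
    skipped = 0
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # malformed export line: record it, keep going
            continue
        if event.get("EventID") != 4104:
            continue
        match = _CMDLET_RE.search(event.get("ScriptBlockText", ""))
        if not match:
            continue
        user = event.get("UserId", "")
        if user.lower() in allowed:
            continue  # expected Exchange administration; tune this list carefully
        findings.append({
            "time": event.get("TimeCreated"),
            "host": event.get("Computer"),
            "user": user,
            "cmdlet": _CANONICAL[match.group(1).lower()],
            "script": event.get("ScriptBlockText"),
        })
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_address_list_enumeration(
        SAMPLE_EVENTS, allowed_users={"CORP\\exadmin"})
    for h in hits:
        print(f"{h['time']} {h['host']} {h['user']} ran {h['cmdlet']}: {h['script']}")
    print(f"{len(hits)} finding(s), {bad} unparseable line(s)")
```

With the sample data, the administrator's export from the Exchange server is suppressed while the two workstation-side invocations are reported. The allow-list is a triage aid, not a security boundary: an adversary holding an administrator's credentials would be suppressed too, so pair this check with a baseline of which hosts normally run Exchange cmdlets rather than relying on account names alone.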

Platforms

Windows, Office Suite

Threat Groups (4)

| ID | Group | Context |
|---|---|---|
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used PowerShell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has collected information about email accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcu... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc a... |

Associated Software (8)

| ID | Name | Type | Context |
|---|---|---|---|
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020... |
| S0093 | Backdoor.Oldrea | Malware | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects address book information from Outlook.(Citation: Symantec Dragonfly) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) collects email addresses from Outlook.(Citation: Trend Micro Trickbot Nov 2018) |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May... |
| S0358 | Ruler | Tool | [Ruler](https://attack.mitre.org/software/S0358) can be used to enumerate Exchange users and dump the GAL.(Citation: SensePost Ruler GitHub) |
| S0413 | MailSniper | Tool | [MailSniper](https://attack.mitre.org/software/S0413) can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddre... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Em... |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) can execute an LDAP query to discover e-mail accounts for domain users.(Citation: MSTIC Nobelium To... |

Frequently Asked Questions

What is T1087.003 (Email Account)?

T1087.003 is a MITRE ATT&CK technique named 'Email Account'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address L...

How can T1087.003 be detected?

Detection of T1087.003 (Email Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1087.003?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1087.003?

Known threat groups using T1087.003 include: TA505, Magic Hound, RedCurl, Sandworm Team.