Description
Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to Acquire Infrastructure for follow-on purposes.(Citation: Free Trial PurpleUrchin)
Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).(Citation: Mandiant APT1)
To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)
Platforms
Mitigations (1)
Pre-compromiseM1056
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)(Citation: Mandia... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) has created email accounts to interact with victims, including for phishing purposes.(Citatio... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has established email accounts using fake personas for spearphishing operations.(Citation: IBM IT... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: ... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has created new email accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has created email accounts used in ransomware negotiations.(Citation: CISA Medusa Group Medusa R... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has registered impersonation email accounts to spoof experts in a particular field or individua... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has created email accounts to use in spearphishing operations.(Citation: TAG APT42) |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) has created dedicated email accounts for use with tools such as [IMAPLoader](https://attack.mitre.org/... |
| G0122 | Silent Librarian | [Silent Librarian](https://attack.mitre.org/groups/G0122) has established e-mail accounts to receive e-mails forwarded from compromised accounts.(Cita... |
| G1011 | EXOTIC LILY | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has created email accounts for later use in social engineering, phishing, and when registering domains.(... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has leveraged ProtonMail email addresses in ransom notes when delivering [Ryuk](https://attack.... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has established email accounts for use in domain registration including for ProtonMail addresses.(Cita... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has created email accounts to communicate with their ransomware victims, to include providing p... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has created email accounts that mimic legitimate organizations for its spearphishing operations... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has created email accounts to send threatening messages to victims to include ‘Handala_Team[@]... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has created fake email accounts to correspond with social media accounts, fake LinkedIn ... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle F... |
References
- Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.
- Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
Frequently Asked Questions
What is T1585.002 (Email Accounts)?
T1585.002 is a MITRE ATT&CK technique named 'Email Accounts'. It belongs to the Resource Development tactic(s). Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phis...
How can T1585.002 be detected?
Detection of T1585.002 (Email Accounts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1585.002?
There are 1 documented mitigations for T1585.002. Key mitigations include: Pre-compromise.
Which threat groups use T1585.002?
Known threat groups using T1585.002 include: Kimsuky, Moonstone Sleet, Magic Hound, Mustang Panda, Leviathan, Medusa Group, Star Blizzard, APT42.