Description
Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).
A variety of methods exist for compromising email accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or Phishing emails may evade reputation-based email filtering rules.
Adversaries can use a compromised email account to hijack existing email threads with targets of interest.
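The thread-hijacking abuse described above is hard to catch with sender reputation or SPF/DKIM, because mail from a genuinely compromised account is authentic. The following is an added example, not MITRE's code or anything from this page: a small behavioural triage heuristic that scores an inbound reply by how far it deviates from the thread it claims to continue (dormant thread revived, link to a domain the thread never mentioned, first attachment, sender not a participant, or a quoted thread this mailbox never saw). The sample mailbox, the signal weights, `DORMANT_DAYS` and `ALERT_THRESHOLD` are all constructed or assumed for illustration.

```python
"""Heuristic triage of inbound replies for signs of email-thread hijacking.

Added example for this page (not MITRE's code). A message sent from a genuinely
compromised account passes SPF/DKIM and carries the real sender's reputation,
so this heuristic ignores authentication results and looks only at how the
reply deviates from the thread it claims to continue. All messages, weights and
thresholds below are constructed/assumed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DORMANT_DAYS = 30      # assumption: a thread silent this long is "dormant"
ALERT_THRESHOLD = 3    # assumption: tune against your own mail volume
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    msg_id: str
    sender: str
    date: datetime
    in_reply_to: Optional[str]
    body: str
    attachments: list = field(default_factory=list)


def link_domains(text: str) -> set:
    """Hostnames of every http(s) URL in the text, lower-cased."""
    return {h.lower() for h in URL_RE.findall(text)}


def thread_of(parent: Message, mailbox: dict) -> list:
    """Follow In-Reply-To pointers back through messages this mailbox has seen."""
    chain, cur = [], parent
    while cur is not None:
        chain.append(cur)
        cur = mailbox.get(cur.in_reply_to) if cur.in_reply_to else None
    return chain


def triage_reply(new: Message, mailbox: dict) -> dict:
    """Score a reply against the thread it references.

    mailbox maps Message-ID -> Message for everything this user already has.
    Returns {"score": int, "alert": bool, "reasons": [str, ...]}.
    """
    signals = []  # (weight, explanation)
    if new.in_reply_to is None:
        return {"score": 0, "alert": False, "reasons": []}  # not a reply

    parent = mailbox.get(new.in_reply_to)
    if parent is None:
        # A quoted thread this mailbox never took part in is itself suspicious.
        signals.append((2, "reply references a Message-ID this mailbox never saw"))
    else:
        thread = thread_of(parent, mailbox)
        gap = new.date - max(m.date for m in thread)
        if gap > timedelta(days=DORMANT_DAYS):
            signals.append((2, f"thread revived after {gap.days} days of silence"))
        known = set().union(*(link_domains(m.body) for m in thread))
        fresh = link_domains(new.body) - known
        if fresh:
            signals.append((2, "link to domain(s) never seen in this thread: "
                               + ", ".join(sorted(fresh))))
        if new.attachments and not any(m.attachments for m in thread):
            signals.append((1, "first attachment in a thread that had none"))
        if new.sender not in {m.sender for m in thread}:
            signals.append((2, "sender was not a participant in the thread"))

    score = sum(w for w, _ in signals)
    return {"score": score, "alert": score >= ALERT_THRESHOLD,
            "reasons": [why for _, why in signals]}


# --- constructed sample mailbox: a real two-message exchange in January ---
MAILBOX = {m.msg_id: m for m in [
    Message("<a1@partner.example>", "alice@partner.example",
            datetime(2024, 1, 10), None,
            "Hi Bob, the Q1 order is at https://portal.partner.example/orders/77"),
    Message("<b1@corp.example>", "bob@corp.example",
            datetime(2024, 1, 12), "<a1@partner.example>",
            "Thanks Alice, approved on our side."),
]}

# Weeks later a reply "from Alice" resurfaces with a new link and an archive.
HIJACK = Message("<z9@partner.example>", "alice@partner.example",
                 datetime(2024, 3, 5), "<b1@corp.example>",
                 "Bob, updated docs here: https://files.download-host.test/q1",
                 attachments=["Q1_docs.zip"])

# A benign prompt follow-up in the same thread, for contrast.
BENIGN = Message("<a2@partner.example>", "alice@partner.example",
                 datetime(2024, 1, 13), "<b1@corp.example>",
                 "Great, I will ship on Monday.")

# A reply quoting a thread this mailbox never took part in.
ORPHAN = Message("<o1@other.test>", "eve@other.test",
                 datetime(2024, 3, 6), "<never-seen@other.test>",
                 "Following up on the below.")

if __name__ == "__main__":
    for label, msg in (("hijack", HIJACK), ("benign", BENIGN), ("orphan", ORPHAN)):
        print(label, triage_reply(msg, MAILBOX))
```

The scoring is deliberately additive and explainable so that an analyst sees which signals fired; the weights are starting points, not tuned values, and the heuristic is meant to feed a review queue rather than block mail outright.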
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Th... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has compromised personal email accounts through the use of legitimate credentials and gathered ad... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has compromised legitimate email accounts to use in their spear-phishing operations.(Citation: ... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has compromised email accounts to send phishing emails.(Citation: ClearSky OilRig Jan 2017) |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used compromised emails, including one belonging to an Israel-based technology reseller, to deliver... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has regularly used compromised email accounts in spearphishing campaigns.(Citation: Recorded Future ... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has paid employees, suppliers, and business partners of target organizations for credentials.(Citati... |
| G0136 | IndigoZebra | [IndigoZebra](https://attack.mitre.org/groups/G0136) has compromised legitimate email accounts to use in their spearphishing operations.(Citation: Che... |
| G1037 | TA577 | [TA577](https://attack.mitre.org/groups/G1037) has sent thread hijacked messages from compromised emails.(Citation: Latrodectus APR 2024) |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has compromised email accounts to further enable phishing campaigns and taken control of dormant accoun... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has used compromised email accounts to conduct spearphishing against contacts of the original ... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has compromised email accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT4... |
References
- Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.
- Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
Frequently Asked Questions
What is T1586.002 (Email Accounts)?
T1586.002 is a MITRE ATT&CK technique named 'Email Accounts'. It belongs to the Resource Development tactic(s). Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing fo...
How can T1586.002 be detected?
Detection of T1586.002 (Email Accounts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1586.002?
There is 1 documented mitigation for T1586.002: Pre-compromise.
Which threat groups use T1586.002?
Known threat groups using T1586.002 include: APT28, Magic Hound, Mustang Panda, OilRig, HEXANE, Kimsuky, WIRTE, APT-C-36.