Reconnaissance

T1589.002: Email Addresses


T1589.002 · Sub-technique · 1 platform · 14 groups

Description

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. Active Scanning), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance)
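The paragraph above names two things a practitioner can work with: a public endpoint whose response differs for valid and invalid usernames, and the fact that this probing is active and therefore potentially observable. The following is an added example, not code from MITRE or from any cited tool. It classifies GetCredentialType-style JSON bodies and then runs a simple enumeration detector over constructed log lines. The `IfExistsResult` code mapping (0 exists, 1 does not exist, 5 and 6 exist under another identity provider) is an assumption taken from public write-ups of the `login.microsoftonline.com/common/GetCredentialType` endpoint; the log format, the verdict names and the sample data are all constructed for the example.

```python
"""Added example for T1589.002 (not MITRE's code): classify responses from a
GetCredentialType-style endpoint and flag enumeration-like probing in
constructed log lines. All data below is constructed."""
import json
from collections import defaultdict
from datetime import datetime

# Assumption from public write-ups of the GetCredentialType endpoint:
# 0 = account exists, 1 = does not exist, 5/6 = exists via another IdP.
IF_EXISTS_CODES = {0: "exists", 1: "unknown", 5: "exists", 6: "exists"}


def classify_response(body: str) -> str:
    """Map one GetCredentialType JSON body to exists/unknown/throttled/ambiguous."""
    data = json.loads(body)
    # A non-zero ThrottleStatus means the verdict cannot be trusted (assumption).
    if data.get("ThrottleStatus", 0):
        return "throttled"
    return IF_EXISTS_CODES.get(data.get("IfExistsResult"), "ambiguous")


# Constructed log lines: "<ISO timestamp> <source ip> <probed username> <verdict>".
# One source probes six distinct names in three seconds, mostly non-existent;
# the other two sources show ordinary, low-volume behaviour.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 alice@example.com unknown
2024-05-01T10:00:01Z 203.0.113.5 bob@example.com unknown
2024-05-01T10:00:01Z 203.0.113.5 carol@example.com exists
2024-05-01T10:00:02Z 203.0.113.5 dave@example.com unknown
2024-05-01T10:00:02Z 203.0.113.5 erin@example.com unknown
2024-05-01T10:00:03Z 203.0.113.5 frank@example.com unknown
2024-05-01T10:05:00Z 198.51.100.7 carol@example.com exists
2024-05-01T10:07:00Z 198.51.100.7 carol@example.com exists
2024-05-01T12:00:00Z 192.0.2.9 alice@example.com unknown
2024-05-01T13:00:00Z 192.0.2.9 bob@example.com unknown
"""


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, ip, user, verdict) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, verdict = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, verdict))
    return events


def find_enumerators(events, window_s=60, min_distinct=5, min_unknown_ratio=0.5):
    """Return {ip: (distinct_users, unknown_ratio)} for sources that look up many
    distinct usernames within one sliding window with mostly 'unknown' results.
    Thresholds are illustrative; tune them to the real service's baseline."""
    by_ip = defaultdict(list)
    for ts, ip, user, verdict in events:
        by_ip[ip].append((ts, user, verdict))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) < min_distinct:
                continue
            unknown = sum(1 for _, _, v in window if v == "unknown")
            ratio = unknown / len(window)
            if ratio >= min_unknown_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break
    return flagged


if __name__ == "__main__":
    print(classify_response('{"IfExistsResult": 1, "ThrottleStatus": 0}'))
    print(find_enumerators(parse_log(SAMPLE_LOG)))
```

The detector keys on the shape of enumeration rather than on any single request: a legitimate user mistyping an address produces a few lookups for one or two names, while an enumeration run produces a burst of distinct names, most of which do not exist. A throttled response is deliberately kept out of the exists/unknown buckets so that rate limiting cannot be misread as a verdict.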

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Email Accounts), and/or initial access (ex: Phishing or Brute Force via External Remote Services).

Platforms

PRE

Mitigations (1)

M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Threat Groups (14)

| ID | Group | Context |
|---|---|---|
| G1031 | [Saint Bear](https://attack.mitre.org/groups/G1031) | Saint Bear gathered victim email information in advance of phishing operations for targeted attacks.(Citation... |
| G1036 | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) | Moonstone Sleet gathered victim email address information for follow-on phishing activity.(Citation: Microsof... |
| G0127 | [TA551](https://attack.mitre.org/groups/G0127) | TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to t... |
| G1017 | [Volt Typhoon](https://attack.mitre.org/groups/G1017) | Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.(Citation: ... |
| G0032 | [Lazarus Group](https://attack.mitre.org/groups/G0032) | Lazarus Group collected email addresses belonging to various departments of a targeted organization which wer... |
| G0125 | [HAFNIUM](https://attack.mitre.org/groups/G0125) | HAFNIUM has collected e-mail addresses for users they intended to target.(Citation: Volexity Exchange Maraude... |
| G0059 | [Magic Hound](https://attack.mitre.org/groups/G0059) | Magic Hound has identified high-value email accounts in academia, journalism, NGO's, foreign policy, and nati... |
| G0122 | [Silent Librarian](https://attack.mitre.org/groups/G0122) | Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.(Cita... |
| G0094 | [Kimsuky](https://attack.mitre.org/groups/G0094) | Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spear... |
| G1001 | [HEXANE](https://attack.mitre.org/groups/G1001) | HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWo... |
| G1004 | [LAPSUS$](https://attack.mitre.org/groups/G1004) | LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initia... |
| G1011 | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) | EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website cont... |
| G0050 | [APT32](https://attack.mitre.org/groups/G0050) | APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.(Citatio... |
| G0034 | [Sandworm Team](https://attack.mitre.org/groups/G0034) | Sandworm Team has obtained valid email addresses while conducting research against target organizations that... |

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S0677 | [AADInternals](https://attack.mitre.org/software/S0677) | Tool | AADInternals can check for the existence of user email addresses using public Microsoft APIs.(Citation: AAD... |

Frequently Asked Questions

What is T1589.002 (Email Addresses)?

T1589.002 is a MITRE ATT&CK sub-technique named 'Email Addresses'. It belongs to the Reconnaissance tactic. Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

How can T1589.002 be detected?

T1589.002 is pre-compromise reconnaissance, and much of it (harvesting addresses from social media, search engines or leaked data sets) happens entirely outside the enterprise and leaves nothing to detect. The active variant described above is different: probing authentication services such as the autodiscover and GetCredentialType endpoints sends requests to infrastructure the target or its identity provider operates. Where those lookups are logged, a burst of requests from one source for many distinct usernames, most of which do not exist, is the pattern to alert on. Email addresses gathered this way are typically used in follow-on phishing or password-spraying, so detection effort is better spent on those later stages than on the reconnaissance itself.

What mitigations exist for T1589.002?

There is one documented mitigation for T1589.002: Pre-compromise (M1056). Because the behavior occurs outside the scope of enterprise controls, the practical guidance is to minimize the amount and sensitivity of employee email data exposed to external parties.

Which threat groups use T1589.002?

Fourteen groups are listed above as using T1589.002, including Saint Bear, Moonstone Sleet, TA551, Volt Typhoon, Lazarus Group, HAFNIUM, Magic Hound and Silent Librarian.