Email Accounts

Information

• Name: Email Accounts

• ID: T1586.002

• Tactics: TA0042

• Technique: T1586

Introduction

Email Accounts (T1586.002) is a sub-technique within the MITRE ATT&CK framework categorized under the broader technique "Compromise Accounts" (T1586). This sub-technique specifically involves adversaries obtaining unauthorized access to legitimate email accounts. Attackers leverage these compromised email accounts to perform malicious activities such as spearphishing, internal reconnaissance, lateral movement, and exfiltration of sensitive information. Email accounts are highly valuable targets due to their widespread use, inherent trustworthiness, and the sensitive nature of the information typically stored or communicated through them.

Deep Dive Into Technique

Adversaries employ various methods to compromise email accounts, including:

• Credential Harvesting and Phishing:

  • Attackers frequently use phishing emails designed to trick users into providing their email credentials on fake login pages.

  • Techniques such as credential dumping, keylogging, or social engineering may also be utilized.

• Password Spraying and Brute Force Attacks:

  • Attackers attempt to gain access by systematically guessing passwords or by using automated tools to test common passwords across multiple email accounts.

  • Password spraying involves trying a few common passwords against many accounts to avoid account lockouts.

• Credential Stuffing:

  • Attackers leverage previously compromised credentials from data breaches and attempt to reuse them across multiple email services.

• Exploitation of Vulnerabilities:

  • Attackers may exploit vulnerabilities in email servers or webmail applications to gain unauthorized access to accounts.

Once an email account is compromised, attackers can:

• Conduct internal spearphishing campaigns to compromise additional accounts or escalate privileges.

• Perform internal reconnaissance to identify valuable targets, sensitive information, or organizational structure.

• Exfiltrate sensitive data or confidential communications.

• Initiate lateral movement through password resets or exploiting trust relationships.

• Establish persistent access using email forwarding rules, mailbox delegation, or OAuth application grants.

When this Technique is Usually Used

Attackers typically leverage compromised email accounts during various stages of cyber-attacks, including:

• Initial Access:

  • Using compromised email accounts to send spearphishing emails internally or externally, facilitating further compromises.

• Execution and Persistence:

  • Establishing persistent access through mailbox delegation, forwarding rules, or OAuth application grants to maintain long-term access to sensitive communications.

• Reconnaissance and Discovery:

  • Conducting internal reconnaissance to identify high-value targets, sensitive information, or organizational hierarchy.

• Lateral Movement:

  • Leveraging internal trust to escalate privileges, compromise other accounts, or gain access to additional resources within the network.

• Exfiltration:

  • Using legitimate email accounts to discreetly exfiltrate sensitive data, intellectual property, or confidential communications.

How this Technique is Usually Detected

Detection of compromised email accounts typically involves a combination of technical monitoring, security analytics, and user behavior analysis:

• Anomalous Login Patterns:

  • Monitoring for unusual login times, locations, IP addresses, or devices.

  • Alerting on logins from geographically distant or unusual locations within short timeframes.

• Email Forwarding Rules and Delegation Changes:

  • Monitoring email accounts for newly created forwarding rules or mailbox delegation changes.

  • Auditing OAuth application grants or unusual third-party application access to email accounts.

• Email Traffic and Behavior Analysis:

  • Detecting anomalous email sending patterns, such as mass emailing, unusual recipients, or unexpected attachments.

  • Monitoring for internal spearphishing attempts or suspicious communications.

• Credential Usage Monitoring:

  • Detecting password spraying or brute force attempts through monitoring failed login attempts and account lockouts.

  • Monitoring for credential stuffing attempts by correlating login attempts with known compromised credential databases.

• Indicators of Compromise (IoCs):

  • Unusual mailbox rules (forwarding, deletion, archiving).

  • Unexpected mailbox delegation or permissions changes.

  • Suspicious OAuth tokens and third-party app integrations.

  • Login attempts from unusual or suspicious IP addresses.

  • Presence of phishing emails or suspicious URLs within email communications.

Security tools and platforms commonly used include:

• Email security gateways (Proofpoint, Mimecast, Cisco Email Security).

• Security Information and Event Management (SIEM) solutions (Splunk, IBM QRadar, Elastic Security).

• Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA) solutions (CrowdStrike Falcon, Microsoft Defender for Identity, Exabeam).

• Cloud Access Security Brokers (CASB) (Microsoft Cloud App Security, Netskope, McAfee MVISION Cloud).

Why it is Important to Detect This Technique

Early detection of compromised email accounts is critical due to the significant impacts and risks associated with unauthorized email access:

• Sensitive Information Exposure:

  • Compromised email accounts often contain sensitive data, including intellectual property, financial information, personally identifiable information (PII), and confidential communications.

• Lateral Movement and Privilege Escalation:

  • Email account compromise can facilitate lateral movement, enabling attackers to escalate privileges, compromise additional accounts, and gain broader access to network resources.

• Reputational Damage:

  • Attackers may use compromised email accounts to launch spearphishing campaigns internally or externally, damaging organizational reputation and trust.

• Financial Losses:

  • Compromised email accounts can facilitate business email compromise (BEC) attacks, leading to significant financial losses through fraudulent wire transfers, invoice manipulation, or payment redirection.

• Compliance and Regulatory Risks:

  • Unauthorized access to email accounts containing regulated data (e.g., GDPR, HIPAA, PCI DSS) can result in compliance breaches, regulatory fines, and legal consequences.

• Operational Disruption:

  • Attackers may disrupt email communications or use compromised accounts to spread malware or ransomware, causing operational outages and productivity losses.

Examples

Real-world examples illustrating the use of compromised email accounts include:

• Business Email Compromise (BEC) Attacks:

  • Attackers compromise executive or financial department email accounts, sending fraudulent payment instructions or invoice modifications leading to significant financial losses.

  • Example: In 2019, Toyota Boshoku Corporation lost approximately $37 million due to a BEC scam initiated through compromised email accounts.

• APT29 (Cozy Bear) and SolarWinds Attack:

  • APT29 leveraged compromised email accounts as part of their extensive espionage campaign, performing internal reconnaissance and lateral movement through legitimate communications.

  • Attackers utilized compromised email accounts to distribute malicious payloads internally, gaining persistent access and exfiltrating sensitive information.

• Operation Cloud Hopper:

  • APT10 targeted managed service providers (MSPs) and cloud service providers, compromising email accounts to conduct spearphishing, lateral movement, and exfiltration of sensitive client data.

  • Attackers leveraged compromised email accounts to maintain persistent access and evade detection by blending malicious activities with legitimate email communications.

• Iranian Threat Actor Phosphorus (APT35):

  • Leveraged compromised email accounts to conduct spearphishing campaigns targeting government officials, journalists, and activists, facilitating further compromises and espionage activities.

  • Attackers established persistent access through mailbox rules, forwarding sensitive emails to external attacker-controlled accounts.

These examples highlight the critical importance of protecting email accounts and rapidly detecting unauthorized access to mitigate potential damage and risks.