Email Addresses
Email Addresses [T1589.002]
Information
Introduction
Email Addresses [T1589.002] is a sub-technique of the MITRE ATT&CK framework under the broader technique "Gather Victim Identity Information" (T1589). It describes the adversary's actions to collect email addresses associated with target organizations or individuals. Attackers commonly use harvested email addresses for various malicious purposes, including phishing attacks, spear-phishing campaigns, credential harvesting, social engineering, and targeted malware delivery. Collecting email addresses is typically an early reconnaissance step, enabling attackers to identify potential entry points and facilitate further compromise.
Deep Dive Into Technique
Attackers employ various methods and tools to obtain email addresses associated with their targets. These methods include automated and manual processes:
Web Scraping:
Attackers use automated web-crawling tools and scripts to scrape websites, forums, social media platforms, and public directories for email addresses.
Tools such as Scrapy, Beautiful Soup, and custom Python scripts are frequently utilized.
Open Source Intelligence (OSINT):
Attackers leverage OSINT tools and platforms to identify email addresses available in public data breaches, leaks, or dumps.
Common OSINT tools include Maltego, SpiderFoot, theHarvester, Hunter.io, and Shodan.
Social Media Enumeration:
Attackers gather email addresses from user profiles, posts, comments, and professional networking sites like LinkedIn.
Automated enumeration tools and manual searches are often combined for better accuracy.
WHOIS and DNS Records:
Attackers query WHOIS databases and DNS records to locate administrative or technical contact email addresses related to domain registrations.
Tools such as Dig, Nslookup, Whois command-line utilities, and online WHOIS lookup services are commonly used.
Email Harvesting from Documents and Files:
Attackers analyze publicly accessible documents (PDFs, DOCX files, presentations) available through search engines or organization websites to extract embedded email addresses.
Tools such as FOCA and Metagoofil are frequently employed for metadata extraction from documents.
Dark Web and Underground Forums:
Attackers may purchase or trade email address collections from underground marketplaces or forums, especially when targeting specific industries or organizations.
When this Technique is Usually Used
Attackers typically employ this sub-technique during the initial reconnaissance phase of their cyber operations. Common scenarios and stages include:
Initial Reconnaissance:
Adversaries gather email addresses to build a target list for phishing or spear-phishing campaigns.
Useful in identifying key personnel, executives, IT administrators, and other high-value targets.
Targeting and Delivery Stages:
Email addresses enable attackers to deliver malware payloads, malicious links, or credential harvesting pages directly to specific individuals, increasing the chance of successful exploitation.
Social Engineering Campaigns:
Collected email addresses are essential for crafting personalized social engineering attacks, increasing their credibility and effectiveness.
Credential Harvesting Attacks:
Attackers use email addresses as usernames or identifiers in credential-stuffing attacks, brute-force attempts, or password spraying campaigns.
Business Email Compromise (BEC):
Attackers use harvested email addresses to impersonate executives, suppliers, or trusted entities to conduct financial fraud or information theft.
How this Technique is Usually Detected
Organizations can detect and mitigate this sub-technique using various detection methods, tools, and indicators of compromise (IoCs):
Monitoring Web and Network Traffic:
Detect automated web-crawling or scraping activities through anomaly detection and rate-limiting rules.
Implement Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) to identify suspicious scraping patterns.
Honeypot Email Addresses:
Deploy unique, non-public "honeypot" email addresses to detect unauthorized scraping or leakage.
Monitor these email addresses for incoming phishing or spam emails as indicators of compromise.
Dark Web and Threat Intelligence Monitoring:
Use threat intelligence platforms and services to detect leaked or compromised email addresses associated with the organization.
Regularly monitor underground forums and marketplaces for email address dumps or sales listings.
Email Gateway Security Solutions:
Implement email security solutions (e.g., Proofpoint, Mimecast, Cisco Email Security) to identify and block phishing or malicious emails sent to harvested email addresses.
Configure alerts for unusual email patterns or targeted phishing attempts.
Behavioral Analytics and SIEM Solutions:
Use Security Information and Event Management (SIEM) solutions to detect anomalous email traffic, phishing attempts, or brute-force login attempts.
Identify patterns of failed authentication attempts using harvested email addresses.
Indicators of Compromise (IoCs):
Sudden increase in targeted phishing emails.
Identification of email addresses appearing in breach databases or dark web forums.
Unusual login attempts or password reset requests for known email addresses.
Why it is Important to Detect This Technique
Early detection of email address harvesting is critical for organizations due to multiple potential impacts:
Prevention of Phishing and Spear-phishing Attacks:
Early detection helps reduce the success rate of targeted phishing campaigns, protecting sensitive information and credentials.
Reduction of Credential Theft and Unauthorized Access:
Preventing attackers from successfully using harvested email addresses to compromise user accounts and gain unauthorized access to systems.
Mitigation of Business Email Compromise (BEC) Attacks:
Early detection reduces the risk of financial losses and reputation damage caused by sophisticated email-based fraud schemes.
Protection of Organizational Reputation:
Timely identification and response to email harvesting activities prevent attackers from using organizational identities in malicious campaigns, maintaining trust among customers and partners.
Compliance and Regulatory Requirements:
Detection and prevention of email address harvesting help organizations comply with data protection regulations (e.g., GDPR) and avoid fines or legal consequences.
Reduced Attack Surface:
By identifying harvested email addresses early, organizations can proactively strengthen security controls, provide targeted security training, and implement additional authentication measures.
Examples
Real-world examples of email address harvesting highlight attackers' methodologies, tools, and impacts:
Operation Aurora (2010):
Attackers used targeted spear-phishing emails sent to harvested email addresses to compromise Google employees and other high-profile organizations.
Resulted in theft of intellectual property and sensitive data.
LinkedIn Data Scraping Incident (2021):
Attackers scraped email addresses and personal information from approximately 500 million LinkedIn profiles.
The leaked email addresses were subsequently used in widespread phishing and credential-stuffing attacks.
Collection #1 Data Breach (2019):
Attackers compiled over 770 million email addresses from various data breaches and leaks.
The dataset was widely distributed on underground forums, significantly increasing phishing attacks globally.
FIN7 Cybercrime Group Operations:
FIN7 routinely harvested email addresses from corporate websites, social media, and publicly available resources to conduct targeted phishing campaigns against financial institutions, retail companies, and hospitality industries.
Resulted in significant financial losses and data breaches.
APT28 (Fancy Bear) Operations:
APT28 leveraged email addresses collected from social media, official websites, and leaked databases to send highly targeted spear-phishing emails to government officials, military personnel, and diplomatic entities.
Enabled espionage campaigns and theft of sensitive political and military information.
Last updated
Was this helpful?