Email Accounts (T1585.002)

Information

• Name: Email Accounts

• ID: T1585.002

• Tactics:

• Technique:

Introduction

Email Accounts () is a sub-technique within the MITRE ATT&CK framework under the broader category of "Establish Accounts" (T1585). This technique involves adversaries creating, compromising, or otherwise utilizing email accounts to facilitate malicious activities. Attackers commonly leverage email accounts to establish persistence, communicate covertly, distribute malware, conduct phishing campaigns, or exfiltrate sensitive information. The ability to control email accounts grants adversaries a versatile platform for command-and-control (C2) operations and lateral movement within compromised environments.

Deep Dive Into Technique

Adversaries utilize email accounts in various ways, including:

• Creating New Email Accounts: Attackers may register new email accounts through legitimate email providers (such as Gmail, Outlook, ProtonMail, Yahoo) using fake or stolen identities to avoid attribution and detection.

• Compromising Existing Email Accounts: Adversaries often gain unauthorized access to legitimate email accounts through credential theft, brute-force attacks, phishing, or leveraging credential dumps available from prior breaches.

• Email Forwarding and Rules Manipulation: Attackers may set up forwarding rules or mailbox rules in compromised email accounts to silently redirect emails to external attacker-controlled inboxes, enabling persistent access and data exfiltration.

• Email as Command-and-Control (C2): Email accounts may serve as covert communication channels for malware. Attackers embed commands or exfiltrate data through email messages, attachments, or drafts, making detection more difficult.

• Email-based Phishing and Social Engineering: Email accounts are frequently used to launch phishing campaigns targeting specific individuals or organizations, distributing malicious attachments or links to malware-infected websites.

Technical mechanisms and methods include:

• SMTP/IMAP/POP3 Protocol Abuse: Attackers exploit standard email protocols to send, receive, or manage malicious communications.

• OAuth Abuse: Attackers may abuse OAuth permissions granted to malicious third-party applications or services, gaining persistent access to email accounts without the need for ongoing credential reuse.

• Automation and Scripting: Automated scripts and bots are employed to manage multiple email accounts simultaneously, facilitating large-scale phishing campaigns or spam distribution.

When this Technique is Usually Used

Adversaries typically employ email accounts across numerous stages of the cyberattack lifecycle, including:

• Initial Access Stage:

  • Sending phishing emails containing malicious attachments or links.

  • Performing social engineering attacks targeting specific users or organizations.

• Persistence and Command-and-Control Stage:

  • Establishing persistent backdoor communication channels through email accounts.

  • Leveraging email inboxes or drafts as covert storage for C2 instructions or exfiltrated data.

• Exfiltration Stage:

  • Exfiltrating sensitive data covertly via email attachments or embedded content.

• Reconnaissance and Lateral Movement:

  • Using compromised email accounts to gather intelligence on internal organizational structures, communication patterns, and sensitive information.

  • Sending internal phishing emails from trusted accounts to escalate privileges or move laterally within the organization.

Attack scenarios include targeted attacks (APT campaigns), financially motivated cybercrime operations (e.g., Business Email Compromise—BEC), and espionage-related activities.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

• Monitoring Email Account Creation:

  • Detect anomalous patterns of new email account creation, particularly from suspicious IP addresses or using disposable email domains.

• Login and Authentication Anomalies:

  • Identify logins from unusual geographic locations, IP addresses, or devices not previously associated with the account.

  • Detect brute-force login attempts or credential stuffing attacks via SIEM logs.

• Email Forwarding and Rule Changes:

  • Monitor email account configuration changes, such as forwarding rules or mailbox rules, particularly those redirecting emails externally.

• Behavioral Analytics and Anomaly Detection:

  • Utilize machine learning-based behavioral analytics tools to detect unusual email sending patterns, spikes in outbound traffic, or abnormal attachment usage.

• Network Traffic Analysis:

  • Inspect SMTP, IMAP, POP3, and webmail traffic for anomalous communication patterns indicative of C2 or data exfiltration.

• Endpoint Detection and Response (EDR) Tools:

  • Detect suspicious processes or scripts interacting with email clients or performing automated email operations.

• IoCs and Threat Intelligence Feeds:

  • Correlate known malicious email addresses, domains, IP addresses, and email-related indicators from threat intelligence sources.

Why it is Important to Detect This Technique

Early detection of malicious email account usage is critical due to significant potential impacts:

• Data Breaches and Sensitive Data Exfiltration:

  • Undetected email account compromise can result in large-scale data breaches, intellectual property theft, or exposure of confidential information.

• Financial Losses:

  • Business Email Compromise (BEC) attacks leveraging compromised email accounts often result in direct financial losses, fraudulent transactions, or theft of funds.

• Reputation Damage:

  • Organizations experiencing email-related cyber incidents face severe reputational damage, loss of customer trust, and potential regulatory penalties.

• Operational Disruption:

  • Persistent attacker access via email accounts can disrupt internal communications, degrade productivity, and lead to prolonged operational downtime.

• Facilitation of Further Attacks:

  • Compromised email accounts may be leveraged as pivot points for lateral movement, privilege escalation, or launching additional cyberattacks against internal or external targets.

Prompt detection and remediation limit adversary dwell time, reduce the overall attack impact, and enhance organizational resilience.

Examples

Real-world examples illustrating the use of malicious email accounts include:

• APT29 (Cozy Bear) Campaigns:

  • Utilized spear-phishing emails with malicious links sent from compromised or attacker-created email accounts to gain initial access and establish persistence within targeted organizations.

  • Leveraged email inboxes to store C2 instructions and exfiltrate sensitive documents covertly.

• FIN7 Cybercrime Group:

  • Launched large-scale phishing campaigns through attacker-controlled email accounts, distributing malware-laden attachments designed to infiltrate financial institutions and retail organizations.

• Operation Cloud Hopper (APT10):

  • Compromised email accounts of Managed Service Providers (MSPs) to gain persistent access, perform lateral movement, and exfiltrate sensitive customer data.

• Iranian Threat Actor APT35 (Charming Kitten):

  • Conducted credential harvesting and phishing campaigns through attacker-created email accounts targeting journalists, activists, and government officials.

• Business Email Compromise (BEC) Attacks:

  • Cybercriminals frequently compromise legitimate executive email accounts to fraudulently request wire transfers, leading to significant financial losses for victim organizations.

These examples demonstrate how email accounts are central to various sophisticated cyberattack scenarios, highlighting the importance of proactive detection and mitigation strategies.