Establish Accounts: Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.[1] Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to Acquire Infrastructure for follow-on purposes.[2]

Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).[1]

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.[3]

ID: T1585.002
Sub-technique of:  T1585
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0006 APT1

APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.[1]

G1044 APT42

APT42 has created email accounts to use in spearphishing operations.[4]

G1052 Contagious Interview

Contagious Interview has created fake email accounts to correspond with social media accounts, fake LinkedIn personas, code repository accounts, and job announcements on development job board services.[5][6][7][8][9][10] Contagious Interview has also used fake email accounts to register with threat intelligence vendor services.[5]

G1012 CURIUM

CURIUM has created dedicated email accounts for use with tools such as IMAPLoader.[11]

G1011 EXOTIC LILY

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.[12]

C0007 FunnyDream

For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[13]

G1001 HEXANE

HEXANE has established email accounts, including ProtonMail addresses, for use in domain registration.[14]

G0119 Indrik Spider

Indrik Spider has created email accounts to communicate with their ransomware victims, to include providing payment and decryption details.[15]

G0094 Kimsuky

Kimsuky has created email accounts for phishing operations.[16][17][18]

G0032 Lazarus Group

Lazarus Group has created new email accounts for spearphishing operations.[19]

G0065 Leviathan

Leviathan has created new email accounts for targeting efforts.[20]

G0059 Magic Hound

Magic Hound has established email accounts using fake personas for spearphishing operations.[21][22]

G1051 Medusa Group

Medusa Group has created email accounts used in ransomware negotiations.[23]

G1036 Moonstone Sleet

Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes.[24]

G0129 Mustang Panda

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[25] It has also created fake Google accounts to distribute malware via spearphishing emails,[26] and has created accounts with services such as Proton Mail for spearphishing operations.[27][28]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[29]

C0016 Operation Dust Storm

For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.[30]

C0006 Operation Honeybee

During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.[31]

C0014 Operation Wocao

For Operation Wocao, the threat actors registered email accounts to use during the campaign.[32]

C0059 Salesforce Data Exfiltration

During Salesforce Data Exfiltration, threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.[33]

G0034 Sandworm Team

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[34]

C0058 SharePoint ToolShell Exploitation

During SharePoint ToolShell Exploitation, threat actors created Proton mail accounts for communication with organizations infected with ransomware.[35]

G0122 Silent Librarian

Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.[36]

G1033 Star Blizzard

Star Blizzard has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target.[37][38][39]

G0102 Wizard Spider

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.[40]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0835 Detection of Email Accounts AN1967

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).
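Because the account creation itself is invisible to the target, the practical hook is the mail that those accounts eventually send. The Python below is an added example, not part of the ATT&CK page or any vendor's detection content: it triages constructed inbound-mail headers for the patterns the procedure examples above describe, namely a staff display name on free webmail (Magic Hound, Star Blizzard), a sender domain that resembles the organization's own (Sandworm Team, EXOTIC LILY), a disposable or free provider of the kind named in the examples (Proton Mail, Tuta), and a Reply-To that points somewhere other than the From domain. The organization domain `example.com`, the staff directory, the provider sets and the sample headers are all assumptions constructed for the example; a real deployment would feed these from the mail gateway and the identity directory.

```python
"""Triage inbound-mail headers for senders that look like adversary-created accounts.

Added example for ATT&CK T1585.002; every domain, name and header below is constructed.
"""
from difflib import SequenceMatcher
from email.parser import HeaderParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: the defending organization
ORG_DIRECTORY = {"dana reyes", "lee chen"}  # constructed: display names staff actually use

# Free webmail providers seen in the procedure examples (Proton Mail, Tuta, Google)
# plus common ones; maintain this set from your own intelligence.
FREE_WEBMAIL = {"protonmail.com", "proton.me", "tuta.com", "tutanota.com",
                "gmail.com", "outlook.com", "yahoo.com"}
# Constructed placeholders standing in for a disposable-address provider blocklist.
DISPOSABLE = {"tempmail.example", "10min.example"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, target: str = ORG_DOMAIN) -> bool:
    """True for near-miss spellings of the org domain such as examp1e.com.

    The org's own domain and its subdomains are never flagged.
    """
    if not domain or domain == target or domain.endswith("." + target):
        return False
    base, tbase = domain.split(".")[0], target.split(".")[0]
    return SequenceMatcher(None, base, tbase).ratio() >= 0.8


def triage(raw_headers: str) -> list[str]:
    """Return the list of reasons a message is suspicious (empty when none fire)."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    dom = _domain(addr)
    reasons: list[str] = []

    if dom in DISPOSABLE:
        reasons.append("disposable-provider sender")
    if dom in FREE_WEBMAIL:
        # Display-name impersonation: a real colleague's name on a webmail account.
        if name.strip().lower() in ORG_DIRECTORY:
            reasons.append("display name matches staff member but sender is free webmail")
        # Org name smuggled into the local part, e.g. example-hr@gmail.com.
        if ORG_DOMAIN.split(".")[0] in addr.split("@")[0].lower():
            reasons.append("organization name embedded in free-webmail local part")
    if is_lookalike(dom):
        reasons.append(f"sender domain {dom} resembles {ORG_DOMAIN}")

    # Replies steered to a different mailbox than the one the mail claims to be from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain {dom}")
    return reasons


# Constructed sample headers; none of these addresses are real observations.
SAMPLES = {
    "impersonation": "From: Dana Reyes <dana.reyes.exampleco@protonmail.com>\n"
                     "Subject: Urgent invoice\n",
    "lookalike": "From: Accounts Payable <ap@examp1e.com>\n"
                 "Reply-To: ap-team@tuta.com\n",
    "disposable": "From: HR <hr@tempmail.example>\n",
    "benign": "From: Vendor Support <support@vendor.example>\n",
}


def run_samples() -> dict[str, list[str]]:
    """Triage every constructed sample and return name -> reasons."""
    return {label: triage(headers) for label, headers in SAMPLES.items()}


if __name__ == "__main__":
    for label, reasons in run_samples().items():
        print(f"{label:14} {'ALERT' if reasons else 'ok   '} {'; '.join(reasons)}")
```

The lookalike check compares only the registrable label, so `mail.example.com` is treated as the organization's own infrastructure while `examp1e.com` is flagged; tune the 0.8 threshold against your own domain before relying on it, since short domain names produce more near misses.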

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Gamazo, William. Quist, Nathaniel. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
  3. Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.
  4. Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S. Retrieved October 9, 2024.
  5. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.
  6. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  7. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  8. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  9. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
  10. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.
  11. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  12. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  13. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  14. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  15. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  16. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  17. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  18. Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
  19. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  20. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  21. Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
  22. Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
  23. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  24. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  25. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  26. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
  27. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
  28. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  29. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  30. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  31. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  32. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  33. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  34. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  35. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.
  36. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
  37. Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM's ongoing phishing operations. Retrieved June 13, 2024.
  38. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  39. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  40. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.