Establish Accounts: Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.[1] Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).[1]

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.[2]

ID: T1585.002
Sub-technique of:  T1585
Platforms: PRE
Version: 1.0
Created: 01 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
G0006 APT1

APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.[1]

G1011 EXOTIC LILY

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.[3]

C0007 FunnyDream

For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[4]

G1001 HEXANE

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.[5]

G0119 Indrik Spider

Indrik Spider has created email accounts to communicate with their ransomware victims, to include providing payment and decryption details.[6]

G0094 Kimsuky

Kimsuky has created email accounts for phishing operations.[7]

G0032 Lazarus Group

Lazarus Group has created new email accounts for spearphishing operations.[8]

G0065 Leviathan

Leviathan has created new email accounts for targeting efforts.[9]

G0059 Magic Hound

Magic Hound has established email accounts using fake personas for spearphishing operations.[10][11]

G0129 Mustang Panda

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[12]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[13]

C0016 Operation Dust Storm

For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.[14]

C0006 Operation Honeybee

During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.[15]

C0014 Operation Wocao

For Operation Wocao, the threat actors registered email accounts to use during the campaign.[16]

G0034 Sandworm Team

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[17]

G0122 Silent Librarian

Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.[18]

G0102 Wizard Spider

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.[19]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

References