1. Home
  2. Techniques
  3. Enterprise
  4. Compromise Accounts
  5. Email Accounts

Compromise Accounts: Email Accounts

ID Name
T1586.001 Social Media Accounts
T1586.002 Email Accounts
T1586.003 Cloud Accounts

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).

A variety of methods exist for compromising email accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.[1][2] Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or Phishing emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

ID: T1586.002
Sub-technique of:  T1586
Tactic: Resource Development
Platforms: PRE
Contributors: Bryan Onel; Tristan Bennett, Seamless Intelligence
Version: 1.1
Created: 01 October 2020
Last Modified: 11 April 2023
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used compromised email accounts to send credential phishing emails.[3]
G0016 APT29

APT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.[4][5]
G1001 HEXANE

HEXANE has used compromised accounts to send spearphishing emails.[6]
G0136 IndigoZebra

IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.[7]
G0094 Kimsuky

Kimsuky has compromised email accounts to send spearphishing e-mails.[8][9]
G1004 LAPSUS$

LAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.[10][11]
G0065 Leviathan

Leviathan has compromised email accounts to conduct social engineering attacks.[12]
G0059 Magic Hound

Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[13]
G1033 Star Blizzard

Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the original victim.[14]
G1037 TA577

TA577 has sent thread hijacked messages from compromised emails.[15]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

References

  1. Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.
  2. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
  3. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  4. ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.
  5. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  6. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  7. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  8. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  1. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  3. Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.
  4. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  5. Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
  6. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  7. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.