
DET0229 Enumeration of Global Address Lists via Email Account Discovery

Item | Value
--- | ---
ID | DET0229
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1087.003 (Email Account)

Analytics

Windows

AN0641

Enumeration of global address lists or email account metadata via Exchange PowerShell cmdlets (e.g., Get-GlobalAddressList) or MAPI/RPC address book calls issued from systems that are neither mail servers nor known administrative consoles.

Log Sources

Data Component | Name | Channel
--- | --- | ---
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1

Mutable Elements

Field | Description
--- | ---
CommandLinePattern | Match Get-GlobalAddressList, Get-Recipient, and related Exchange cmdlets (e.g., Get-AddressList, Get-Mailbox). PowerShell cmdlet names are case-insensitive, so the pattern must be as well.
HostRole | Suppress expected usage on Exchange servers and known IT admin consoles.
TimeWindow | Flag bulk execution (several of these cmdlets from one host within a short interval), a pattern typical of reconnaissance.

Office Suite

AN0642

High-volume querying of organization-wide directory data via the Google Workspace Directory API or Outlook GAL/offline address book sync by abnormal users, service accounts, or unknown device contexts.

Log Sources

Data Component | Name | Channel
--- | --- | ---
User Account Metadata (DC0013) | gcp:audit | Directory API Access: users.list or groups.list
Application Log Content (DC0038) | m365:unified | GAL Lookup or Address Book download
User Account Authentication (DC0002) | azure:signinlogs | Unusual Token Usage or Application Consent

Mutable Elements

Field | Description
--- | ---
APIQueryVolume | Set per-actor thresholds for excessive users.list calls or recursive group enumeration within a time window.
UserContext | Flag non-admin accounts or previously unseen user agents requesting directory information.
AppSource | Distinguish sanctioned sync tools (allowlisted client IDs) from unauthorized scripts or OAuth tokens.
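The following is an added example, not code from the DET0229 page or from ATT&CK, showing how the mutable elements of both AN0641 and AN0642 combine into working detection logic. It runs over constructed sample events (a handful of PowerShell 4103/4104 and Sysmon EventCode 1 records for AN0641, and Directory API / unified audit records for AN0642). Host names such as EXCH01 and WS-0142, the user and actor names, the event field names, the user-agent baseline, the sanctioned-app list and the numeric thresholds are all assumptions chosen for illustration; tune them to your own environment.

```python
"""Added example, not part of DET0229: toy runs of analytics AN0641 and AN0642
over constructed sample events. Hosts, users, field names, user agents and
thresholds are assumptions for illustration only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def bulk_keys(times_by_key, threshold, window):
    """Shared TimeWindow / APIQueryVolume helper: return every key that reaches
    `threshold` events inside some sliding `window` (sort, then slide a deque)."""
    flagged = set()
    for key, times in times_by_key.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(key)
                break
    return flagged


# ---- AN0641: GAL / recipient cmdlets from non-Exchange, non-admin hosts -------
# CommandLinePattern: real Exchange cmdlets; (?i) because PowerShell is case-
# insensitive, \b so that e.g. Get-RecipientPermission is not a false hit.
GAL_CMDLETS = re.compile(r"(?i)\bGet-(GlobalAddressList|AddressList|Recipient|Mailbox)\b")
EXPECTED_HOSTS = {"EXCH01", "ITADMIN-JUMP"}              # HostRole suppression (assumed)
BULK_THRESHOLD, BULK_WINDOW = 3, timedelta(minutes=5)    # TimeWindow (assumed)


def command_text(ev):
    """4104 carries ScriptBlockText, 4103 carries Payload, Sysmon 1 carries CommandLine."""
    return ev.get("ScriptBlockText") or ev.get("Payload") or ev.get("CommandLine") or ""


def an0641(events):
    hits, times_by_host = [], defaultdict(list)
    for ev in events:
        if ev["Computer"].upper() in EXPECTED_HOSTS:      # HostRole: expected usage
            continue
        m = GAL_CMDLETS.search(command_text(ev))
        if m:
            hits.append((ev["Computer"], ev["User"], m.group(0)))
            times_by_host[ev["Computer"]].append(ev["Time"])
    return {"hits": hits,
            "bulk": sorted(bulk_keys(times_by_host, BULK_THRESHOLD, BULK_WINDOW))}


T0 = datetime(2025, 10, 21, 9, 0, 0)
WINDOWS_EVENTS = [  # constructed sample records
    {"EventCode": 4104, "Computer": "WS-0142", "User": "CORP\\alice", "Time": T0,
     "ScriptBlockText": "Get-GlobalAddressList | Get-AddressList | Export-Csv C:\\Users\\alice\\gal.csv"},
    {"EventCode": 4104, "Computer": "WS-0142", "User": "CORP\\alice", "Time": T0 + timedelta(seconds=40),
     "ScriptBlockText": "get-recipient -ResultSize Unlimited"},
    {"EventCode": 1, "Computer": "WS-0142", "User": "CORP\\alice", "Time": T0 + timedelta(seconds=70),
     "CommandLine": 'powershell.exe -nop -c "Get-Mailbox -ResultSize Unlimited"'},
    {"EventCode": 4104, "Computer": "EXCH01", "User": "CORP\\svc_exchange", "Time": T0 + timedelta(minutes=2),
     "ScriptBlockText": "Get-GlobalAddressList"},                       # Exchange server: suppressed
    {"EventCode": 4103, "Computer": "WS-0077", "User": "CORP\\bob", "Time": T0 + timedelta(minutes=3),
     "Payload": 'CommandInvocation(Get-Process): "Get-Process"'},       # benign cmdlet
]


# ---- AN0642: high-volume directory enumeration in Google Workspace / M365 ------
DIRECTORY_METHODS = {"directory.users.list", "directory.groups.list", "GalLookup", "AddressBookDownload"}
SANCTIONED_APPS = {"hr-sync-connector"}                          # AppSource allowlist (assumed)
KNOWN_AGENTS = {"Microsoft Office/16.0", "Google-apps-sync"}    # UserContext baseline (assumed)
API_THRESHOLD, API_WINDOW = 20, timedelta(minutes=10)           # APIQueryVolume (assumed)


def an0642(events):
    alerts, times_by_actor = [], defaultdict(list)
    for ev in events:
        if ev["method"] not in DIRECTORY_METHODS or ev["app"] in SANCTIONED_APPS:
            continue
        times_by_actor[ev["actor"]].append(ev["time"])
        if ev["user_agent"] not in KNOWN_AGENTS:                 # UserContext: unseen client
            alerts.append((ev["actor"], "unseen user agent: " + ev["user_agent"]))
    for actor in bulk_keys(times_by_actor, API_THRESHOLD, API_WINDOW):
        alerts.append((actor, "directory query volume"))
    return sorted(set(alerts))


CLOUD_EVENTS = (  # constructed sample records
    [{"source": "gcp:audit", "actor": "ctr-jdoe@corp.example", "method": "directory.users.list",
      "app": "unknown-oauth-client", "user_agent": "python-requests/2.31",
      "time": T0 + timedelta(seconds=5 * i)} for i in range(25)]            # 25 calls in ~2 minutes
    + [{"source": "gcp:audit", "actor": "svc-hrsync@corp.example", "method": "directory.users.list",
        "app": "hr-sync-connector", "user_agent": "Google-apps-sync",
        "time": T0 + timedelta(seconds=2 * i)} for i in range(60)]          # sanctioned sync tool
    + [{"source": "m365:unified", "actor": "alice@corp.example", "method": "GalLookup",
        "app": "Outlook", "user_agent": "Microsoft Office/16.0", "time": T0}]  # normal client
)

if __name__ == "__main__":
    print(an0641(WINDOWS_EVENTS))
    print(an0642(CLOUD_EVENTS))
```

Running the block flags WS-0142 three times and as a bulk host under AN0641 (the Exchange-server and Get-Process records are ignored), and flags the contractor account under AN0642 for both an unseen user agent and query volume, while the allowlisted HR sync connector, despite issuing more calls, raises nothing. The sanctioned-app check happens before counting on purpose: if it ran after, a legitimate sync tool would still consume the actor's volume budget and its alerts would only be filtered at the end.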