T1585.002 Email Accounts
Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.1 Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).1
To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.2
| Item | Value |
|---|---|
| ID | T1585.002 |
| Sub-techniques | T1585.001, T1585.002, T1585.003 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 01 October 2020 |
| Last Modified | 15 April 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0006 | APT1 | APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.1 |
| G1011 | EXOTIC LILY | EXOTIC LILY has created e-mail accounts to spoof targeted organizations.11 |
| C0007 | FunnyDream | For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.17 |
| G1001 | HEXANE | HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.10 |
| G0094 | Kimsuky | Kimsuky has created email accounts for phishing operations.7 |
| G0032 | Lazarus Group | Lazarus Group has created new email accounts for spearphishing operations.8 |
| G0065 | Leviathan | Leviathan has created new email accounts for targeting efforts.6 |
| G0059 | Magic Hound | Magic Hound has established email accounts using fake personas for spearphishing operations.43 |
| G0129 | Mustang Panda | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.12 |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.14 |
| C0016 | Operation Dust Storm | For Operation Dust Storm, the threat actors established email addresses to register domains for their operations.16 |
| C0006 | Operation Honeybee | During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.15 |
| C0014 | Operation Wocao | For Operation Wocao, the threat actors registered email accounts to use during the campaign.13 |
| G0034 | Sandworm Team | Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.9 |
| G0122 | Silent Librarian | Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
References
-
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. ↩↩↩
-
Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020. ↩
-
Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021. ↩
-
Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021. ↩
-
DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021. ↩
-
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. ↩
-
KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. ↩
-
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. ↩
-
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. ↩
-
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. ↩
-
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. ↩
-
Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩
-
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. ↩
-
Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. ↩
-
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩
-
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. ↩