T1585.002 · resource-development · 15 actors · 2 correlated reports

Email Accounts

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to Acquire Infrastructure for follow-on purposes. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains). To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Observed actors

Indrik Spider
G0119 Kimsuky
G0094 EXOTIC LILY
G1011 Sandworm Team
G0034 CURIUM
G1012 Mustang Panda
G0129 APT1
G0006 Leviathan
G0065 Silent Librarian
G0122 Star Blizzard
G1033 Lazarus Group
G0032 Wizard Spider
G0102 Moonstone Sleet
G1036 HEXANE
G1001 Magic Hound
G0059

Correlated CTI and IR reports

ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention ATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research