T1589.002 · reconnaissance · 15 actors · 7 correlated reports

Email Addresses

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Email addresses could also be enumerated via more active means (i.e. Active Scanning), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system. For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Email Accounts), and/or initial access (ex: Phishing or Brute Force via External Remote Services).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor for suspicious network traffic that could be indicative of probing for email addresses and/or usernames, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Observed actors

Kimsuky
G0094 EXOTIC LILY
G1011 Volt Typhoon
G1017 APT32
G0050 HAFNIUM
G0125 MuddyWater
G0069 Sandworm Team
G0034 Saint Bear
G1031 Silent Librarian
G0122 TA551
G0127 Lazarus Group
G0032 LAPSUS$
G1004 Moonstone Sleet
G1036 HEXANE
G1001 Magic Hound
G0059

Correlated CTI and IR reports

APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention Attack Playbook Operation DragonRx
1200km Medium · authored report mention Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research