Gather Victim Identity Information: Email Addresses (T1589.002)

Tactic: Reconnaissance · Platforms: PRE

The interactive view maps 1 detection strategy, 1 mitigation, 14 threat groups, 1 software entry, 2 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Gather Victim Identity Information (T1589).

Overview

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Email addresses could also be enumerated via more active means (i.e. Active Scanning), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system. For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Email Accounts), and/or initial access (ex: Phishing or Brute Force via External Remote Services).

Explore