MITRE ATT&CK® Detection Strategy

DET0229: Enumeration of Global Address Lists via Email Account Discovery


Enterprise · DET0229 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about recognizing when an authenticated user or process is enumerating email accounts through global address lists. For leaders, the risk is not the address list alone; it is that reliable email-account inventory can support follow-on phishing, impersonation, account targeting, and incident expansion. Because the ATT&CK detection object itself has no official description or detection logic, its practical value comes from its relationship to Email Account discovery (T1087.003).

Executive priority

Treat this as an identity and email-security visibility question: can the organization prove who accessed or enumerated address-list data, from where, and under what account context? This matters for incident scoping, audit evidence, and prioritizing monitoring around Exchange, Exchange Online, and Office Suite environments where email-account discovery is relevant. Leadership should ask whether SOC and IR teams can distinguish normal administrative address-list activity from unusual authenticated enumeration.

Technical view

The supplied relationship states this strategy detects T1087.003, Email Account, under Discovery, with related platforms Windows and Office Suite. Detection engineering should focus on authenticated email or Exchange activity that obtains large or unusual listings of email addresses or accounts, including address-list access and relevant PowerShell activity where logged. Validate collection before writing analytics: the detection strategy object provides no official detection text, so local log sources, audit settings, and baselines are decisive.

Likely telemetry

  • Exchange or Exchange Online audit logs for address-list access and administrative activity
  • Identity provider sign-in and session records for authenticated email access
  • PowerShell or administrative command logging where Exchange management activity is captured
  • Mailbox, directory, or Office Suite audit events showing account or address-list enumeration
  • User, admin, and service-account context including source IP, device, time, and volume of queried objects

Detection direction

  • Baseline legitimate address-list and email-account discovery by administrators, help desk staff, synchronization processes, and approved service accounts.
  • Look for unusual volume, frequency, timing, source location, or account context around address-list enumeration.
  • Correlate enumeration activity with recent authentication anomalies, new sessions, privilege changes, or suspicious mailbox access when available.
  • Tune carefully for false positives from normal Exchange administration and directory synchronization workflows.
  • Document gaps where audit logging, PowerShell logging, or cloud email audit retention is not enabled or not retained long enough for IR scoping.
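As an added example (not code from the Glexia page or from MITRE's object), the Python below applies the baseline-and-deviation approach of the list above to a handful of constructed Exchange-style audit records. Field names (CreationTime, Operation, UserId, ClientIP) loosely follow the Office 365 Management Activity API common schema; ResultCount is a constructed field standing in for the number of objects a query returned; the cmdlet names are real Exchange cmdlets, but which of them your audit configuration actually records is an assumption; the approved-account list, internal IP prefixes and business-hours window are placeholders.

```python
"""Baseline-vs-deviation scoring for address-list / recipient enumeration.

All records below are constructed for illustration. Field names loosely follow
the Office 365 Management Activity API common schema; ResultCount is invented.
"""
from collections import defaultdict
from datetime import datetime

# Cmdlets treated as enumeration. These are real Exchange cmdlets; whether your
# audit logging records them is an assumption (see usage note).
ENUM_OPERATIONS = {"Get-GlobalAddressList", "Get-Recipient", "Get-Mailbox"}
# Accounts with a documented business need to list the directory (placeholder).
APPROVED_ENUMERATORS = {"dirsync-svc@example.com"}
CORP_PREFIXES = ("10.", "192.168.")   # placeholder internal ranges
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59, assumed local time


def _ev(ts, op, user, ip, n):
    return {"CreationTime": ts, "Operation": op, "UserId": user,
            "ClientIP": ip, "ResultCount": n}


# Constructed sample: the sync account lists ~5k recipients nightly from a
# corporate address; a help-desk user normally looks up a few objects, then on
# 2024-03-12 pulls the whole GAL at 02:00 from an external address.
SAMPLE_EVENTS = [
    _ev("2024-03-10T01:00:00", "Get-Recipient", "dirsync-svc@example.com", "10.1.2.3", 5100),
    _ev("2024-03-11T01:00:00", "Get-Recipient", "dirsync-svc@example.com", "10.1.2.3", 5120),
    _ev("2024-03-12T01:00:00", "Get-Recipient", "dirsync-svc@example.com", "10.1.2.3", 5130),
    _ev("2024-03-10T09:15:00", "Get-Mailbox", "hd.user@example.com", "192.168.5.9", 3),
    _ev("2024-03-11T14:40:00", "Get-Mailbox", "hd.user@example.com", "192.168.5.9", 2),
    _ev("2024-03-11T15:05:00", "Get-Recipient", "hd.user@example.com", "192.168.5.9", 4),
    _ev("2024-03-12T02:10:00", "Get-GlobalAddressList", "hd.user@example.com", "203.0.113.7", 1),
    _ev("2024-03-12T02:11:00", "Get-Recipient", "hd.user@example.com", "203.0.113.7", 4800),
    _ev("2024-03-12T10:00:00", "Set-Mailbox", "hd.user@example.com", "192.168.5.9", 1),  # not enumeration
]


def daily_activity(events):
    """Aggregate enumeration events into (user, ISO date) -> summary dict."""
    days = defaultdict(lambda: {"objects": 0, "calls": 0, "ips": set(), "off_hours": 0})
    for e in events:
        if e["Operation"] not in ENUM_OPERATIONS:
            continue
        ts = datetime.fromisoformat(e["CreationTime"])
        d = days[(e["UserId"], ts.date().isoformat())]
        d["objects"] += e["ResultCount"]
        d["calls"] += 1
        d["ips"].add(e["ClientIP"])
        if ts.hour not in BUSINESS_HOURS:
            d["off_hours"] += 1
    return days


def baseline(days, user, before_date):
    """Largest daily object volume this user produced on days before before_date."""
    vols = [d["objects"] for (u, date), d in days.items()
            if u == user and date < before_date]
    return max(vols) if vols else 0


def score_day(days, user, date, ratio=5.0, floor=500):
    """Reasons a (user, date) deviates from baseline; empty list = consistent."""
    d = days[(user, date)]
    base = baseline(days, user, date)
    approved = user in APPROVED_ENUMERATORS
    reasons = []
    if approved:
        # Approved enumerators are expected to be bulky; flag only a jump vs. history.
        if base and d["objects"] > ratio * base:
            reasons.append(f"volume {d['objects']} vs baseline {base}")
    elif d["objects"] >= floor and d["objects"] > ratio * base:
        reasons.append(f"volume {d['objects']} vs baseline {base}")
    if any(not ip.startswith(CORP_PREFIXES) for ip in d["ips"]):
        reasons.append("non-corporate source IP")
    if not approved and d["off_hours"]:
        reasons.append(f"{d['off_hours']} off-hours call(s)")
    return reasons


def find_anomalies(events):
    """Map each anomalous (user, date) to its list of reasons."""
    days = daily_activity(events)
    out = {}
    for key in sorted(days):
        reasons = score_day(days, *key)
        if reasons:
            out[key] = reasons
    return out


if __name__ == "__main__":
    for (user, date), reasons in find_anomalies(SAMPLE_EVENTS).items():
        print(user, date, "->", "; ".join(reasons))
```

The baseline is deliberately simple (the largest prior daily volume for the same account); in production it would come from weeks of history per account and per client type, and the volume, source and timing signals would feed the correlation step rather than fire individually. One caveat that the last bullet above anticipates: on-premises Exchange admin audit logging does not record Get- cmdlets by default, so a rule like this sees nothing until that gap is closed or the evidence is taken from another source such as mailbox or directory audit events.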

Mitigation priorities

  • Confirm logging and retention for Exchange, Exchange Online, identity, and administrative activity before relying on this detection strategy.
  • Apply least-privilege access to email and directory administration so broad enumeration is limited to accounts with a business need.
  • Review privileged, help desk, and service-account usage patterns for address-list access and document approved behavior.
  • Use identity controls such as strong authentication and session governance for accounts that can access broad email-account data.
  • Include address-list enumeration evidence in incident response playbooks for phishing, account compromise, and email-system investigations.

Analyst notes and limits

The strongest use of this ATT&CK object is as a coverage validation item: determine whether the SOC can observe authenticated global address list or email-account enumeration and tie it back to a user, device, session, and business justification. The related technique provides the operational context; the detection strategy itself does not supply analytics, data components, or platform details.

The official detection strategy has no supplied description, detection text, tactics, or platforms. Platform and behavior context are inferred only from the stated relationship to T1087.003 Email Account, which lists Discovery and Windows/Office Suite and describes Exchange address list enumeration using authenticated sessions. Local environment evidence is required to decide feasibility, fidelity, and control priority.

Official MITRE ATT&CK definition

Enumeration of Global Address Lists via Email Account Discovery

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name           Relationship / procedure
Enterprise  T1087.003  Email Account  Sub-technique; this object detects Email Account.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 462e8ec300d714a7...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  462e8ec300d7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0229 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.