MITRE ATT&CK® Detection Strategy

DET0814: Detection of Email Addresses


Enterprise | DET0814 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0814 is a detection strategy object for identifying activity related to adversary collection of email addresses during reconnaissance. The ATT&CK object itself does not provide detection logic, platforms, or telemetry requirements, but its relationship to T1589.002 makes the business issue clear: exposed employee or organizational email addresses can become targeting material for later phishing, credential attacks, or other social-engineering activity. For leaders, the practical value is to treat email-address exposure as an upstream risk signal, not as proof of compromise.

Executive priority

Prioritize this as a reconnaissance and exposure-management question: which employee, executive, shared mailbox, and business-function email addresses are publicly discoverable, and does the organization have evidence that security teams can monitor and respond when those addresses become part of suspicious targeting patterns? This supports identity risk reduction, security awareness prioritization, incident readiness, and compliance evidence around monitoring and protection of organizational information. Because the object has no official detection guidance, it should not be treated as a complete detection control without local validation.

Technical view

SOC, detection engineering, and IR teams should use the related technique context, T1589.002 Email Addresses (Reconnaissance tactic, PRE platform), to validate whether they can observe and correlate public email exposure with downstream suspicious activity. Since DET0814 provides no official detection text or platform scope, teams should not assume coverage from this object alone. Validation should focus on whether external exposure inventories, email security logs, identity events, and incident case data can connect known exposed addresses to later suspicious inbound messages, authentication attempts, or user-targeting patterns.

Likely telemetry

  • External exposure or attack-surface inventories showing publicly discoverable organizational email addresses
  • Email security gateway or mail platform metadata for inbound messages to exposed addresses
  • Identity and authentication logs associated with exposed accounts
  • Security awareness or phishing-reporting records tied to targeted addresses
  • SOC case management or incident records linking exposed addresses to suspicious activity

Detection direction

  • Confirm whether the organization maintains an inventory of public-facing email addresses, including executives, shared mailboxes, aliases, and role-based accounts.
  • Correlate exposed addresses with suspicious inbound email, authentication anomalies, or repeated targeting rather than treating the mere presence of an email address as malicious.
  • Tune for business context: public contact addresses and marketing or support aliases are expected to be exposed, while newly exposed executive, privileged, or sensitive-function addresses may warrant higher priority.
  • Document blind spots caused by absent external exposure monitoring, incomplete mailbox logging, unmanaged aliases, or lack of correlation between email and identity telemetry.
  • Use this detection strategy as a coverage-mapping prompt for T1589.002, not as deployable detection logic, because ATT&CK provides no official detection procedure for DET0814.
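The correlation the bullets above describe, as an added illustration that is not part of the ATT&CK object or of Glexia's page: an exposure inventory is joined with inbound-mail and identity telemetry, and an exposed address is only raised when it crosses a role-dependent threshold from more than one telemetry source. The inventory, role classes, event tuples, and thresholds are all constructed assumptions.

```python
"""Correlate publicly exposed email addresses with downstream telemetry.

Added example for the 'Detection direction' bullets; not ATT&CK or Glexia code.
Every inventory entry, mail/auth event and threshold below is constructed.
"""
from collections import defaultdict

# Constructed exposure inventory: address -> role class (assumed export
# shape of an attack-surface tool; not a real product format).
EXPOSED = {
    "cfo@example.com": "executive",
    "it-admin@example.com": "privileged",
    "support@example.com": "public-alias",
}

# Constructed telemetry tuples: (telemetry source, address, signal label).
EVENTS = [
    ("mail", "cfo@example.com", "suspicious-sender"),
    ("mail", "cfo@example.com", "suspicious-sender"),
    ("auth", "cfo@example.com", "failed-login"),
    ("mail", "support@example.com", "suspicious-sender"),
    ("mail", "support@example.com", "suspicious-sender"),
    ("mail", "support@example.com", "suspicious-sender"),
    ("auth", "it-admin@example.com", "failed-login"),
    ("mail", "unknown@example.com", "suspicious-sender"),
]

# Business-context tuning: an always-public alias needs far more evidence
# than an executive or privileged address before it is worth a case.
THRESHOLD = {"executive": 2, "privileged": 2, "public-alias": 5}


def correlate(exposed, events):
    """Return {address: {signals, sources, priority}} for exposed addresses
    that both cross their role threshold and appear in at least two distinct
    telemetry sources, so mere exposure (or one noisy feed) never alerts."""
    counts = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for source, address, signal in events:
        if address in exposed:  # addresses outside the inventory are ignored
            counts[address][signal] += 1
            sources[address].add(source)
    hits = {}
    for address, role in exposed.items():
        total = sum(counts[address].values())
        if total >= THRESHOLD[role] and len(sources[address]) >= 2:
            hits[address] = {"signals": dict(counts[address]),
                             "sources": sorted(sources[address]),
                             "priority": "low" if role == "public-alias" else "high"}
    return hits


if __name__ == "__main__":
    for addr, hit in correlate(EXPOSED, EVENTS).items():
        print(addr, hit)
```

With the sample data only the executive address is raised: the public alias sees three suspicious messages but stays below its threshold, and the privileged account has a single identity event with no mail corroboration.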

Mitigation priorities

  • Maintain an accurate inventory of public and externally discoverable organizational email addresses.
  • Reduce unnecessary exposure of sensitive individual, executive, privileged, or operational email addresses where business requirements allow.
  • Apply stronger identity protections and monitoring to accounts whose addresses are publicly exposed or frequently targeted.
  • Ensure email security, identity monitoring, user reporting, and incident-response workflows can share context about targeted addresses.
  • Use exposure findings to prioritize awareness, phishing simulations, executive protection, and response playbooks without assuming exposure alone indicates compromise.

Analyst notes and limits

The supplied ATT&CK object is sparse: no official description, detection text, platforms, tactics, or labels are provided for DET0814. The only substantive context is the relationship to T1589.002 Email Addresses, a reconnaissance technique describing adversary gathering of email addresses from public or accessible sources. This take therefore frames DET0814 as a defensive validation and exposure-management prompt rather than a concrete analytic.

This assessment is limited to the supplied STIX fields, external reference, and the relationship to T1589.002. It does not establish active exploitation, adversary attribution, affected platforms, or guaranteed detection coverage. Local telemetry, public exposure data, and business context are required to determine materiality and control effectiveness.

Official MITRE ATT&CK definition

Detection of Email Addresses

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name             Relationship / procedure
Enterprise  T1589.002  Email Addresses  Sub-technique. This object detects Email Addresses.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 89270921b446dd80...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  89270921b446…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0814 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.