DET0861: Detection of Email Accounts
Analyst context for executives and security teams
This detection strategy is tied to adversary use of compromised email accounts during resource development. For leaders, the practical issue is trust abuse before or during an intrusion: a real mailbox or established persona can make phishing, information-gathering, or spam activity harder for users and controls to distinguish from normal communication.
Executive priority
Prioritize this as an identity, email security, and incident readiness question rather than only a mail-filtering issue. Executives should ask whether the organization can recognize when trusted or previously legitimate email accounts are being used to support targeting, whether response teams can contain suspicious mailbox-driven activity quickly, and whether audit evidence exists for monitoring and handling email-account compromise scenarios.
Technical view
The ATT&CK object provides no official detection logic, platforms, or tactics for DET0861, so teams should validate coverage from the related technique context: T1586.002, Email Accounts, a Resource Development sub-technique on the PRE platform. SOC and detection engineering should focus on evidence that can show compromised or suspicious email-account use connected to targeting activity, especially phishing, phishing for information, or large-scale unsolicited email activity. Incident responders should confirm playbooks cover investigation of trusted-sender abuse and compromised mailbox indicators without assuming the account belongs to the protected environment: the mailbox used against the organization is often a partner's, a customer's, or a stranger's, and the only evidence available is what the message and its routing metadata carry.
Likely telemetry
- Email security gateway or mail filtering events
- Mailbox authentication and access logs where available
- Identity provider sign-in and session logs for email accounts under organizational control
- Message headers, sender reputation, forwarding, and routing metadata
- User reports of suspicious messages from known or trusted senders
Detection direction
- Map existing detections to the related ATT&CK technique T1586.002 rather than to DET0861 alone, because this detection strategy has no official detection text.
- Validate whether alerts can distinguish suspicious use of trusted or previously legitimate email accounts from routine business communication. Mail from a genuinely compromised account leaves the provider's normal infrastructure, so SPF, DKIM, and DMARC typically pass; authentication results help separate spoofing from account compromise but do not clear a message on their own.
- Tune for context: false positives may arise from marketing campaigns, third-party senders, compromised external contacts, or unusual but legitimate travel and access patterns.
- Check blind spots around external compromised accounts, because the related technique describes adversaries using compromised email accounts during targeting, not necessarily accounts owned by the defending organization.
- Correlate email telemetry with identity and incident case data where available to support triage and containment decisions.
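The two detection directions above (trusted external senders that deviate from their own history, and organization-owned mailboxes whose sign-in and mailbox activity line up in a suspicious way) can be sketched as a pair of analytics over the telemetry listed earlier. The following Python is an added example written for this page, not ATT&CK content and not any vendor's rule: the record layout, the baseline data, the sample events and the recipient threshold are all constructed assumptions, and a real deployment would read these fields from the gateway, identity provider and mailbox audit sources the organization actually has.

```python
"""Added example: two analytics for trusted-sender abuse (T1586.002 context).

All records below are constructed samples; the field names are an assumed
normalized schema, not any gateway or identity provider's native format.
"""
from datetime import datetime, timedelta

# Constructed baseline for a known external sender: MTA IPs and reply-to
# domains seen during an assumed learning window.
SENDER_BASELINE = {
    "cfo@partner.example": {
        "mta_ips": {"203.0.113.10"},
        "reply_domains": {"partner.example"},
    },
}

# Constructed gateway events. The second one passes SPF/DKIM/DMARC because a
# compromised account sends through the provider's real infrastructure; the
# third fails authentication, which points at spoofing rather than compromise.
GATEWAY_EVENTS = [
    {"ts": "2026-03-01T09:00:00", "sender": "cfo@partner.example",
     "mta_ip": "203.0.113.10", "spf": "pass", "dkim": "pass", "dmarc": "pass",
     "reply_to": "cfo@partner.example", "recipients": 1},
    {"ts": "2026-03-01T09:15:00", "sender": "cfo@partner.example",
     "mta_ip": "203.0.113.10", "spf": "pass", "dkim": "pass", "dmarc": "pass",
     "reply_to": "cfo@partner-example.net", "recipients": 40},
    {"ts": "2026-03-01T09:20:00", "sender": "cfo@partner.example",
     "mta_ip": "198.51.100.7", "spf": "fail", "dkim": "none", "dmarc": "fail",
     "reply_to": "cfo@partner.example", "recipients": 1},
]

BULK_THRESHOLD = 25  # assumed tuning value; derive it from local volume data


def score_external_sender(event, baseline=SENDER_BASELINE):
    """Return deviation reasons for a message from a baselined external sender."""
    known = baseline.get(event["sender"].lower())
    if known is None:
        return []  # not a trusted sender; outside this analytic
    reasons = []
    if any(event[k] != "pass" for k in ("spf", "dkim", "dmarc")):
        reasons.append("auth_fail")
    if event["mta_ip"] not in known["mta_ips"]:
        reasons.append("new_mta_ip")
    reply_domain = event["reply_to"].rsplit("@", 1)[-1].lower()
    if reply_domain not in known["reply_domains"]:
        reasons.append("reply_to_domain_mismatch")
    if event["recipients"] >= BULK_THRESHOLD:
        reasons.append("bulk_recipients")
    return reasons


def classify(reasons):
    """Separate spoofing (auth fails) from compromised-account use (auth passes)."""
    if not reasons:
        return "benign"
    if "auth_fail" in reasons:
        return "likely_spoofed_sender"
    return "possible_compromised_account"


# Constructed identity-provider sign-ins and mailbox audit events for an
# organization-owned account.
USER_COUNTRY_BASELINE = {"j.doe@corp.example": {"US"}}
IDP_SIGNINS = [
    {"ts": "2026-03-01T08:50:00", "user": "j.doe@corp.example",
     "country": "DE", "result": "success"},
]
MAILBOX_EVENTS = [
    {"ts": "2026-03-01T08:58:00", "user": "j.doe@corp.example",
     "action": "forwarding_rule_created", "count": 1},
    {"ts": "2026-03-01T09:05:00", "user": "j.doe@corp.example",
     "action": "send", "count": 60},
    {"ts": "2026-03-01T15:00:00", "user": "j.doe@corp.example",
     "action": "send", "count": 3},
]


def correlate_internal(signins=IDP_SIGNINS, mailbox_events=MAILBOX_EVENTS,
                       country_baseline=USER_COUNTRY_BASELINE,
                       window=timedelta(hours=1)):
    """Flag a successful sign-in from an unseen country that is followed,
    within the window, by a forwarding rule or an outbound send burst."""
    alerts = []
    for s in signins:
        if s["result"] != "success":
            continue
        if s["country"] in country_baseline.get(s["user"], set()):
            continue
        t0 = datetime.fromisoformat(s["ts"])
        followups = [
            e["action"] for e in mailbox_events
            if e["user"] == s["user"]
            and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window
            and (e["action"] == "forwarding_rule_created"
                 or e["count"] >= BULK_THRESHOLD)
        ]
        if followups:
            alerts.append({"user": s["user"], "country": s["country"],
                           "followups": followups})
    return alerts


if __name__ == "__main__":
    for ev in GATEWAY_EVENTS:
        reasons = score_external_sender(ev)
        print(ev["ts"], classify(reasons), reasons)
    print(correlate_internal())
```

The first analytic deliberately treats authentication failure and authentication success differently: the spoofed message trips `auth_fail`, while the compromised-account message passes every check the gateway can do and is caught only by the reply-to domain change and the recipient burst, which is the blind spot the direction list warns about. The second analytic only fires when a sign-in anomaly and a mailbox action coincide, which is what keeps legitimate travel from alerting on its own.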
Mitigation priorities
- Strengthen identity controls for organizational email accounts, including access governance and rapid containment processes.
- Maintain phishing reporting and triage workflows that account for messages from trusted or known senders.
- Ensure email security, identity, SOC, and incident response teams share evidence needed to investigate suspected mailbox abuse.
- Document monitoring and response procedures as compliance and readiness evidence, especially where email compromise could affect business operations or regulated communications.
- Review third-party and partner communication risk assumptions, since compromised external email accounts may still create material targeting risk.
Analyst notes and limits
DET0861 is a detection strategy object with no official description or detection content supplied. The useful defensive context comes from its relationship to T1586.002, Email Accounts. Treat this as a prompt to validate email-account compromise visibility and response readiness, not as a complete ATT&CK-provided analytic.
Platforms and tactics are not specified on the detection strategy itself, and no official detection guidance is provided. Any concrete analytic logic, thresholds, vendor mappings, or coverage claims require local telemetry, environment architecture, and control evidence.
Detection of Email Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1586.002 | Email Accounts (sub-technique) | This object detects Email Accounts. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1537e2fba3b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0861 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.