Compromise Accounts: Email Accounts

ID Name
T1586.001 Social Media Accounts
T1586.002 Email Accounts

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).

A variety of methods exist for compromising email accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).[1] Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

ID: T1586.002
Sub-technique of:  T1586
Platforms: PRE
Version: 1.0
Created: 01 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used compromised email accounts to send credential phishing emails.[2]

G0016 APT29

APT29 has compromised email accounts to further enable phishing campaigns.[3]

G0136 IndigoZebra

IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.[4]

G0094 Kimsuky

Kimsuky has compromised email accounts to send spearphishing e-mails.[5][6]

G0065 Leviathan

Leviathan has compromised email accounts to conduct social engineering attacks.[7]

G0059 Magic Hound

Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[8]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).