T1585.002: Email Accounts

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

T1585.002: Email Accounts

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1585.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

T1585.002

Platforms

PRE

Description

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Mandiant APT1
Trend Micro R980 2016
Free Trial PurpleUrchin
mitre-attack (T1585.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (31)

Smishing Triad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CURIUM uses Crimson SandstormTA456

The MITRE Corporation Confidence 100

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HEXANE uses LyceumSiamesekitten

The MITRE Corporation Confidence 100

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moonstone Sleet uses Storm-1789

The MITRE Corporation Confidence 100

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy uses

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6229 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Leviathan uses MUDCARPKryptonite Panda

The MITRE Corporation Confidence 100

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT42 uses

The MITRE Corporation Confidence 100

[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EXOTIC LILY uses

The MITRE Corporation Confidence 100

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wang Duo Yu uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 31

DCHSpy uses

Family
NetBird uses

Family
NanHaiShu - S0228 uses
Keitaro uses

Family
China Chopper - S0020 uses

Family
Noodlophile Stealer uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CurlBack RAT uses

Family
InvisibleFerret uses

Family
RustDoor uses

Family
YTStealer uses

Family
DarkCloud uses

Family

← Previous

Page / 4

1–12 of 42

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
330 custom email domains, and what this tells … related

7 MITREs 200 Observables
SecuritySnack: 18+E-Crime related

5 MITREs 140 Observables
Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video … related

6 MITREs 5 Malwares 1 Observable 1 APT
Uncovering Actor TTP Patterns and the Role of … related

9 MITREs 87 Observables
Unraveling the U.S. toll road smishing scams related

1 CVE 4 MITREs 43 Observables 1 APT
Smishing Triad: Chinese eCrime Group Targets 121+ Countries, … related

4 MITREs 93 Observables 1 APT
Goodbye HTA, Hello MSI: New TTPs and Clusters … related

9 MITREs 3 Malwares 28 Observables 1 APT
Russian Influence Operations Target German Elections related

19 MITREs
InvisibleFerret Malware: Technical Analysis related

14 MITREs 5 Malwares 4 Observables 1 APT
Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam related

8 MITREs 69 Observables 1 APT
Telekopye transitions to targeting tourists via hotel booking … related

9 MITREs 1 Malware 1 APT

← Previous

Page / 2

1–12 of 13

Vulnerabilities (CVE) (4)

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2025-4609 targets

9.6 Critical

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …

Attack vector: NETWORK
Published: 22/08/2025
Modified: 21/12/2025

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

Attack patterns (MITRE) (1)

T1585 subtechnique-of

Establish Accounts MITRE

Campaign (8)

Salesforce Data Exfiltration uses
Operation Wocao uses
Operation Dream Job uses
Operation Honeybee uses
Operation Dust Storm uses
Operation AkaiRyū uses
FunnyDream uses
SharePoint ToolShell Exploitation uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use