MITRE ATT&CK Technique
Description
Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T01:20:53.104Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise email accounts that can be used '
'during targeting. Adversaries can use compromised email '
'accounts to further their operations, such as leveraging them '
'to conduct [Phishing for '
'Information](https://attack.mitre.org/techniques/T1598), '
'[Phishing](https://attack.mitre.org/techniques/T1566), or '
'large-scale spam email campaigns. Utilizing an existing '
'persona with a compromised email account may engender a level '
'of trust in a potential victim if they have a relationship '
'with, or knowledge of, the compromised persona. Compromised '
'email accounts can also be used in the acquisition of '
'infrastructure (ex: '
'[Domains](https://attack.mitre.org/techniques/T1583/001)).\n'
'\n'
'A variety of methods exist for compromising email accounts, '
'such as gathering credentials via [Phishing for '
'Information](https://attack.mitre.org/techniques/T1598), '
'purchasing credentials from third-party sites, brute forcing '
'credentials (ex: password reuse from breach credential '
'dumps), or paying employees, suppliers or business partners '
'for access to credentials.(Citation: AnonHBGary)(Citation: '
'Microsoft DEV-0537) Prior to compromising email accounts, '
'adversaries may conduct Reconnaissance to inform decisions '
'about which accounts to compromise to further their '
'operation. Adversaries may target compromising well-known '
'email accounts or domains from which malicious spam or '
'[Phishing](https://attack.mitre.org/techniques/T1566) emails '
'may evade reputation-based email filtering rules.\n'
'\n'
'Adversaries can use a compromised email account to hijack '
'existing email threads with targets of interest.',
'external_references': [{'external_id': 'T1586.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1586/002'},
{'description': 'Bright, P. (2011, February 15). '
'Anonymous speaks: the inside story '
'of the HBGary hack. Retrieved March '
'9, 2017.',
'source_name': 'AnonHBGary',
'url': 'https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/'},
{'description': 'Microsoft. (2022, March 22). '
'DEV-0537 criminal actor targeting '
'organizations for data exfiltration '
'and destruction. Retrieved March 23, '
'2022.',
'source_name': 'Microsoft DEV-0537',
'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'}],
'id': 'attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:41.309Z',
'name': 'Email Accounts',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tristan Bennett, Seamless Intelligence',
'Bryan Onel'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}