Gather victim identity information (T1589)

Q: How does Log360 detect credential stuffing from harvested credentials?

Log360 detects credential stuffing through authentication event correlation across Windows, Active Directory, and Microsoft 365. The Notable Account Lockouts rule fires when repeated failed authentication attempts trigger lockout events across multiple accounts — the primary signature of bulk credential testing from breach databases. The MFA Challenge Failed During Authentication rule (M365) detects successful password authentication immediately followed by MFA failure, indicating attackers possess valid current passwords but cannot satisfy the MFA requirement. A custom threshold rule detecting failed authentication across 10 or more distinct accounts within a 5-minute window from a single source IP further distinguishes T1589-driven bulk credential testing from individual user errors.

Q: What is the difference between gather victim identity information (T1589) and phishing for information (T1598)?

T1589 (Gather Victim Identity Information) is a passive reconnaissance technique where adversaries collect identity data from external sources — breach repositories, LinkedIn, company websites, and GitHub — without any direct interaction with the target organization. T1598 (Phishing for Information) is an active technique where adversaries send phishing communications specifically designed to elicit sensitive information from targets, such as spear-phishing emails requesting credentials or internal data. T1589 feeds the intelligence that makes T1598 more convincing: employee names, roles, and organizational hierarchy harvested via T1589 inform the pretexts used in T1598 spear-phishing campaigns. T1589 generates no log events in the target; T1598 may generate email delivery and link-click events.

Q: Which log sources detect T1589 downstream indicators?

T1589 downstream weaponization is detected across three log source categories in Log360. Windows and Active Directory event logs surface authentication failures (Event ID 4625) and account lockouts (Event ID 4740) from on-premises credential stuffing. Microsoft 365 audit logs provide the richest downstream visibility: MFA Challenge Failed During Authentication, Login to Disabled Account, Risky Sign-in with Device Registration, M365 Short Lived Accounts, and Temporary Access Pass Added rules all correlate M365 authentication events against T1589 weaponization patterns. UEBA behavioral baselines across all three sources add first-seen country and first-seen device anomaly detection that catches successful authentications with harvested credentials where threshold-based rules did not fire.

Q: How can MFA prevent T1589 credential weaponization?

MFA is the single most effective control against T1589 credential weaponization. Even when attackers possess valid current passwords sourced from breach databases, MFA prevents them from completing authentication. Credential stuffing attacks are neutralized entirely when MFA is universally enforced — the attacker can confirm password validity but cannot proceed to access. For maximum protection, configure Entra ID Conditional Access policies requiring compliant device status and named location restrictions for administrative accounts, disable legacy authentication protocols that bypass MFA, and monitor for MFA enrollment changes that could indicate an attacker with valid credentials attempting to register an attacker-controlled authenticator. Log360's MFA failure correlation rules surface the pattern of valid-password-but-failed-MFA attempts, enabling analysts to identify accounts where breach credentials are valid before any successful intrusion occurs.

How adversaries harvest credentials and identity data from breach databases and dark web sources, and how Log360 detects downstream weaponization through authentication anomaly correlation.

Apr 16, 2026 ManageEngine Security Team

Download a 30-day, free trial

What is gather victim identity information (T1589)?

Gather victim identity information is a MITRE ATT&CK® reconnaissance technique in which adversaries collect identity-related data about target organization personnel before initiating an intrusion. Unlike active techniques that probe an organization's infrastructure directly, T1589 is entirely passive. Adversaries aggregate identity data from public and semi-public sources including breach credential repositories, corporate websites, LinkedIn profiles, job postings, and email format enumeration, without generating any traffic that the target organization can observe.

The identity data harvested through T1589 directly enables two downstream attack vectors: credential-based initial access using T1078 (valid accounts), where harvested username-password pairs from breach databases are tested against the organization's authentication endpoints. The second is highly targeted spear-phishing via T1566, where employee names, roles, and organizational hierarchy inform convincing pretexts. Understanding these downstream risks is core to any MITRE ATT&CK framework detection strategy. This is why detecting T1589 has operational security value even though the collection itself is invisible. The downstream authentication anomalies that follow credential testing are detectable, and catching them early limits the window between credential harvesting and successful intrusion.

T1589 in the ATT&CK chain: T1589 is part of Reconnaissance (TA0043). Harvested identity data directly feeds T1078 (valid accounts) for credential-based initial access and T1566 (phishing) for targeted social engineering. Log360 cannot detect the collection phase (which occurs entirely externally), but detects the downstream weaponization: credential stuffing via authentication failure correlation, MFA bypass attempts, and first-seen location sign-in anomalies in Windows, Active Directory, and Microsoft 365 environments.

How attackers harvest identity data

T1589 identity reconnaissance uses a layered approach, combining automated tools with manual open source intelligence techniques to build a comprehensive identity dossier before engaging the target:

Credential breach databases: Repositories such as Have I Been Pwned, LeakBase, RaidForums, and dark web credential markets contain billions of email-password combinations from past data breaches. Attackers query these sources against target email domains (e.g., @company.com) to instantly obtain a list of employee credentials with previously used passwords. Even if passwords have been changed, older breach passwords are tested first as many users recycle passwords with minor variations. Organizations can reduce exposure by enabling dark web monitoring to receive alerts when employee credentials appear in breach repositories.
Email enumeration: Attackers enumerate valid email addresses by probing SMTP servers (RCPT TO enumeration), using Microsoft 365's user enumeration endpoint behavior, querying email verification APIs, and analyzing patterns in publicly disclosed addresses (first.last@company.com vs first_last@company.com). A confirmed email format and valid address list enables both credential testing and targeted phishing attack campaigns.
LinkedIn and professional networks: LinkedIn provides adversaries with an organizational hierarchy, employee roles, tenure, technical skills (revealing what software the organization uses), and contact information, all without triggering any target-side detection. Adversaries build employee target lists for executive impersonation, social engineering pretext construction, and identifying which accounts would have the highest-value access if compromised.
Corporate websites and job postings: "About us" pages and job postings reveal technology stack (job descriptions mention specific software versions), team structures, and operational processes. A job posting for "Splunk administrator" confirms the technology stack that can be used for targeted phishing pretexts or CVE-based initial access planning.
GitHub and code repositories: Public repositories containing organization code often expose hardcoded credentials, API keys, internal endpoint URLs, and employee email addresses in commit history. GitHub organization members and contributor lists reveal developer identity and potentially their access levels within the organization's systems.

T1589 in ransomware initial access chains

Multiple documented ransomware group TTPs begin with T1589 identity reconnaissance:

Credential stuffing for VPN/RDP access: Ransomware affiliates commonly acquire breach credential lists targeting organization email domains, then conduct bulk testing against publicly exposed VPN portals and RDP endpoints. Proactive ransomware detection at the authentication layer is the earliest intervention point in this attack chain. Username-password validity is confirmed before attempting MFA bypass or SIM-swapping services for accounts without MFA enabled.
Business email compromise (BEC) pretexting: Financial and executive impersonation BEC attacks rely on T1589 identity reconnaissance to identify finance team members, accounts payable personnel, and their reporting relationships. Business email compromise is one of the highest-cost outcomes of successful T1589 identity harvesting. The more accurately an attacker can impersonate an internal figure, the higher the success rate of BEC financial fraud.
Insider threat simulation: Nation-state groups, categorized as advanced persistent threats, have been documented constructing synthetic persona accounts that mirror real employee profiles on LinkedIn and professional networks to facilitate supply chain attacks. Monitoring insider threats and anomalous access patterns is essential for detecting these impersonation-driven intrusions.

Sub-techniques

MITRE ATT&CK documents three T1589 sub-techniques representing distinct categories of identity data collection. Each sub-technique maps to specific downstream attack TTPs tracked in the MITRE ATT&CK and MITRE D3FEND frameworks:

T1589.001 — Credentials: Harvesting valid username-password pairs or password hashes from data breach repositories, dark web markets, and credential dumping services. The harvested credentials are then tested against authentication endpoints (VPN, cloud portals, email) in credential stuffing campaigns. This sub-technique has the most direct and immediate impact on organizational security: a single valid credential pair can provide immediate initial access if MFA is not enforced.
T1589.002 — Email Addresses: Enumerating valid email addresses within the target organization through SMTP probing, Microsoft 365 user enumeration, and pattern inference from disclosed employee emails. A confirmed list of valid organizational email addresses enables targeted phishing, BEC campaigns, and provides the username component for credential testing. Email harvesting can be performed entirely through legitimate Microsoft 365 API behavior that does not require authentication.
T1589.003 — Employee Names: Collecting employee names, roles, organizational positions, and reporting relationships from LinkedIn, company websites, conference speaker lists, and professional publications. This identity mapping is the foundation for executive impersonation attacks, social engineering pretexts, insider threat simulation, and identifying which accounts represent the highest-value compromise targets based on their role and system access.

Detection approach

T1589 identity collection occurs entirely outside organizational infrastructure, making direct SIEM detection of the collection phase impossible. The detection strategy focuses on the operational use of harvested identity data: the authentication events, MFA failures, and anomalous sign-ins that indicate collected credentials are being weaponized:

Authentication failure burst detection

Credential stuffing using breach data produces a characteristic authentication event pattern: a high volume of failed logon attempts across multiple different accounts within a compressed time window, originating from a small number of source IPs. Unlike a brute force attack (T1110) that tries many passwords against one account, credential stuffing tests known passwords across many accounts. Log360's account lockout correlation rules and multi-account failure threshold rules detect this pattern across Windows (Event ID 4625, 4740) and Microsoft 365 authentication events.

MFA failure and bypass pattern detection

When harvested credentials include valid current passwords, attackers will present correct password authentication but fail MFA challenges. A pattern of successful password authentication immediately followed by MFA failure, particularly from unusual locations or new devices, indicates that breach data contains valid current passwords for your organization. Log360's M365 rules specifically target MFA Challenge Failed During Authentication and Risky Sign-in with Device Registration, which surface this pattern.

First-seen location and device anomaly detection

Breach credential use frequently comes from attacker-controlled infrastructure (VPS, residential proxies, Tor exit nodes) with geographic origins inconsistent with the legitimate user's authentication history. Log360's user behavior analytics and behavioral baseline capabilities detect first-seen-country and first-seen-device sign-in events that represent high-probability indicators of harvested credential use, separate from failed authentication events where the attacker has the correct current password. Anomaly detection in these sign-in patterns provides a critical secondary detection layer beyond threshold-based rules.

Email account enumeration probe detection

Microsoft 365 sign-in logs surface invalid username attempts: authentication requests to email addresses that do not exist in the tenant. A burst of sign-in attempts for non-existent usernames with no corresponding password attempts indicates T1589.002 email address enumeration against the M365 tenant, as attackers probe to confirm which email pattern variations (first.last vs flast vs f.last) return valid vs invalid user errors.

Detection coverage note: T1589 identity collection is a passive pre-intrusion technique that generates no events in the target organization's log sources at collection time. Log360 detects the downstream consequences of T1589 (authentication anomalies, MFA failures, and credential stuffing patterns) through M365 audit log correlation, Windows authentication event analysis, and behavioral baseline comparison. Organizations seeking proactive protection against T1589 should combine Log360's downstream detection with external credential monitoring services (dark web alerts, breach notification feeds) to detect exposure before credentials are weaponized. See the Log360 detection rules library for the complete ruleset.

Log360 detection capabilities

Log360 detects T1589 downstream weaponization through authentication event monitoring across Windows, Active Directory, and Microsoft 365 environments:

Detection capability	Platform	What it detects
Notable account lockouts	Windows / Active Directory	Bulk account lockout events from high-volume failed authentication attempts, which is the primary credential stuffing signature when breach credential lists are tested against on-premises Active Directory and Windows authentication endpoints
MFA Challenge Failed During Authentication	Microsoft 365	Successful password authentication immediately followed by MFA challenge failure, indicating attackers possess valid current passwords from breach data but cannot bypass the MFA layer; high-confidence indicator of active credential stuffing with breach data
Login to Disabled Account	Microsoft 365	Authentication attempts against accounts that have been administratively disabled; attackers using stale breach data attempt logins against accounts that organizations have disabled, providing a nearly zero-false-positive detection signal for active credential misuse from older breach datasets
Risky Sign-in with Device Registration	Microsoft 365	Sign-in attempts from unfamiliar devices combined with simultaneous device registration attempts; attackers using valid harvested credentials attempt device registration to bypass device-based conditional access policies protecting M365 resources
M365 Short Lived Accounts	Microsoft 365	Accounts created and used within very short windows; T1589 identity reconnaissance sometimes supports account creation for impersonation; short-lived account patterns indicate adversary-created temporary access vehicles rather than legitimate user lifecycle operations
Temporary Access Pass Added To An Account	Microsoft 365	Addition of temporary access passes to user accounts; adversaries with T1589-sourced credentials who have achieved M365 tenant access may add temporary access passes to establish persistent alternative authentication paths that bypass standard MFA requirements
Multi-account authentication failure correlation [Custom/Recommended]	Windows / AD / M365	Custom threshold rule detecting failed authentication across 10+ distinct accounts within a 5-minute window from a single source IP or IP range, which is the credential stuffing pattern that distinguishes T1589-driven bulk credential testing from individual user password errors

Investigation steps

When authentication anomaly rules surface a potential T1589 downstream event, the investigation goal is to determine whether harvested credentials have been successfully used and what access the attacker has obtained:

Profile the authentication source: Identify the source IP addresses generating the authentication failures. Enrich with Log360's threat intelligence integration: known VPN exit nodes, residential proxy networks, and credential-testing services operate from identifiable IP ranges. A source IP on threat intel lists combined with multi-account authentication failures is a near-certain credential stuffing indicator. Geolocate the source and compare against the target accounts' typical authentication locations.
Identify which accounts were targeted: Extract the complete list of accounts that received failed authentication attempts from the implicated source. Determine whether any accounts produced a successful authentication after the failure burst; a successful sign-in from the same source IP that was generating failures indicates at least one valid credential pair from the breach data. Immediately isolate any successfully authenticated accounts for investigation.
Assess the successful authentication scope: For any account that authenticated successfully from the suspicious source, review all activity in the post-authentication session: emails accessed, files downloaded, M365 applications used, Azure resource access, and any administrative actions. This establishes the blast radius of the credential compromise before any response action. Use Log360's threat investigation workflows to correlate these events into a unified incident timeline.
Check for MFA enrollment manipulation: Attackers with valid credentials will often attempt to modify MFA enrollment to add an attacker-controlled phone number or authenticator app. Review MFA method changes, conditional access policy assignments, and authentication method administrator actions for all targeted accounts in the 24-hour period following the credential stuffing event.
Review pre-authentication email activity: T1589 email enumeration (T1589.002) against M365 generates failed sign-in events with the error code AADSTS50034 (user account does not exist). Review M365 sign-in logs for clusters of non-existent username attempts that preceded the credential stuffing activity, confirming that T1589.002 email enumeration was used to validate the target account list before credential testing began.

Response playbook

Block and rate-limit identified stuffing sources: Add confirmed credential stuffing source IPs to perimeter block lists and configure authentication endpoint rate limiting. For M365 tenants, implement conditional access policies that require compliant device status or location restrictions for authentication from unknown geographic regions, neutralizing future credential stuffing from attacker-controlled infrastructure.
Force password reset for all targeted accounts: All accounts that received failed authentication attempts from the stuffing source should be treated as potentially exposed. Force password resets to invalidate the breach data credentials, even for accounts that did not authenticate successfully. Combine with a notification to affected users explaining the credential use policy required after a potential breach exposure event.
Enforce MFA universally: Credential stuffing attacks are neutralized by MFA. For any accounts that do not have MFA enrolled, treat this event as the forcing function for immediate MFA enrollment. Configure Log360 alerting on any authentication events reaching password-authenticated-only acceptance states (successful password auth, no MFA required) as a policy compliance monitoring signal.
Review breach exposure for the organization's email domain: Immediately after a T1589 downstream event, query breach notification services (Have I Been Pwned Enterprise, BreachDirectory) for the organization's email domain to identify which employee email addresses appear in known breach datasets. Prioritize password reset and MFA hardening for accounts confirmed in breach data over those with no known exposure.
Conduct threat hunt for successful intrusions: Authentication failure bursts may accompany successful authentications that did not trigger threshold rules (e.g., if the attacker tested credentials slowly over days rather than in a burst). Proactive threat hunting for credential misuse indicators across the preceding 30 days is essential for identifying valid credential uses that predated the bulk testing event that triggered the alert.
Implement conditional access hardening: For M365 environments, configure Entra ID Conditional Access policies requiring compliant device status, named location restrictions for administrative accounts, and sign-in frequency policies that limit session persistence for accounts accessed from unrecognized devices. Pair this with a structured incident response plan that defines escalation paths for confirmed credential compromise events. These controls significantly raise the friction for T1589 downstream credential use even when valid passwords are possessed.

ManageEngine Log360 for T1589 detection

Log360 detects T1589 gather victim identity information downstream weaponization through event correlation across Windows, Active Directory, and Microsoft 365, surfacing credential stuffing patterns, MFA bypass attempts, and first-seen-location authentication anomalies that indicate harvested identity data is being operationalized. While direct detection of the passive collection phase is not possible, Log360's downstream detection rules identify credential misuse before attackers achieve sustained access, providing the earliest possible intervention window after breach data has been weaponized against your organization.

Download free trial Schedule a demo

Need to explore ManageEngine Log360? Schedule a personalized demo

Frequently asked questions

What is gather victim identity information (T1589) in MITRE ATT&CK?

Gather victim identity information (T1589) is a MITRE ATT&CK pre-intrusion reconnaissance technique where adversaries collect identity data about target organization employees, including credentials from breach databases (T1589.001), valid email addresses (T1589.002), and employee names and roles from LinkedIn and company websites (T1589.003). This passive collection occurs entirely outside the organization's infrastructure. It is part of TA0043 (Reconnaissance) and feeds downstream T1078 (credential-based initial access) and T1566 (targeted phishing campaigns).

How does Log360 detect credential stuffing from harvested credentials?

Log360 detects credential stuffing through authentication failure burst correlation: multi-account lockout events from a single source IP, MFA Challenge Failed During Authentication (M365), and Login to Disabled Account (M365) rules that surface active breach credential testing. For the complete authentication anomaly detection approach, see the Log360 detection rules library covering Windows, AD, and M365 authentication event rules.

What is the difference between gather victim identity information (T1589) and phishing for information (T1598)?

Gather victim identity information (T1589) is passive collection from existing sources (breach databases, LinkedIn, and corporate websites) that generates no target-side events. Phishing for information (T1598) is active elicitation where attackers contact targets directly to harvest credentials or identity data. Both feed downstream initial access objectives, but T1598 may be detectable through email gateway logs. See the TA0043 reconnaissance detection guide for the full technique coverage map.

Which log sources detect T1589 downstream indicators?

T1589 downstream detection requires authentication log sources: Windows Event ID 4625 (failed logon), 4740 (account lockout), M365 sign-in audit logs, and Entra ID (Azure AD) sign-in logs with risk event data. Log360 collects and correlates all these sources. For M365 environments, enabling Entra ID Identity Protection and integrating its risk signal with Log360 provides the most comprehensive coverage of T1589 credential misuse patterns. See the TA0043 reconnaissance guide for the full log source requirements.

How can MFA prevent T1589 credential weaponization?

MFA is the single most effective control against T1589 downstream impact. A harvested valid password is insufficient for initial access when MFA is enforced, converting the attacker's intelligence investment into a dead end. Log360 detects MFA fatigue attacks (repeated MFA push notifications from attackers hoping users will accidentally approve) and MFA enrollment manipulation (attackers attempting to add their own device to a compromised account's MFA methods) as secondary detection layers when MFA cannot be bypassed. See the TA0043 reconnaissance detection guide for the broader reconnaissance defense strategy.

On this page