Adversaries may target user email to collect sensitive information from a target.
Files containing email data can be acquired from a user's system, such as Outlook storage or cache files (.pst and .ost).
Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.
Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.
| Name | Description |
|------|-------------|
| APT1 | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived. |
| APT28 | APT28 has collected emails from victim Microsoft Exchange servers. |
| Backdoor.Oldrea | Backdoor.Oldrea collects address book information from Outlook. |
| Carbanak | Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server. |
| CosmicDuke | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration. |
| Crimson | Crimson contains a command to collect and exfiltrate emails from Outlook. |
| Dragonfly 2.0 | Dragonfly 2.0 accessed email accounts using Outlook Web Access. |
| Emotet | Emotet has been observed leveraging a module that scrapes email data from Outlook. |
| Empire | Empire has the ability to collect emails on a target system. |
| FIN4 | FIN4 has accessed and hijacked email communications using stolen credentials. |
| Ke3chang | Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes. |
| Leafminer | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords. |
| LightNeuron | LightNeuron collects emails matching rules specified in its configuration. |
| Magic Hound | Magic Hound has collected .PST archives. |
| Pupy | Pupy can interact with a victim’s Outlook session and look through folders and emails. |
| Ruler | Ruler can be used to enumerate Exchange users and dump the GAL. |
| SeaDuke | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. |
| Smoke Loader | Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.). |
| TrickBot | TrickBot collects email addresses from Outlook. |
| Mitigation | Description |
|------------|-------------|
| Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
File access of local system email files (for later exfiltration), unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
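The three detection angles described above (local mail-store file access by unexpected processes, command lines that drive Outlook or Exchange programmatically, and anomalous webmail authentication) can be expressed as simple rules. The following is an added example, not part of the ATT&CK page or any vendor tooling; the event field names (`type`, `process`, `path`, `cmdline`, `src_ip`, `result`), the process allowlist and the sample records are all constructed assumptions that would need to be mapped onto real telemetry such as Sysmon or webmail access logs.

```python
"""Added example: rule-based checks for email collection indicators over
constructed log records. Field names and thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Processes expected to open Outlook data files (assumption: tune per environment).
EMAIL_CLIENT_ALLOWLIST = {"outlook.exe", "searchindexer.exe"}

# Command-line fragments that indicate programmatic access to mail data.
SUSPICIOUS_CMDLINE = [
    re.compile(r"Outlook\.Application", re.I),             # Outlook COM automation
    re.compile(r"Microsoft\.Exchange\.WebServices", re.I), # EWS managed API
    re.compile(r"\.(pst|ost)\b", re.I),                    # direct references to mail stores
]

MAIL_STORE_RE = re.compile(r"\.(pst|ost)$", re.I)


def check_email_file_access(ev: Dict) -> Optional[str]:
    """Flag a read of a .pst/.ost file by a process that is not an expected mail client."""
    if ev.get("type") != "file_read" or not MAIL_STORE_RE.search(ev.get("path", "")):
        return None
    proc = ev.get("process", "").lower()
    if proc in EMAIL_CLIENT_ALLOWLIST:
        return None
    return f"unexpected process {proc} read mail store {ev['path']} (user {ev.get('user')})"


def check_commandline(ev: Dict) -> Optional[str]:
    """Flag process launches whose command line references mail stores or mail APIs."""
    if ev.get("type") != "process":
        return None
    cmd = ev.get("cmdline", "")
    for pat in SUSPICIOUS_CMDLINE:
        if pat.search(cmd):
            return f"{ev.get('process')} command line matches {pat.pattern!r} (user {ev.get('user')})"
    return None


def check_webmail_auth(events: List[Dict], max_accounts: int = 3) -> List[str]:
    """Flag a source IP whose failed webmail logins span many distinct accounts."""
    failed_users = defaultdict(set)
    for ev in events:
        if ev.get("type") == "web_auth" and ev.get("result") == "failure":
            failed_users[ev["src_ip"]].add(ev["user"])
    return [f"{ip} failed webmail login for {len(users)} distinct accounts: {sorted(users)}"
            for ip, users in failed_users.items() if len(users) >= max_accounts]


def analyze(events: List[Dict]) -> List[str]:
    """Run every per-event check plus the cross-event webmail check; return alert strings."""
    alerts = []
    for ev in events:
        for check in (check_email_file_access, check_commandline):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(check_webmail_auth(events))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "file_read", "process": "outlook.exe", "user": "alice",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.local.ost"},
    {"type": "file_read", "process": "7z.exe", "user": "alice",
     "path": r"C:\Users\alice\Documents\Outlook Files\archive.pst"},
    {"type": "process", "process": "powershell.exe", "user": "alice",
     "cmdline": 'powershell.exe -NoProfile -Command "New-Object -ComObject Outlook.Application"'},
    {"type": "process", "process": "notepad.exe", "user": "alice",
     "cmdline": "notepad.exe readme.txt"},
    {"type": "web_auth", "src_ip": "203.0.113.7", "user": "alice", "result": "failure"},
    {"type": "web_auth", "src_ip": "203.0.113.7", "user": "bob", "result": "failure"},
    {"type": "web_auth", "src_ip": "203.0.113.7", "user": "carol", "result": "failure"},
    {"type": "web_auth", "src_ip": "198.51.100.2", "user": "dave", "result": "failure"},
    {"type": "web_auth", "src_ip": "198.51.100.2", "user": "dave", "result": "success"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the constructed sample this yields three alerts: the archiver reading a .pst file, the PowerShell launch that instantiates the Outlook COM object, and the single source address failing logins against three different accounts. The allowlist and the `max_accounts` threshold are the knobs a practitioner would tune first, since indexing services and legitimate mail-migration tools also touch .pst/.ost files.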
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.