Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

Email Collection

Adversaries may target user email to collect sensitive information from a target.

Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.

Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.

Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.

ID: T1114

Tactic: Collection

Platform:  Windows

Data Sources:  Authentication logs, File monitoring, Process monitoring, Process use of network

Version: 1.0

Examples

NameDescription
APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived.[1]

APT28

APT28 has collected emails from victim Microsoft Exchange servers.[2]

Backdoor.Oldrea

Backdoor.Oldrea collects address book information from Outlook.[3]

Carbanak

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[4]

CosmicDuke

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[5]

Crimson

Crimson contains a command to collect and exfiltrate emails from Outlook.[6]

Dragonfly 2.0

Dragonfly 2.0 accessed email accounts using Outlook Web Access.[7]

Ke3chang

Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[8]

Leafminer

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[9]

Magic Hound

Magic Hound has collected .PST archives.[10]

Pupy

Pupy can interact with a victim’s Outlook session and look through folders and emails.[11]

SeaDuke

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[12]

Smoke Loader

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[13]

Mitigation

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Use of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.

Identify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting [14] tools, like AppLocker, [15] [16] or Software Restriction Policies [17] where appropriate. [18]

Detection

There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.

File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.

Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References