ID | Name |
---|---|
T1114.001 | Local Email Collection |
T1114.002 | Remote Email Collection |
T1114.003 | Email Forwarding Rule |
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.[1] IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files
or C:\Users\<username>\AppData\Local\Microsoft\Outlook
.[2]
ID | Name | Description |
---|---|---|
G0006 | APT1 |
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[3] |
S0030 | Carbanak |
Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[4] |
G0114 | Chimera |
Chimera has harvested data from victim's e-mail including through execution of |
S0050 | CosmicDuke |
CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[6] |
S0115 | Crimson |
Crimson contains a command to collect and exfiltrate emails from Outlook.[7] |
S0367 | Emotet |
Emotet has been observed leveraging a module that scrapes email data from Outlook.[8] |
S0363 | Empire |
Empire has the ability to collect emails on a target system.[9] |
S0526 | KGH_SPY | |
S1142 | LunarMail |
LunarMail can capture the recipients of sent email messages from compromised accounts.[11] |
G0059 | Magic Hound |
Magic Hound has collected .PST archives.[12] |
C0002 | Night Dragon |
During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[13] |
S0594 | Out1 | |
S0192 | Pupy |
Pupy can interact with a victim’s Outlook session and look through folders and emails.[15] |
S0650 | QakBot |
QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[16][17][18] |
G1039 | RedCurl |
RedCurl has collected emails to use in future phishing campaigns.[19] |
S0226 | Smoke Loader |
Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[20] |
G1035 | Winter Vivern |
Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.[21] |
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
M1060 | Out-of-Band Communications Channel |
Implement secure out-of-band alerts to notify security teams of unusual local email activities, such as mass forwarding or large attachments being sent, indicating potential data exfiltration attempts.[22] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
DS0022 | File | File Access |
Monitor for unusual processes accessing local email files that may target user email on local systems to collect sensitive information. |