1. Home
  2. Techniques
  3. Enterprise
  4. Email Collection
  5. Local Email Collection

Email Collection: Local Email Collection

ID Name
T1114.001 Local Email Collection
T1114.002 Remote Email Collection
T1114.003 Email Forwarding Rule

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.[1] IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.[2]

ID: T1114.001
Sub-technique of:  T1114
Tactic: Collection
Platforms: Windows
Version: 1.1
Created: 19 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0006 APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[3]
S0030 Carbanak

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[4]
G0114 Chimera

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst"
copy.[5]
S0050 CosmicDuke

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[6]
S0115 Crimson

Crimson contains a command to collect and exfiltrate emails from Outlook.[7]
S0367 Emotet

Emotet has been observed leveraging a module that scrapes email data from Outlook.[8]
S0363 Empire

Empire has the ability to collect emails on a target system.[9]
S0526 KGH_SPY

KGH_SPY can harvest data from mail clients.[10]
S1142 LunarMail

LunarMail can capture the recipients of sent email messages from compromised accounts.[11]
G0059 Magic Hound

Magic Hound has collected .PST archives.[12]
G1054 MirrorFace

MirrorFace has exfiltrated stored emails from compromised hosts.[13]
C0002 Night Dragon

During Night Dragon, threat actors used RAT malware to exfiltrate email archives.[14]
S0594 Out1

Out1 can parse e-mails on a target machine.[15]
S0192 Pupy

Pupy can interact with a victim’s Outlook session and look through folders and emails.[16]
S0650 QakBot

QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[17][18][19]
G1039 RedCurl

RedCurl has collected emails to use in future phishing campaigns.[20]
G1041 Sea Turtle

Sea Turtle collected email archives from victim environments.[21]
S0226 Smoke Loader

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[22]
G1035 Winter Vivern

Winter Vivern delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited email servers.[23]
G0090 WIRTE

WIRTE has collected documents from victims' email accounts.[24]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
M1060 Out-of-Band Communications Channel

Implement secure out-of-band alerts to notify security teams of unusual local email activities, such as mass forwarding or large attachments being sent, indicating potential data exfiltration attempts.[25]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling AN0130

Detection focuses on processes that attempt to locate, access, or exfiltrate local Outlook data files (.pst/.ost) using file system access, native Windows utilities (e.g., PowerShell, WMI), or remote access tools with file browsing capabilities. The behavior chain includes directory enumeration, file access, optional compression or staging, and network transfer.

References

  1. N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.
  2. Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.
  3. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  4. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  5. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  6. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  7. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  8. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  9. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  10. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  11. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  12. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  13. Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.
  1. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  2. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  3. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  4. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  5. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
  6. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  7. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  8. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  9. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  10. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  11. Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.
  12. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.