Email Collection: Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

ID: T1114.002
Sub-technique of: T1114
Tactic: Collection
Platforms: Office Suite, Windows
Contributors: Arun Seelagan, CISA
Version: 1.3
Created: 19 February 2020
Last Modified: 14 October 2024

Procedure Examples

ID Name Description
G0006 APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1]

G0007 APT28

APT28 has collected emails from victim Microsoft Exchange servers.[2][3]

G0016 APT29

APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.[4][5]

G0114 Chimera

Chimera has harvested data from remote mailboxes including through execution of \\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.[6]

G0035 Dragonfly

Dragonfly has accessed email accounts using Outlook Web Access.[7]

G0085 FIN4

FIN4 has accessed and hijacked online email communications using stolen credentials.[8][9]

G0125 HAFNIUM

HAFNIUM has used web shells to export mailbox data.[10][11]

C0038 HomeLand Justice

During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[12]

G0004 Ke3chang

Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[13][14]

G0094 Kimsuky

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.[15]

G0077 Leafminer

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[16]

S0395 LightNeuron

LightNeuron collects Exchange emails matching rules specified in its configuration.[17]

G0059 Magic Hound

Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet New-MailboxExportRequest.[18][19]

S0413 MailSniper

MailSniper can be used for searching through email in Exchange and Office 365 environments.[20]

S0053 SeaDuke

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[21]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[22][23]

G1033 Star Blizzard

Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments.[24]

S0476 Valak

Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[25]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

M1032 Multi-factor Authentication

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

M1060 Out-of-Band Communications Channel

Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests.

For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email. This reduces the risk of sensitive data being collected through compromised email accounts.

Set up out-of-band alerts to notify security teams of unusual email activities, such as mass forwarding or large attachments being sent, which could indicate email collection attempts.

Create plans for leveraging a secure out-of-band communications channel, rather than an existing in-network email server, in case of a security incident.[26]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

In Office365 environments, consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior.[27]

DS0017 Command Command Execution

Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

DS0028 Logon Session Logon Session Creation

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

Analytic 1 - Suspicious actor IPs, unusual user agents (e.g., malware, scripting interpreters like PowerShell, Python), anomalous login times

Note: This analytic is intended to detect suspicious logon session creation activity related to remote email collection.

index="azure_ad_signin_logs" Resource="Office 365 Exchange Online" AND (UserAgent="PowerShell" OR UserAgent="AADInternals") | stats count by UserAgent, UserID, IPAddress, Location | where IPAddress!="expected_ip" OR Location!="expected_location"
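The same analytic expressed as a small Python detector, so the filter, aggregation and baseline comparison can be tested offline. This is an added example, not part of the ATT&CK page; the sign-in records, the expected IP/location baseline and the user-agent prefixes (it generalizes the page's exact-match to a prefix match and adds Python clients, which the analytic also names) are all constructed assumptions.

```python
from collections import Counter

# Constructed sample Azure AD sign-in records (not real data). Field names mirror
# those in the page's Splunk analytic: Resource, UserAgent, UserID, IPAddress, Location.
SAMPLE_SIGNINS = [
    {"Resource": "Office 365 Exchange Online", "UserAgent": "PowerShell/7.2",
     "UserID": "alice@example.test", "IPAddress": "203.0.113.7", "Location": "ZZ"},
    {"Resource": "Office 365 Exchange Online", "UserAgent": "AADInternals",
     "UserID": "alice@example.test", "IPAddress": "203.0.113.7", "Location": "ZZ"},
    {"Resource": "Office 365 Exchange Online", "UserAgent": "PowerShell/7.2",
     "UserID": "svc-backup@example.test", "IPAddress": "198.51.100.10", "Location": "HQ"},
    {"Resource": "Office 365 Exchange Online", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "UserID": "bob@example.test", "IPAddress": "203.0.113.7", "Location": "ZZ"},
    {"Resource": "Microsoft Graph", "UserAgent": "python-requests/2.31",
     "UserID": "carol@example.test", "IPAddress": "203.0.113.9", "Location": "ZZ"},
]

# Assumed baseline: where the organisation expects scripted mailbox access to come from.
EXPECTED_IPS = {"198.51.100.10"}
EXPECTED_LOCATIONS = {"HQ"}
# User-agent prefixes treated as scripting/tooling clients (case-insensitive prefix match).
SUSPICIOUS_AGENT_PREFIXES = ("powershell", "aadinternals", "python")


def suspicious_exchange_signins(records, expected_ips=EXPECTED_IPS,
                                expected_locations=EXPECTED_LOCATIONS):
    """Keep Exchange Online sign-ins from scripting user agents, count them by
    (UserAgent, UserID, IPAddress, Location), and return only the tuples whose IP
    or location falls outside the expected baseline (the Splunk 'where' clause)."""
    counts = Counter()
    for rec in records:
        if rec.get("Resource") != "Office 365 Exchange Online":
            continue
        agent = rec.get("UserAgent", "")
        if not agent.lower().startswith(SUSPICIOUS_AGENT_PREFIXES):
            continue
        counts[(agent, rec["UserID"], rec["IPAddress"], rec["Location"])] += 1
    return {key: n for key, n in counts.items()
            if key[2] not in expected_ips or key[3] not in expected_locations}


def flagged_users(results):
    """Collapse the aggregated hits to the set of accounts an analyst should review."""
    return {key[1] for key in results}


if __name__ == "__main__":
    hits = suspicious_exchange_signins(SAMPLE_SIGNINS)
    for (agent, user, ip, loc), n in sorted(hits.items()):
        print(f"{user:25} {agent:16} {ip:15} {loc:4} count={n}")
    print("review:", sorted(flagged_users(hits)))
```

Only alice is flagged: the service account signs in from the baselined IP and location, bob uses a browser, and carol's Python client targets Microsoft Graph rather than Exchange Online, so widening the Resource filter is the first tuning knob to consider.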

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  3. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  4. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  5. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  6. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  7. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  8. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  9. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  10. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  11. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  12. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  13. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  14. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  15. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  16. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  17. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  18. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  19. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  20. Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.
  21. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  22. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  23. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  24. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  25. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  26. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.
  27. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.