ID | Name |
---|---|
T1114.001 | Local Email Collection |
T1114.002 | Remote Email Collection |
T1114.003 | Email Forwarding Rule |
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
ID | Name | Description |
---|---|---|
G0006 | APT1 |
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1] |
G0007 | APT28 |
APT28 has collected emails from victim Microsoft Exchange servers.[2][3] |
G0016 | APT29 |
APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.[4][5] |
G0114 | Chimera |
Chimera has harvested data from remote mailboxes including through execution of |
G0035 | Dragonfly |
Dragonfly has accessed email accounts using Outlook Web Access.[7] |
G0085 | FIN4 |
FIN4 has accessed and hijacked online email communications using stolen credentials.[8][9] |
G0125 | HAFNIUM | |
G0004 | Ke3chang |
Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[12][13] |
G0094 | Kimsuky |
Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.[14] |
G0077 | Leafminer |
Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[15] |
S0395 | LightNeuron |
LightNeuron collects Exchange emails matching rules specified in its configuration.[16] |
G0059 | Magic Hound |
Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet |
S0413 | MailSniper |
MailSniper can be used for searching through email in Exchange and Office 365 environments.[19] |
S0053 | SeaDuke |
Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[20] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using |
S0476 | Valak |
Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[23] |
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
M1032 | Multi-factor Authentication |
Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
In Office365 environments, consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior.[24] |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. |
DS0028 | Logon Session | Logon Session Creation |
Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account). |
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. |