Email Collection: Remote Email Collection

Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

ID: T1114.002
Sub-technique of: T1114
Tactic: Collection
Platforms: Office 365, Windows
Data Sources: Authentication logs, Email gateway, Mail server, Office 365 trace logs
Version: 1.0
Created: 19 February 2020
Last Modified: 19 February 2020

Procedure Examples

Name | Description
APT1 | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[11]
APT28 | APT28 has collected emails from victim Microsoft Exchange servers.[5]
Dragonfly 2.0 | Dragonfly 2.0 accessed email accounts using Outlook Web Access.[6]
FIN4 | FIN4 has accessed and hijacked online email communications using stolen credentials.[9][10]
Ke3chang | Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[7]
Leafminer | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[8]
LightNeuron | LightNeuron collects Exchange emails matching rules specified in its configuration.[3]
MailSniper | MailSniper can be used for searching through email in Exchange and Office 365 environments.[1]
SeaDuke | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[2]
Valak | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[4]

Mitigations

Mitigation | Description
Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Detection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).
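The following is an added example, not part of the ATT&CK page, showing one way to turn the detection guidance above into code: successful logins are compared against a per-account baseline of known locations, and hits on privileged accounts (e.g. the Exchange administrator) are rated higher. The key=value log format, the account names and the baseline data are constructed assumptions; a real deployment would read the authentication or Office 365 trace logs named in the Data Sources.

```python
"""Flag Exchange/webmail logins from locations outside each account's baseline."""
import re
from collections import defaultdict
# Constructed sample authentication log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2020-02-19T07:58:10Z user=jdoe src=198.51.100.12 geo=US result=success
2020-02-19T08:03:41Z user=exchadmin src=198.51.100.20 geo=US result=success
2020-02-19T08:12:01Z user=exchadmin src=203.0.113.7 geo=RO result=success
2020-02-19T08:12:33Z user=jdoe src=203.0.113.9 geo=BR result=failure
2020-02-19T08:13:05Z user=jdoe src=203.0.113.9 geo=BR result=success
"""
# Locations each account was seen from during a clean baseline period (constructed).
BASELINE = {"jdoe": {"US"}, "exchadmin": {"US"}}
# Accounts whose mailbox access is most sensitive, e.g. the Exchange administrator.
PRIVILEGED = {"exchadmin"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_anomalous_logins(log_text, baseline, privileged):
    """Return alerts for successful logins from a location not in the account's baseline.
    Privileged accounts are rated 'high', others 'medium'; failed attempts are not
    alerted on but are counted per account and attached to later alerts for context."""
    failures = defaultdict(int)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip lines in another format rather than crash
        if ev["result"] != "success":
            failures[ev["user"]] += 1
            continue
        if ev["geo"] in baseline.get(ev["user"], set()):
            continue  # location already known for this account
        alerts.append({
            "ts": ev["ts"], "user": ev["user"], "src": ev["src"], "geo": ev["geo"],
            "severity": "high" if ev["user"] in privileged else "medium",
            "prior_failures": failures[ev["user"]],
        })
    return alerts

if __name__ == "__main__":
    for alert in find_anomalous_logins(SAMPLE_LOG, BASELINE, PRIVILEGED):
        print(alert)
```

On the constructed sample this raises a high-severity alert for the administrator login from an unseen country and a medium one for the regular user, the latter annotated with the failed attempt that preceded it.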

References