DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling

Item	Value
ID	DET0047
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1114.001 (Local Email Collection)

Analytics

Windows

AN0130

Detection focuses on processes that attempt to locate, access, or exfiltrate local Outlook data files (.pst/.ost) using file system access, native Windows utilities (e.g., PowerShell, WMI), or remote access tools with file browsing capabilities. The behavior chain includes directory enumeration, file access, optional compression or staging, and network transfer.

Log Sources

Data Component	Name	Channel
File Access (DC0055)	WinEventLog:Security	EventCode=4663, 4670, 4656
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
TargetFilePathPattern	Regex or wildcard patterns for sensitive Outlook file paths (.ost/.pst) depending on organizational deployment.
TimeWindow	Timeframe used to correlate related file access, process creation, and exfiltration events.
UserContext	Limit detection to user accounts not normally interacting with Outlook file locations (e.g., service accounts, low-privileged users).
ProcessAllowList	Filter known legitimate Outlook-accessing processes to reduce false positives.