Skip to content

DET0476 Email Collection via Local Email Access and Auto-Forwarding Behavior

Item Value
ID DET0476
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1114 (Email Collection)

Analytics

Windows

AN1309

Correlates creation of email forwarding rules or header anomalies (e.g., X-MS-Exchange-Organization-AutoForwarded) with suspicious process execution, file access of .pst/.ost files, and network connections to external SMTP servers.

Log Sources
Data Component Name Channel
Network Share Access (DC0102) WinEventLog:Security EventCode=5145
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Application Log Content (DC0038) WinEventLog:Application Exchange logs or header artifacts
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Defines correlation window across email rule creation and outbound SMTP.
UserContext Filters for admin or service accounts to reduce false positives.
SMTPDomainList Allows tuning based on expected external email domains.

Linux

AN1310

Detects file access to mbox/maildir files in conjunction with curl/wget/postfix execution, or anomalous shell scripts harvesting user mail directories.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open
Network Connection Creation (DC0082) linux:syslog postfix/smtpd
Process Creation (DC0032) linux:osquery process_events
Mutable Elements
Field Description
WatchedMailDirs Specify user mail directories (/var/mail, ~/Maildir)
ProcessNameList Tune based on local mail clients or curl usage in environment
TimeWindow Define how close together access and exfil events must occur

macOS

AN1311

Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Mail or AppleScript subsystem
File Access (DC0055) macos:endpointsecurity es_event_open, es_event_exec
Mutable Elements
Field Description
ScriptProcessNameList Script interpreters or automation tools (osascript, Automator, etc.)
WatchedMailFiles Mail.app SQLite DB or .emlx directory

Office Suite

AN1312

Correlates unusual auto-forwarding rule creation via Exchange Web Services or Outlook rules engine, presence of X-MS-Exchange-Organization-AutoForwarded headers, and logon session anomalies from abnormal IPs.

Log Sources
Data Component Name Channel
Command Execution (DC0064) m365:unified Set-Mailbox, New-InboxRule
Application Log Content (DC0038) m365:exchange MessageTrace logs
Logon Session Creation (DC0067) azure:ad SignInEvents
Mutable Elements
Field Description
UserAgentList Restrict rules from non-browser agents
ExternalSMTPDomainList Allow listing for org-sanctioned forwarding domains
TimeWindow Time delta between rule creation and suspicious sign-in