T1114.002 Remote Email Collection
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. With a user's credentials they can interact directly with an on-premises Exchange server to acquire information from within a network, or reach externally facing Exchange services, Office 365, or Google Workspace using credentials or access tokens. Because the mailbox is read through the same interfaces legitimate clients use (Outlook Web Access, MAPI, and IMAP all appear in the procedure examples below), the activity looks like ordinary mail access on the server side. Tools such as MailSniper can be used to automate searches of mailboxes for specific keywords.
Item | Value |
---|---|
ID | T1114.002 |
Sub-technique of | T1114 (Email Collection); sibling sub-techniques: T1114.001, T1114.003 |
Tactics | TA0009 |
Platforms | Google Workspace, Office 365, Windows |
Version | 1.1 |
Created | 19 February 2020 |
Last Modified | 25 March 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0006 | APT1 | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[10] |
G0007 | APT28 | APT28 has collected emails from victim Microsoft Exchange servers.[8][9] |
G0016 | APT29 | APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant.[16] |
G0114 | Chimera | Chimera has harvested data from remote mailboxes including through execution of \ .[14] |
G0035 | Dragonfly | Dragonfly has accessed email accounts using Outlook Web Access.[7] |
G0085 | FIN4 | FIN4 has accessed and hijacked online email communications using stolen credentials.[5][6] |
G0125 | HAFNIUM | HAFNIUM has used web shells to export mailbox data.[12][13] |
G0004 | Ke3chang | Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[19][20] |
G0094 | Kimsuky | Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.[15] |
G0077 | Leafminer | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[11] |
S0395 | LightNeuron | LightNeuron collects Exchange emails matching rules specified in its configuration.[4] |
G0059 | Magic Hound | Magic Hound has exported emails from compromised Exchange servers, including through use of the cmdlet New-MailboxExportRequest.[17][18] |
S0413 | MailSniper | MailSniper can be used for searching through email in Exchange and Office 365 environments.[1] |
S0053 | SeaDuke | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[2] |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[21][22] |
S0476 | Valak | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. End-to-end encryption with public key cryptography (S/MIME, for example) means a collected message is only ciphertext unless the adversary also obtains the recipient's private key. Transport encryption alone does not help against this technique, because the adversary reads messages from the mailbox after delivery. |
M1032 | Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. MFA only protects the interactive logon: a stolen access token, or a legacy protocol such as IMAP with basic authentication left enabled, still lets an adversary reach the mailbox with a password alone. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0028 | Logon Session | Logon Session Creation |
DS0029 | Network Traffic | Network Connection Creation |
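Turning the three data sources above into a concrete check, the following is an added example written for this page; it is not part of ATT&CK, MailSniper, or any tool in the references. It runs a small detector over constructed audit records shaped like Microsoft 365 Unified Audit Log entries. The field names (Operation, UserId, ClientIP, Parameters, MailItemsAccessed, OperationCount), the per-user known-IP baseline, the IP addresses, and the bulk-read threshold are all assumptions for the example, not values taken from any real tenant. It covers Command Execution by flagging the export cmdlets named in the procedure examples (Search-Mailbox is an assumed addition to that watchlist), and Logon Session / Network Connection by flagging bulk mailbox reads from an address outside a user's baseline.

```python
"""Detection over constructed Microsoft 365 / Exchange audit records.

Flags (1) execution of mailbox-export / search cmdlets named in the
procedure examples above, and (2) bulk mailbox reads (MailItemsAccessed)
from an IP address that is not in the user's baseline.
"""
import json
from collections import Counter

# Cmdlets named on the page; Search-Mailbox is an assumed addition.
EXPORT_CMDLETS = {
    "New-MailboxExportRequest",
    "Get-MailboxExportRequest",
    "Search-Mailbox",
}

# Constructed baseline: IPs each user normally authenticates from.
KNOWN_IPS = {
    "ceo@corp.example": {"203.0.113.10"},
    "it-admin@corp.example": {"203.0.113.10", "203.0.113.11"},
}

# Constructed sample records, shaped like Unified Audit Log entries
# (field names are an assumption, not copied from any real tenant).
SAMPLE_RECORDS = [
    json.dumps({
        "CreationTime": "2023-05-01T02:11:04", "RecordType": 1,
        "Operation": "New-MailboxExportRequest",
        "UserId": "it-admin@corp.example", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Mailbox", "Value": "ceo@corp.example"},
            {"Name": "FilePath", "Value": "\\\\EXCH01\\c$\\temp\\ceo.pst"},
        ],
    }),
    json.dumps({
        "CreationTime": "2023-05-01T02:12:30", "RecordType": 1,
        "Operation": "Get-MailboxExportRequest",
        "UserId": "it-admin@corp.example", "ClientIP": "198.51.100.7",
        "Parameters": [],
    }),
    json.dumps({  # benign admin activity from a known address: not flagged
        "CreationTime": "2023-05-01T09:00:00", "RecordType": 1,
        "Operation": "Set-Mailbox",
        "UserId": "it-admin@corp.example", "ClientIP": "203.0.113.11",
        "Parameters": [{"Name": "Identity", "Value": "alice@corp.example"}],
    }),
] + [
    json.dumps({  # four full-sync reads of the CEO mailbox from a new IP
        "CreationTime": f"2023-05-01T03:00:{i:02d}", "RecordType": 50,
        "Operation": "MailItemsAccessed",
        "UserId": "ceo@corp.example", "ClientIP": "198.51.100.7",
        "MailAccessType": "Sync",
        "ClientInfoString": "Client=REST;Client=RESTSystem;;",
        "OperationCount": 25,
    }) for i in range(4)
] + [
    json.dumps({  # the CEO reading a few items via OWA from a known IP
        "CreationTime": "2023-05-01T08:15:00", "RecordType": 50,
        "Operation": "MailItemsAccessed",
        "UserId": "ceo@corp.example", "ClientIP": "203.0.113.10",
        "MailAccessType": "Bind",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationCount": 3,
    }),
]

ITEM_THRESHOLD = 50  # assumed bulk-read threshold for one batch of records


def params(rec):
    """Flatten the Parameters array of an admin-cmdlet record into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def detect(lines, known_ips=KNOWN_IPS, threshold=ITEM_THRESHOLD):
    """Return a list of findings for a batch of JSON audit lines."""
    findings = []
    reads = Counter()  # (user, ip) -> items read via MailItemsAccessed
    for line in lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        user, ip = rec.get("UserId", ""), rec.get("ClientIP", "")
        if op in EXPORT_CMDLETS:
            p = params(rec)
            findings.append({
                "rule": "mailbox-export-cmdlet", "operator": user, "ip": ip,
                "cmdlet": op, "target": p.get("Mailbox"),
                "path": p.get("FilePath"),
                "new_ip": ip not in known_ips.get(user, set()),
            })
        elif op == "MailItemsAccessed":
            reads[(user, ip)] += int(rec.get("OperationCount", 1))
    for (user, ip), count in reads.items():
        if ip not in known_ips.get(user, set()) and count >= threshold:
            findings.append({"rule": "bulk-read-from-new-ip", "user": user,
                             "ip": ip, "items": count})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

On the constructed input this yields two cmdlet findings (the export request and its status check, both from an address outside the admin's baseline, with the target mailbox and PST path extracted) and one bulk-read finding for the CEO mailbox; the Set-Mailbox call and the small OWA read from a known address are ignored. In practice the baseline would come from weeks of logon history rather than a hard-coded dict, and MailItemsAccessed auditing must be licensed and enabled before the second rule has any data to work with.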
References
1. Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.
2. Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
3. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
4. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
5. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
6. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
7. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
8. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
10. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
11. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
12. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
13. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
14. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
15. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
16. Bienstock, D. (2022, August 18). You Can't Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
17. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
18. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
19. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
20. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
21. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
22. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.