Skip to content

T1114 Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

Item Value
ID T1114
Sub-techniques T1114.001, T1114.002, T1114.003
Tactics TA0009
Platforms Google Workspace, Linux, Office 365, Windows, macOS
Version 2.4
Created 31 May 2017
Last Modified 12 April 2023

Procedure Examples

ID Name Description
G0059 Magic Hound Magic Hound has compromised email credentials in order to steal sensitive data.2
G0122 Silent Librarian Silent Librarian has exfiltrated entire mailboxes from compromised accounts.3


ID Mitigation Description
M1047 Audit Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
M1041 Encrypt Sensitive Information Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
M1032 Multi-factor Authentication Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Access
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Connection Creation