T1114 Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

Item	Value
ID	T1114
Sub-techniques	T1114.001, T1114.002, T1114.003
Tactics	TA0009
Platforms	Google Workspace, Linux, Office 365, Windows, macOS
Permissions required	User
Version	2.3
Created	31 May 2017
Last Modified	15 October 2021

Procedure Examples

ID	Name	Description
G0059	Magic Hound	Magic Hound has compromised email credentials in order to steal sensitive data.³
G0122	Silent Librarian	Silent Librarian has exfiltrated entire mailboxes from compromised accounts.²

Mitigations

ID	Mitigation	Description
M1047	Audit	Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
M1041	Encrypt Sensitive Information	Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
M1032	Multi-factor Authentication	Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Detection

ID	Data Source	Data Component
DS0015	Application Log	Application Log Content
DS0017	Command	Command Execution
DS0022	File	File Access
DS0028	Logon Session	Logon Session Creation
DS0029	Network Traffic	Network Connection Creation

References

McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019. ↩
DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021. ↩
Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. ↩