T1114 Email Collection
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
| Item | Value |
|---|---|
| ID | T1114 |
| Sub-techniques | T1114.001, T1114.002, T1114.003 |
| Tactics | TA0009 |
| Platforms | Google Workspace, Linux, Office 365, Windows, macOS |
| Version | 2.4 |
| Created | 31 May 2017 |
| Last Modified | 12 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0059 | Magic Hound | Magic Hound has compromised email credentials in order to steal sensitive data. [2] |
| G0122 | Silent Librarian | Silent Librarian has exfiltrated entire mailboxes from compromised accounts. [3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis. |
| M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| M1032 | Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
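The M1047 Audit mitigation above recommends reviewing auto-forwarding rules regularly. The script below is an added example of such a review, written for this page and not part of MITRE ATT&CK or any vendor tooling. It runs over a constructed list of mailbox inbox rules whose field names are loosely modelled on Exchange inbox-rule attributes (the exact schema, the organisation's domain list and the sample records are all assumptions) and flags every enabled rule that forwards or redirects mail to a domain the organisation does not own. As an added heuristic beyond the page's text, it also notes rules that delete the message after forwarding or carry an empty or one-character name, since either makes a forwarding rule harder for the mailbox owner to notice.

```python
"""Audit mailbox inbox rules for auto-forwarding to external domains.

Constructed example for the M1047 Audit mitigation. The records below
imitate an inbox-rule export; the field names are assumptions loosely
modelled on Exchange inbox-rule attributes, not an exact schema.
"""
from dataclasses import dataclass, field
from typing import List

# Domains the organisation owns (assumed); forwarding to these is internal.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample export (not real data). Each record is one inbox rule.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "bob@example.com", "Name": ".",
     "Enabled": True, "ForwardTo": ["bob.backup@mail-example.net"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "carol@example.com", "Name": "Copy to shared inbox",
     "Enabled": True, "ForwardTo": ["finance@corp.example.com"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "dave@example.com", "Name": "Old rule",
     "Enabled": False, "ForwardTo": [], "RedirectTo": ["dave@gmail-example.org"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]


@dataclass
class Finding:
    """One flagged rule: who owns it, what it is called, where mail goes, and why it was flagged."""
    mailbox: str
    rule_name: str
    external_targets: List[str]
    reasons: List[str] = field(default_factory=list)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address ('' if it has none)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one the organisation owns.

    A malformed address with no domain is treated as external so it is reviewed.
    """
    domain = _domain(address)
    return domain == "" or domain not in internal_domains


def audit_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS) -> List[Finding]:
    """Return one Finding per enabled rule that sends mail to an external address."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue  # a disabled rule cannot forward anything
        # Every action that sends a copy or the original elsewhere counts as forwarding.
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = [t for t in targets if is_external(t, internal_domains)]
        if not external:
            continue
        reasons = ["forwards to external domain"]
        if rule.get("DeleteMessage"):
            # Assumed heuristic: forward-and-delete hides the copy from the mailbox owner.
            reasons.append("deletes message after forwarding")
        if len(rule.get("Name", "").strip()) <= 1:
            # Assumed heuristic: an empty or one-character name is easy to overlook.
            reasons.append("rule name is empty or a single character")
        findings.append(Finding(rule["Mailbox"], rule.get("Name", ""), external, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule_name!r} -> {', '.join(f.external_targets)} "
              f"({'; '.join(f.reasons)})")
```

On the constructed sample only bob's rule is reported: alice's rule forwards nothing, carol's target is an internal domain, and dave's external redirect is disabled. In a real review the rule list would come from the mail platform's own export and the internal domain set from the tenant's accepted domains; the matching logic stays the same.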
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0028 | Logon Session | Logon Session Creation |
| DS0029 | Network Traffic | Network Connection Creation |
References
1. McMichael, T. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.
2. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
3. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
4. Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.
5. Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.