T1114 Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.[3][1] Adversaries can collect or forward email from mail servers or clients.

ID: T1114
Sub-techniques: T1114.001, T1114.002, T1114.003
Tactics: TA0009
Platforms: Linux, Office Suite, Windows, macOS
Version: 2.6
Created: 31 May 2017
Last Modified: 24 October 2025

Procedure Examples

G1003  Ember Bear        Ember Bear attempts to collect mail from accessed systems and servers.[8][9]
S0367  Emotet            Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[5][6][4]
G0059  Magic Hound       Magic Hound has compromised email credentials in order to steal sensitive data.[11]
G1015  Scattered Spider  Scattered Spider searched the victim's Microsoft Exchange for emails about the intrusion and incident response.[12]
G0122  Silent Librarian  Silent Librarian has exfiltrated entire mailboxes from compromised accounts.[10]
S1201  TRANSLATEXT       TRANSLATEXT has exfiltrated collected email addresses to the C2 server.[7]

Mitigations

M1047  Audit                               Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
M1041  Encrypt Sensitive Information       Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
M1032  Multi-factor Authentication         Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.
M1060  Out-of-Band Communications Channel  Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests. For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email to prevent adversaries from collecting data through compromised email accounts.[3]
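The M1047 audit above is easiest to run as a script rather than by clicking through mailbox settings. The following is an added example, not part of the ATT&CK page or any MITRE tooling: it enumerates the three places Exchange Online can forward or copy mail (mailbox-level forwarding, inbox rules, and transport rules) and flags destinations outside the tenant's accepted domains. It assumes an Exchange Online PowerShell session already opened with Connect-ExchangeOnline (ExchangeOnlineManagement module) under an account allowed to read mailboxes, inbox rules and transport rules; the output file name and the Test-ExternalRecipient helper are this example's own choices.

```powershell
# Added example (not the ATT&CK page's or MITRE's code). Assumes an Exchange Online
# PowerShell session opened with Connect-ExchangeOnline by an account that can read
# mailboxes, inbox rules and transport rules.

# Domains the tenant owns; any other destination is treated as external.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Inbox-rule recipients look like '"Jane Doe" [SMTP:jane@example.com]' or a bare
    # address; mailbox forwarding looks like 'smtp:someone@example.com'. Pull out the address.
    if ($Recipient -match '([^\s"\[\]<>:]+@[^\s"\[\]<>]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    # No SMTP address at all means a directory object inside the tenant: internal.
    return $false
}

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress / -ForwardingAddress).
foreach ($mbx in $mailboxes) {
    foreach ($target in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
        $findings.Add([pscustomobject]@{
            Source      = 'MailboxForwarding'
            Mailbox     = $mbx.UserPrincipalName
            RuleName    = ''
            Destination = "$target"
            External    = Test-ExternalRecipient "$target"
            AlsoDeletes = $false
        })
    }
}

# 2. Inbox rules that forward or redirect mail: the auto-forwarding rules M1047 refers to.
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($target in $targets) {
            $findings.Add([pscustomobject]@{
                Source      = 'InboxRule'
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Destination = "$target"
                External    = Test-ExternalRecipient "$target"
                # A rule that forwards and also deletes leaves the owner no copy to notice.
                AlsoDeletes = [bool]$rule.DeleteMessage
            })
        }
    }
}

# 3. Transport (mail flow) rules that copy or redirect mail organisation-wide.
foreach ($tr in Get-TransportRule) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients) | Where-Object { $_ }
    foreach ($target in $targets) {
        $findings.Add([pscustomobject]@{
            Source      = 'TransportRule'
            Mailbox     = '(organisation)'
            RuleName    = $tr.Name
            Destination = "$target"
            External    = Test-ExternalRecipient "$target"
            AlsoDeletes = $false
        })
    }
}

# External destinations first; each one should map to a change record or the mailbox owner's intent.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a forwarding destination that appears between two runs without a matching request is the signal the M1047 mitigation is looking for, and the AlsoDeletes column separates ordinary user conveniences from rules set up to keep the mailbox owner from seeing the forwarded mail.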

References

  1. CISA. (2021, April 15). Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Retrieved August 30, 2024.

  2. McMichael, T. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.

  3. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.

  4. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.

  5. CIS. (2018, December 12). MS-ISAC Security Primer - Emotet. Retrieved March 25, 2019.

  6. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

  7. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.

  8. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.

  9. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.

  10. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.

  11. Certfa Labs. (2021, January 8). Charming Kitten's Christmas Gift. Retrieved May 3, 2021.

  12. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.