T1114

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

Microsoft Sentinel / Defender

kusto

// T1114 Email Collection — covers local PST/OST access, bulk remote mailbox enumeration, and forwarding rule creation
let LegitEmailClients = dynamic(["outlook.exe", "thunderbird.exe", "SearchIndexer.exe", "SearchProtocolHost.exe", "MsMpEng.exe", "MsSense.exe", "msedge.exe"]);
let SuspiciousCollectionTools = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "robocopy.exe", "xcopy.exe", "7z.exe", "winrar.exe", "rar.exe", "curl.exe", "wget.exe"]);
// Branch 1: Non-email-client processes accessing local email data stores
let LocalEmailAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileCopied", "FileCreated", "FileRenamed")
| where FileName has_any (".pst", ".ost", ".mbox", ".eml", ".msg", ".dbx", ".nsf")
| where InitiatingProcessFileName !in~ (LegitEmailClients)
| where FolderPath has_any (@"AppData\Local\Microsoft\Outlook", @"AppData\Roaming\Thunderbird", @"AppData\Local\Microsoft\Windows Mail", @"AppData\Roaming\Mozilla Thunderbird")
    or InitiatingProcessFileName in~ (SuspiciousCollectionTools)
| project
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    FolderPath,
    ActionType,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    ReportId,
    DetectionBranch = "LocalEmailCollection";
// Branch 2: High-volume O365 mailbox access suggesting programmatic email harvesting
let RemoteEmailCollection = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("MailItemsAccessed", "MessageBind", "FolderBind")
| where ResultStatus =~ "Succeeded"
| summarize
    AccessCount = count(),
    UniqueIPs = dcount(ClientIP),
    ClientIPSet = make_set(ClientIP, 5),
    UserAgentSet = make_set(UserAgent, 3)
    by UserId, bin(TimeGenerated, 30m)
| where AccessCount > 200 or UniqueIPs > 3
| extend SuspicionFlag = case(
    UserAgentSet has_any ("python", "curl", "requests", "java", "go-http", "urllib"), "AutomationUserAgent",
    UniqueIPs > 3, "MultiIPAccess",
    "HighVolumeAccess")
| project
    Timestamp = TimeGenerated,
    DeviceName = "",
    AccountName = UserId,
    FileName = "",
    FolderPath = "",
    ActionType = strcat("BulkMailboxAccess|", SuspicionFlag),
    InitiatingProcessFileName = tostring(UserAgentSet),
    InitiatingProcessCommandLine = strcat("IPs: ", tostring(ClientIPSet), " | Count: ", tostring(AccessCount)),
    ReportId = "",
    DetectionBranch = "RemoteEmailCollection";
LocalEmailAccess
| union RemoteEmailCollection
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Application Log: Application Log Content Microsoft Defender for Endpoint Microsoft 365 Unified Audit Log

Required Tables

DeviceFileEvents OfficeActivity

False Positives

Enterprise backup software (Veeam Agent, Backup Exec, Windows Server Backup) accessing PST/OST files during scheduled backup windows — exclude by known backup service account and initiating process path
Email migration tools (MigrationWiz, BitTitan, native PST import via New-MailboxImportRequest) performing authorized mailbox migrations — coordinate with IT to exclude migration service accounts during migration windows
Anti-virus and EDR scanning engines (MsMpEng.exe, SentinelAgent.exe) reading email files during on-demand or scheduled scans — already excluded by LegitEmailClients list, extend as needed
IT administrators performing authorized mailbox exports for legal holds or e-discovery using Exchange Admin Center or New-MailboxExportRequest PowerShell cmdlet
Microsoft 365 compliance and archiving solutions (Mimecast, Proofpoint Archive, Microsoft Purview) performing high-volume MailItemsAccessed for compliance journaling — exclude known archiving service accounts

Splunk

spl

// T1114 Email Collection — Sysmon file access to local email data stores
// Detects non-email-client processes accessing PST/OST/MBOX/MSG email files
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.pst" OR TargetFilename="*.ost" OR TargetFilename="*.mbox"
   OR TargetFilename="*.eml" OR TargetFilename="*.msg" OR TargetFilename="*.dbx" OR TargetFilename="*.nsf")
  NOT (
    Image="*\\outlook.exe" OR Image="*\\OUTLOOK.EXE"
    OR Image="*\\thunderbird.exe"
    OR Image="*\\SearchIndexer.exe"
    OR Image="*\\SearchProtocolHost.exe"
    OR Image="*\\MsMpEng.exe"
    OR Image="*\\MsSense.exe"
  )
)
| eval SuspicionScore=0
| eval SuspicionScore=if(match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), SuspicionScore+3, SuspicionScore)
| eval SuspicionScore=if(match(Image, "(?i)(robocopy\.exe|xcopy\.exe|7z\.exe|winrar\.exe|rar\.exe|curl\.exe|wget\.exe)"), SuspicionScore+3, SuspicionScore)
| eval SuspicionScore=if(match(lower(TargetFilename), "(appdata.*outlook|appdata.*thunderbird|appdata.*windows mail)"), SuspicionScore+2, SuspicionScore)
| eval SuspicionScore=if(match(TargetFilename, "(?i)(\.pst$|\.ost$)"), SuspicionScore+1, SuspicionScore)
| eval EmailFileType=case(
    match(TargetFilename, "(?i)\.pst$"), "OutlookPST",
    match(TargetFilename, "(?i)\.ost$"), "OutlookOST",
    match(TargetFilename, "(?i)\.mbox$"), "MboxArchive",
    match(TargetFilename, "(?i)\.msg$"), "OutlookMessage",
    match(TargetFilename, "(?i)\.eml$"), "EmailFile",
    1==1, "OtherEmailFile")
| where SuspicionScore > 0
| eval AccountName=if(isnull(User), "Unknown", User)
| table _time, host, AccountName, Image, CommandLine, TargetFilename, EmailFileType, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

File: File Access File: File Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise backup agents accessing PST/OST files during scheduled backup windows — add backup agent process paths to the NOT exclusion list
Email migration tools (PST import utilities, MigrationWiz agent) performing authorized mailbox data operations during announced migration projects
Anti-virus or EDR agents with non-standard process names that perform file scanning — extend the exclusion list with verified scanner paths
IT automation scripts (SCCM baseline scripts, auditing tools) inventorying email archive files — coordinate expected script hashes with change management
User-initiated archive operations using 7-Zip or WinRAR to compress old PST files for storage — may be legitimate but warrants confirmation with the user

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  "filename" AS TargetFile,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%File Create%'
  AND (
    "filename" ILIKE '%.pst'
    OR "filename" ILIKE '%.ost'
    OR "filename" ILIKE '%.mbox'
    OR "filename" ILIKE '%.eml'
    OR "filename" ILIKE '%.msg'
    OR "filename" ILIKE '%.dbx'
    OR "filename" ILIKE '%.nsf'
  )
  AND "Image" NOT ILIKE '%\\outlook.exe'
  AND "Image" NOT ILIKE '%\\OUTLOOK.EXE'
  AND "Image" NOT ILIKE '%\\thunderbird.exe'
  AND "Image" NOT ILIKE '%\\SearchIndexer.exe'
  AND "Image" NOT ILIKE '%\\SearchProtocolHost.exe'
  AND "Image" NOT ILIKE '%\\MsMpEng.exe'
  AND "Image" NOT ILIKE '%\\MsSense.exe'
  AND (
    "Image" ILIKE '%\\powershell.exe'
    OR "Image" ILIKE '%\\pwsh.exe'
    OR "Image" ILIKE '%\\cmd.exe'
    OR "Image" ILIKE '%\\python.exe'
    OR "Image" ILIKE '%\\python3.exe'
    OR "Image" ILIKE '%\\wscript.exe'
    OR "Image" ILIKE '%\\cscript.exe'
    OR "Image" ILIKE '%\\mshta.exe'
    OR "Image" ILIKE '%\\robocopy.exe'
    OR "Image" ILIKE '%\\xcopy.exe'
    OR "Image" ILIKE '%\\7z.exe'
    OR "Image" ILIKE '%\\winrar.exe'
    OR "Image" ILIKE '%\\rar.exe'
    OR "Image" ILIKE '%\\curl.exe'
    OR "Image" ILIKE '%\\wget.exe'
    OR "filename" ILIKE '%AppData%Outlook%'
    OR "filename" ILIKE '%AppData%Thunderbird%'
    OR "filename" ILIKE '%AppData%Windows Mail%'
  )
  AND LOGSOURCETYPENAME(logsourceid) NOT ILIKE '%Flow%'
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Sysmon log source Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Enterprise backup agents (Commvault, NetBackup, Veeam) accessing PST files as part of scheduled mailbox backup jobs
Legal eDiscovery tools using command-line interfaces to collect email archives for compliance or litigation holds
IT migration scripts during Office 365 onboarding that copy local PST files to upload to Exchange Online

Sumo Logic CSE

sql

// T1114 Email Collection - Local email data store access by suspicious processes
_sourceCategory=*windows*sysmon* EventID=11
| parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as TargetFilename nodrop
| parse "<Image><![CDATA[*]]></Image>" as Image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
| parse "<User>*</User>" as User nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| where TargetFilename matches "*.pst"
  or TargetFilename matches "*.ost"
  or TargetFilename matches "*.mbox"
  or TargetFilename matches "*.eml"
  or TargetFilename matches "*.msg"
  or TargetFilename matches "*.dbx"
  or TargetFilename matches "*.nsf"
| where !(Image matches "*\\outlook.exe"
  or Image matches "*\\OUTLOOK.EXE"
  or Image matches "*\\thunderbird.exe"
  or Image matches "*\\SearchIndexer.exe"
  or Image matches "*\\SearchProtocolHost.exe"
  or Image matches "*\\MsMpEng.exe"
  or Image matches "*\\MsSense.exe"
  or Image matches "*\\msedge.exe")
| eval SuspicionScore = 0
| eval SuspicionScore = if(Image matches "*\\powershell.exe" or Image matches "*\\pwsh.exe" or Image matches "*\\cmd.exe" or Image matches "*\\python*.exe" or Image matches "*\\wscript.exe" or Image matches "*\\cscript.exe" or Image matches "*\\mshta.exe", SuspicionScore + 3, SuspicionScore)
| eval SuspicionScore = if(Image matches "*\\robocopy.exe" or Image matches "*\\xcopy.exe" or Image matches "*\\7z.exe" or Image matches "*\\winrar.exe" or Image matches "*\\rar.exe" or Image matches "*\\curl.exe" or Image matches "*\\wget.exe", SuspicionScore + 3, SuspicionScore)
| eval SuspicionScore = if(TargetFilename matches "*AppData*Outlook*" or TargetFilename matches "*AppData*Thunderbird*" or TargetFilename matches "*AppData*Windows Mail*", SuspicionScore + 2, SuspicionScore)
| eval SuspicionScore = if(TargetFilename matches "*.pst" or TargetFilename matches "*.ost", SuspicionScore + 1, SuspicionScore)
| where SuspicionScore > 0
| eval EmailFileType = if(TargetFilename matches "*.pst", "OutlookPST",
    if(TargetFilename matches "*.ost", "OutlookOST",
    if(TargetFilename matches "*.mbox", "MboxArchive",
    if(TargetFilename matches "*.msg", "OutlookMessage",
    if(TargetFilename matches "*.eml", "EmailFile", "OtherEmailFile")))))
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, EmailFileType, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Sysmon source Windows Event Log collector with Sysmon

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

PST Capture tool or similar Microsoft-provided migration utilities that run as cmd.exe subprocesses when packaging PST files for archival
Security awareness training platforms running email phishing simulations that generate EML files in user profile directories
Corporate DLP agents built on scripting runtimes that scan outbound email attachments stored temporarily in AppData paths

Google Chronicle / SecOps

yaral

rule t1114_email_collection_local_and_remote {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1114 Email Collection: suspicious process access to local email data stores (PST/OST/MBOX/MSG/EML/DBX/NSF) by non-email-client processes including scripting engines, archival tools, and copy utilities"
    mitre_attack_technique = "T1114"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1114/"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      $e.target.file.full_path = /(?i)\.pst$/ or
      $e.target.file.full_path = /(?i)\.ost$/ or
      $e.target.file.full_path = /(?i)\.mbox$/ or
      $e.target.file.full_path = /(?i)\.eml$/ or
      $e.target.file.full_path = /(?i)\.msg$/ or
      $e.target.file.full_path = /(?i)\.dbx$/ or
      $e.target.file.full_path = /(?i)\.nsf$/
    )
    not $e.principal.process.file.full_path = /(?i)(\\outlook\.exe|\\thunderbird\.exe|\\SearchIndexer\.exe|\\SearchProtocolHost\.exe|\\MsMpEng\.exe|\\MsSense\.exe|\\msedge\.exe)$/
    (
      $e.principal.process.file.full_path = /(?i)(\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe|\\python[23]?\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\robocopy\.exe|\\xcopy\.exe|\\7z\.exe|\\winrar\.exe|\\rar\.exe|\\curl\.exe|\\wget\.exe)$/ or
      $e.target.file.full_path = /(?i)AppData.*(Outlook|Thunderbird|Windows Mail)/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM - Endpoint file events Google Chronicle Sysmon ingestion CrowdStrike Falcon via Chronicle

Required Tables

File creation UDM events (metadata.event_type = FILE_CREATION)

False Positives

Automated IT provisioning scripts using robocopy to stage PST files for migration to Exchange Online or archive storage
SIEM or log collection agents running as python.exe that parse EML attachments from shared directories for content inspection
Forensic investigation tools used by internal security teams that access PST/OST files during incident response — coordinate with IR team for approved tool exclusions

CrowdStrike LogScale (CQL)

cql

// T1114 Email Collection - Local email data store access by suspicious processes
// Targets Falcon WriteFile and FileOpenInfo events for email file extensions
#event_simpleName = /^(WriteFile|PeFileWritten|SyntheticProcessRollup2)$/
| TargetFileName = /(?i)\.(pst|ost|mbox|eml|msg|dbx|nsf)$/
| ImageFileName != /(?i)(\\outlook\.exe|\\OUTLOOK\.EXE|\\thunderbird\.exe|\\SearchIndexer\.exe|\\SearchProtocolHost\.exe|\\MsMpEng\.exe|\\MsSense\.exe|\\msedge\.exe)$/
| SuspiciousTool := ImageFileName = /(?i)(\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe|\\python[23]?\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\robocopy\.exe|\\xcopy\.exe|\\7z\.exe|\\winrar\.exe|\\rar\.exe|\\curl\.exe|\\wget\.exe)$/
| EmailProfilePath := TargetFileName = /(?i)AppData.*(Outlook|Thunderbird|Windows.Mail)/
| where SuspiciousTool = true or EmailProfilePath = true
| EmailFileType := case(
    TargetFileName = /(?i)\.pst$/, "OutlookPST",
    TargetFileName = /(?i)\.ost$/, "OutlookOST",
    TargetFileName = /(?i)\.mbox$/, "MboxArchive",
    TargetFileName = /(?i)\.msg$/, "OutlookMessage",
    TargetFileName = /(?i)\.eml$/, "EmailFile",
    true, "OtherEmailFile")
| groupBy([ComputerName, UserName, ImageFileName, EmailFileType], function=[
    count(as=AccessCount),
    collect(TargetFileName, limit=10),
    collect(CommandLine, limit=5)
  ])
| sort(AccessCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon Data Replicator (FDR) Falcon SIEM Connector

Required Tables

#event_simpleName=WriteFile #event_simpleName=PeFileWritten #event_simpleName=SyntheticProcessRollup2

False Positives

PowerShell-based backup scripts sanctioned by IT that archive PST files to network shares or cloud storage on a scheduled basis
Python-based eDiscovery or compliance tooling that parses MSG/EML files for legal hold or data loss prevention classification
WinRAR or 7-Zip used legitimately by administrators to compress email archives for offboarding employees, which may appear identical to exfiltration staging

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Email Collection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Collection

Popular Detections