T1114.001 Microsoft Sentinel · KQL

Detect Local Email Collection in Microsoft Sentinel

Adversaries may target user email on local systems to collect sensitive information. Outlook stores email data in offline data files (.ost) and personal storage table files (.pst), typically located in C:\Users\<username>\AppData\Local\Microsoft\Outlook or C:\Users\<username>\Documents\Outlook Files. Threat actors access, copy, or exfiltrate these files to harvest credentials, reconnaissance data, business intelligence, or email threads for thread-hijacking phishing campaigns. Groups such as APT1, QakBot, Carbanak, and RedCurl have all employed this technique at scale.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Sub-technique: T1114.001 Local Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/001/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let OutlookDataPaths = dynamic([
    "\\AppData\\Local\\Microsoft\\Outlook\\",
    "\\Documents\\Outlook Files\\"
]);
let TrustedOutlookProcesses = dynamic([
    "outlook.exe", "msoia.exe", "ocpubmgr.exe", "olk.exe",
    "searchindexer.exe", "searchprotocolhost.exe", "msosync.exe"
]);
let StagingPaths = dynamic([
    "\\Windows\\Temp\\", "\\Temp\\", "\\Downloads\\",
    "\\Public\\", "\\ProgramData\\", "\\AppData\\Roaming\\",
    "\\Users\\Public\\"
]);
let SuspiciousCopyProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe",
    "robocopy.exe", "wmic.exe", "forfiles.exe", "7z.exe",
    "winrar.exe", "rar.exe", "zip.exe"
]);
// Branch 1: Non-Outlook processes accessing .pst/.ost files in Outlook directories
let SuspiciousOutlookAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pst" or FileName endswith ".ost"
| where FolderPath has_any (OutlookDataPaths)
| where not (InitiatingProcessFileName in~ (TrustedOutlookProcesses))
| extend DetectionBranch = "NonOutlookProcessAccessingEmailStore"
// Copy/archive tooling touching the default store scores higher than an unknown process
| extend RiskScore = iff(InitiatingProcessFileName in~ (SuspiciousCopyProcesses), 3, 1);
// Branch 2: .pst/.ost files written or created outside Outlook directories (staging)
let EmailFileStagedElsewhere = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pst" or FileName endswith ".ost"
| where ActionType in ("FileCreated", "FileRenamed")
| where not (FolderPath has_any (OutlookDataPaths))
| extend DetectionBranch = "EmailFileCreatedInStagingLocation"
| extend RiskScore = iff(FolderPath has_any (StagingPaths), 3, 2);
// Branch 3: Command-line copy operations explicitly targeting .pst/.ost paths
let CmdLinePstAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "wmic.exe")
| where ProcessCommandLine has ".pst" or ProcessCommandLine has ".ost"
| where ProcessCommandLine has_any ("copy ", "xcopy ", "robocopy ", "cp ", "move ", "Get-ChildItem", "gci ", "dir ", "ls ", "Compress", "Archive", "Invoke-WebRequest", "curl", "wmic")
| extend DetectionBranch = "CommandLinePstOstOperation"
| extend RiskScore = 2;
// Combine all three branches. ProcessCommandLine is only populated for branch 3 rows
// (DeviceProcessEvents); for branches 1 and 2 the actor is InitiatingProcess*.
union SuspiciousOutlookAccess, EmailFileStagedElsewhere, CmdLinePstAccess
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, ProcessCommandLine, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp desc
```

Severity: High · Confidence: High

Detects local email collection activity targeting Outlook .pst and .ost data files. Uses the Microsoft Defender for Endpoint DeviceFileEvents and DeviceProcessEvents tables across three detection branches: (1) non-Outlook processes accessing email store files in their default locations, which catches tools like cmd.exe, PowerShell, and archivers opening Outlook data directly; (2) .pst/.ost files appearing in non-standard locations such as Windows Temp or ProgramData, which catches staging prior to exfiltration; (3) explicit command-line operations referencing .pst/.ost paths in copy, archive, or transfer tools. A RiskScore field helps prioritize: score 3 for known staging patterns, 2 for medium-confidence matches, 1 for lower-confidence process access.

Data Sources

  • File: File Access
  • File: File Creation
  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceFileEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Backup agents (Veeam, Acronis, Windows Backup, Azure Backup) that enumerate and copy user profile data including Outlook stores — these typically run under service accounts with known parent processes
  • IT migration tools (BitTitan MigrationWiz, PST Capture Tool, Barracuda PST Enterprise) used during Exchange Online migrations to collect and import PST files
  • Antivirus and DLP scanning engines that access .pst/.ost files for content inspection — notably Symantec DLP, Forcepoint, and Microsoft Purview
  • Third-party Outlook add-ins or backup utilities (e.g., MailStore, Mailbird, Stellar OST to PST Converter) that legitimately access offline email stores
  • SearchIndexer.exe or SearchProtocolHost.exe Windows Search indexing — already excluded in TrustedOutlookProcesses but may appear under alternate process names
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Outlook OST File to Windows Temp (cmd.exe)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing '.ost' and 'copy'. Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\staged_email.ost, Image=cmd.exe. Security Event ID 4688 (if process command line auditing enabled) with same details. Security Event ID 4663 (if object access auditing enabled on Outlook directory) showing read access by cmd.exe.

  2. Test 2: Enumerate and Copy PST Files with PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '.pst', and 'Copy-Item'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\dftest_email_staged.pst, Image=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing full script. Security Event ID 4688 for the PowerShell process.

  3. Test 3: WMIC Remote Process PST Copy (Chimera APT Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create' and '.ost'. Secondary Sysmon Event ID 1 for the spawned cmd.exe with the copy command. Sysmon Event ID 11 for the created file in Temp. Security Event ID 4688 for both wmic.exe and cmd.exe child process. Sysmon Event ID 3 (Network Connection) for wmic WMI connection to localhost.

  4. Test 4: Archive Outlook Data Files for Exfiltration Preparation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Compress-Archive' and '.pst'. Sysmon Event ID 11: File Create events for both the dummy .pst and the resulting .zip archive in Temp. PowerShell ScriptBlock Log Event ID 4104 with full script. File Create event for the archive file may also trigger DLP rules if archive-in-staging detection is enabled.
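The three-branch scoring of the KQL query above and the expected signals from Tests 1 and 2, exercised offline as an added Python example (not the page's query and not Atomic Red Team's code). The rows, the device name ws01 and the file names are constructed, and plain substring matching stands in for KQL `has`, which matches on term boundaries.

```python
# Added example (not from the page): the three-branch KQL logic re-expressed in Python so it
# can be run offline against constructed MDE-shaped rows. Plain substring checks stand in for
# KQL `has`, which matches on term boundaries, so this is slightly looser than the query.
TRUSTED = {"outlook.exe", "msoia.exe", "ocpubmgr.exe", "olk.exe",
           "searchindexer.exe", "searchprotocolhost.exe", "msosync.exe"}
OUTLOOK_DIRS = ("\\appdata\\local\\microsoft\\outlook\\", "\\documents\\outlook files\\")
STAGING = ("\\windows\\temp\\", "\\temp\\", "\\downloads\\", "\\public\\",
           "\\programdata\\", "\\appdata\\roaming\\", "\\users\\public\\")
COPY_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe",
              "wmic.exe", "forfiles.exe", "7z.exe", "winrar.exe", "rar.exe", "zip.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "wmic.exe"}
VERBS = ("copy ", "xcopy ", "robocopy ", "cp ", "move ", "get-childitem", "gci ",
         "dir ", "ls ", "compress", "archive", "invoke-webrequest", "curl", "wmic")

def classify(row):
    """Return (DetectionBranch, RiskScore) for one row, or None if it does not match."""
    if row["Table"] == "DeviceFileEvents":
        if not row["FileName"].lower().endswith((".pst", ".ost")):
            return None
        folder, proc = row["FolderPath"].lower(), row["InitiatingProcessFileName"].lower()
        if any(d in folder for d in OUTLOOK_DIRS):            # Branch 1: default store location
            if proc in TRUSTED:
                return None
            return "NonOutlookProcessAccessingEmailStore", 3 if proc in COPY_TOOLS else 1
        if row["ActionType"] in ("FileCreated", "FileRenamed"):  # Branch 2: staged elsewhere
            return "EmailFileCreatedInStagingLocation", 3 if any(s in folder for s in STAGING) else 2
        return None
    if row["Table"] == "DeviceProcessEvents":                  # Branch 3: explicit copy/archive
        cmd = row["ProcessCommandLine"].lower()
        if (row["FileName"].lower() in SHELLS and (".pst" in cmd or ".ost" in cmd)
                and any(v in cmd for v in VERBS)):
            return "CommandLinePstOstOperation", 2
    return None

def triage(rows):
    """Score every row and return (DeviceName, branch, score) matches, RiskScore descending."""
    hits = [(r["DeviceName"], *res) for r in rows if (res := classify(r))]
    return sorted(hits, key=lambda h: -h[2])

SAMPLE_ROWS = [  # constructed rows mirroring Tests 1 and 2, plus a benign Outlook write
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "staged_email.ost", "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\",
     "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "Get-ChildItem C:\\Users -Recurse -Filter *.pst | Copy-Item -Destination C:\\ProgramData\\"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "ActionType": "FileModified",
     "FileName": "alice.ost", "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\",
     "InitiatingProcessFileName": "outlook.exe"},
]
```

Calling `triage(SAMPLE_ROWS)` yields the Test 1 staging write at score 3 ahead of the Test 2 PowerShell command at score 2, while the outlook.exe write is suppressed by the allow-list.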
