T1114.001 Sumo Logic CSE · Sumo

Detect Local Email Collection in Sumo Logic CSE

Adversaries may target user email on local systems to collect sensitive information. Outlook stores email data in offline data files (.ost) and personal storage table files (.pst), typically located in C:\Users\<username>\AppData\Local\Microsoft\Outlook or C:\Users\<username>\Documents\Outlook Files. Threat actors access, copy, or exfiltrate these files to harvest credentials, reconnaissance data, business intelligence, or email threads for thread-hijacking phishing campaigns. Groups such as APT1, QakBot, Carbanak, and RedCurl have all employed this technique at scale.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Sub-technique: T1114.001 Local Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon"
| json auto
| where EventID in ("1", "11")
// nodrop keeps Event ID 1 rows, which carry no TargetFilename, and Event ID 11 rows, which carry no CommandLine
| parse field=TargetFilename "*" as target_filename nodrop
| parse field=Image "*" as process_image nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=CommandLine "*" as command_line nodrop
// Pre-filter: .pst/.ost file creates, or shell/copy-tool launches whose command line mentions a .pst/.ost
| where (EventID = "11" and (target_filename matches "*.pst" or target_filename matches "*.ost"))
      or (EventID = "1"
          and (toLowerCase(command_line) matches "*.pst*" or toLowerCase(command_line) matches "*.ost*")
          and toLowerCase(process_image) matches /(cmd|powershell|pwsh|xcopy|robocopy|wmic|forfiles)\.exe/)
// Classifier flags (regex literals; the glob form of matches has no alternation)
| if(toLowerCase(target_filename) matches /(appdata\\local\\microsoft\\outlook|documents\\outlook files)/, 1, 0) as is_outlook_path
| if(toLowerCase(target_filename) matches /(\\windows\\temp|\\temp\\|\\downloads\\|\\public\\|\\programdata\\|\\appdata\\roaming\\|\\users\\public\\)/, 1, 0) as is_staging_path
| if(toLowerCase(process_image) matches /(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr|msoia|olk)\.exe/, 1, 0) as is_trusted_outlook_proc
| if(toLowerCase(command_line) matches /(xcopy|robocopy|compress-archive|invoke-webrequest|\bcopy\b|wmic.*call.*create)/, 1, 0) as is_copy_operation
// Detection branches; Outlook writing its own store in its own folder falls through to "Other"
| if(EventID = "11" and is_outlook_path = 1 and is_trusted_outlook_proc = 0, "NonOutlookProcessAccessingEmailStore",
    if(EventID = "11" and is_outlook_path = 0 and is_staging_path = 1, "EmailFileStagedInSuspiciousLocation",
    if(EventID = "1" and is_copy_operation = 1, "CommandLinePstCopyOperation",
    if(EventID = "1", "CommandLineReferencingEmailStore", "Other")))) as detection_branch
| where detection_branch != "Other"
| if(is_staging_path = 1 and is_trusted_outlook_proc = 0, 3,
    if(is_copy_operation = 1, 3,
    if(detection_branch = "NonOutlookProcessAccessingEmailStore", 2, 1))) as risk_score
| fields _messagetime, Computer, User, EventID, process_image, parent_image,
         command_line, target_filename, detection_branch, risk_score,
         is_outlook_path, is_staging_path, is_trusted_outlook_proc
| sort by risk_score desc, _messagetime desc

Severity: high. Confidence: high.

Sumo Logic query detecting T1114.001 Local Email Collection by monitoring Sysmon events for PST/OST file access and staging. Three detection branches cover non-Outlook process access to Outlook directories, PST/OST file staging in suspicious locations (Temp, Downloads, Public), and command-line operations with copy/exfiltration verbs referencing email store file extensions.
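To check the branch logic and risk scoring offline before tuning it in Sumo, here is the same classifier re-implemented in Python and run over a handful of Sysmon-shaped events. This is an added example, not code from the page or from Sumo Logic; the event dictionaries, host names, user names and file paths are constructed, and the regexes mirror the query's classifiers one for one.

```python
import re
from typing import Optional

# Classifier patterns, applied to lowercased fields exactly as the query does.
OUTLOOK_PATH_RE = re.compile(r"(appdata\\local\\microsoft\\outlook|documents\\outlook files)")
STAGING_PATH_RE = re.compile(
    r"(\\windows\\temp|\\temp\\|\\downloads\\|\\public\\|\\programdata\\|\\appdata\\roaming\\|\\users\\public\\)"
)
TRUSTED_PROC_RE = re.compile(r"(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr|msoia|olk)\.exe")
SHELL_PROC_RE = re.compile(r"(cmd|powershell|pwsh|xcopy|robocopy|wmic|forfiles)\.exe")
COPY_VERB_RE = re.compile(r"(xcopy|robocopy|compress-archive|invoke-webrequest|\bcopy\b|wmic.*call.*create)")
EMAIL_STORE_RE = re.compile(r"\.(pst|ost)")


def classify(event: dict) -> Optional[dict]:
    """Return the detection branch and risk score for one Sysmon event, or None if it does not fire."""
    event_id = str(event.get("EventID", ""))
    target = str(event.get("TargetFilename", "")).lower()
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()

    # Pre-filter: .pst/.ost file creates, or shell-launched commands that mention a .pst/.ost
    if event_id == "11":
        if not target.endswith((".pst", ".ost")):
            return None
    elif event_id == "1":
        if not (EMAIL_STORE_RE.search(cmdline) and SHELL_PROC_RE.search(image)):
            return None
    else:
        return None

    is_outlook_path = bool(OUTLOOK_PATH_RE.search(target))
    is_staging_path = bool(STAGING_PATH_RE.search(target))
    is_trusted_proc = bool(TRUSTED_PROC_RE.search(image))
    is_copy_op = bool(COPY_VERB_RE.search(cmdline))

    if event_id == "11" and is_outlook_path and not is_trusted_proc:
        branch = "NonOutlookProcessAccessingEmailStore"
    elif event_id == "11" and not is_outlook_path and is_staging_path:
        branch = "EmailFileStagedInSuspiciousLocation"
    elif event_id == "1" and is_copy_op:
        branch = "CommandLinePstCopyOperation"
    elif event_id == "1":
        branch = "CommandLineReferencingEmailStore"
    else:
        return None  # e.g. Outlook maintaining its own store in its own folder

    if (is_staging_path and not is_trusted_proc) or is_copy_op:
        risk = 3
    elif branch == "NonOutlookProcessAccessingEmailStore":
        risk = 2
    else:
        risk = 1

    return {"Computer": event.get("Computer"), "EventID": event_id, "branch": branch,
            "risk_score": risk, "process_image": image, "target_filename": target}


def run_detection(events: list) -> list:
    """Classify every event and return the hits, highest risk first (stable for equal scores)."""
    hits = [h for h in (classify(e) for e in events) if h is not None]
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)


# Constructed sample events; only the fields the classifier reads are included.
SAMPLE_EVENTS = [
    # Benign: Outlook writing its own OST in the normal profile location (should not fire)
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@example.test.ost"},
    # Unknown binary creating a PST inside the Outlook folder
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Roaming\updater\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\archive.pst"},
    # OST written into Windows\Temp by cmd.exe (staging)
    {"EventID": 11, "Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Temp\staged_email.ost"},
    # PowerShell enumerating and copying PST files (the Test 2 pattern)
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-ChildItem C:\Users -Recurse -Filter *.pst | Copy-Item -Destination C:\ProgramData"},
    # cmd.exe merely listing PST files: lowest-risk branch
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\bob\Documents\Outlook Files\*.pst"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[{hit['risk_score']}] {hit['Computer']} EventID={hit['EventID']} {hit['branch']}")
```

The benign Outlook event is dropped because it matches the Outlook path and a trusted process, so neither file-create branch applies; the remaining four events land in the four branches and sort with the two score-3 hits first. Extending TRUSTED_PROC_RE is where a signed backup or MDM agent from the tuning list would be allowlisted.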

Data Sources

  • Windows Sysmon logs via Sumo Logic Installed Collector
  • Sumo Logic Cloud SIEM (CSE) normalized events

Required Tables

Sysmon event logs (_sourceCategory=windows/sysmon)

False Positives & Tuning

  • Automated PST export tools used by legal or HR during e-discovery or termination workflows. These run from cmd.exe or PowerShell and will score as high risk; check them against the legal-hold tracker before escalating.
  • macOS/iOS device management sync agents or backup clients on Windows endpoints that access Outlook data during sync. Verify the digital signature and publisher of the binary shown in process_image before allowlisting it.
  • IT helpdesk remote assistance sessions in which technicians use robocopy or xcopy to recover corrupted PST files on behalf of users. These look identical to malicious staging; correlate with open helpdesk tickets.

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour it exercises and the telemetry you should expect to see.

  1. Test 1: Copy Outlook OST File to Windows Temp (cmd.exe)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing '.ost' and 'copy'. Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\staged_email.ost, Image=cmd.exe. Security Event ID 4688 (if process command line auditing enabled) with same details. Security Event ID 4663 (if object access auditing enabled on Outlook directory) showing read access by cmd.exe.

  2. Test 2: Enumerate and Copy PST Files with PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '.pst', and 'Copy-Item'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\dftest_email_staged.pst, Image=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing full script. Security Event ID 4688 for the PowerShell process.

  3. Test 3: WMIC Remote Process PST Copy (Chimera APT Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create' and '.ost'. Secondary Sysmon Event ID 1 for the spawned cmd.exe with the copy command. Sysmon Event ID 11 for the created file in Temp. Security Event ID 4688 for both wmic.exe and cmd.exe child process. Sysmon Event ID 3 (Network Connection) for wmic WMI connection to localhost.

  4. Test 4: Archive Outlook Data Files for Exfiltration Preparation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Compress-Archive' and '.pst'. Sysmon Event ID 11: File Create events for both the dummy .pst and the resulting .zip archive in Temp. PowerShell ScriptBlock Log Event ID 4104 with full script. File Create event for the archive file may also trigger DLP rules if archive-in-staging detection is enabled.
