T1114.002 Remote Email Collection Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackPeriod = 24h;
let BulkMailboxThreshold = 5;
let CollectionCmdlets = dynamic([
    "New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
    "New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
    "Get-ComplianceSearchAction", "Invoke-SelfSearch", "Invoke-GlobalMailSearch",
    "Get-GlobalAddressList", "Invoke-MailboxSearch", "New-MailboxSearch"
]);
let SuspiciousUserAgents = dynamic([
    "MailSniper", "python-requests", "python/", "Go-http-client",
    "curl/", "wget/", "Microsoft.Exchange.WebServices", "EWSEditor"
]);
// Branch 1: Exchange Admin audit — suspicious mailbox collection cmdlets
let ExchangeAdminCmdlets = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation has_any (CollectionCmdlets)
| extend DetectionType = "Exchange Admin Cmdlet",
         DetectionDetail = strcat("Suspicious collection cmdlet: ", Operation)
| project TimeGenerated, UserId, ClientIP,
          ClientAgent = UserAgent, DetectionType, DetectionDetail,
          ExtraInfo = tostring(Parameters);
// Branch 2: Cross-mailbox bulk access anomaly (impersonation or delegate abuse)
let CrossMailboxBulk = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeItem"
| where Operation in ("MailboxLogin", "Create", "Move", "Send", "Copy")
| where isnotempty(MailboxOwnerUPN) and UserId != MailboxOwnerUPN
| summarize DistinctMailboxes = dcount(MailboxOwnerUPN),
            Ops = make_set(Operation, 5),
            FirstSeen = min(TimeGenerated)
    by UserId, ClientIP, bin(TimeGenerated, 1h)
| where DistinctMailboxes >= BulkMailboxThreshold
| extend DetectionType = "Bulk Cross-Mailbox Access",
         DetectionDetail = strcat("Single account accessed ", DistinctMailboxes, " distinct mailboxes in 1h window"),
         ClientAgent = ""
| project TimeGenerated = FirstSeen, UserId, ClientIP, ClientAgent,
          DetectionType, DetectionDetail, ExtraInfo = tostring(Ops);
// Branch 3: Suspicious EWS client (non-browser, scripted, or known tool user agent)
let SuspiciousEWSClient = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType in ("ExchangeItem", "ExchangeItemGroup")
| where ClientInfoString has_any (SuspiciousUserAgents)
| extend DetectionType = "Suspicious EWS Client",
         DetectionDetail = strcat("Non-standard user agent via EWS: ", ClientInfoString)
| project TimeGenerated, UserId, ClientIP,
          ClientAgent = ClientInfoString, DetectionType, DetectionDetail,
          ExtraInfo = "";
// Branch 4: On-prem PowerShell Exchange collection cmdlets
let OnPremPSCollection = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("powershell.exe", "pwsh.exe", "exshell.exe")
| where ProcessCommandLine has_any (CollectionCmdlets)
    or ProcessCommandLine has_any ("MailSniper", "Invoke-SelfSearch", "Invoke-GlobalMailSearch",
                                    "Microsoft.Exchange.WebServices", "EWSEditor",
                                    "Invoke-PasswordSprayOWA", "Get-GlobalAddressList")
| extend DetectionType = "On-Prem Exchange PowerShell Collection",
         DetectionDetail = "Exchange collection cmdlet or known email tool detected in PowerShell"
| project TimeGenerated = Timestamp, UserId = AccountName,
          ClientIP = DeviceName, ClientAgent = InitiatingProcessFileName,
          DetectionType, DetectionDetail, ExtraInfo = ProcessCommandLine;
// Union all detection branches
union ExchangeAdminCmdlets, CrossMailboxBulk, SuspiciousEWSClient, OnPremPSCollection
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Application Log: Application Log Content Cloud Service: Cloud Service Activity Network Traffic: Network Traffic Content Microsoft Defender for Endpoint — DeviceProcessEvents Office 365 — OfficeActivity (ExchangeAdmin, ExchangeItem)

Required Tables

OfficeActivity DeviceProcessEvents

False Positives

Compliance and eDiscovery teams running legitimate New-ComplianceSearch operations during legal holds or internal investigations — coordinate with legal/compliance team to whitelist known investigation accounts
Exchange administrators running Search-Mailbox or New-MailboxExportRequest for offboarding workflows, mailbox migrations, or backup operations — validate against change management tickets
Service accounts used by archiving solutions (Mimecast, Veritas, Barracuda) that legitimately access multiple mailboxes via EWS impersonation — these will trigger the cross-mailbox bulk access branch
Email security platforms (Proofpoint, Microsoft Defender for Office 365) using non-browser EWS user agents for retroactive threat hunting in mailboxes
Shared mailbox delegations where a single delegate legitimately manages many shared mailboxes (e.g., helpdesk, legal inbox)

Splunk

spl

index=o365 sourcetype="o365:management:activity" Workload=Exchange
| eval IsSuspiciousCmdlet=case(
    Operation IN ("New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
                  "New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
                  "Get-ComplianceSearchAction", "Invoke-MailboxSearch", "New-MailboxSearch"), 1,
    true(), 0)
| eval IsSuspiciousAgent=case(
    like(lower(ClientInfoString), "%mailsniper%"), 1,
    like(lower(ClientInfoString), "%python%"), 1,
    like(lower(ClientInfoString), "%go-http-client%"), 1,
    like(lower(ClientInfoString), "%curl/%"), 1,
    like(lower(ClientInfoString), "%wget%"), 1,
    like(lower(ClientInfoString), "%microsoft.exchange.webservices%"), 1,
    true(), 0)
| eval IsCrossMailboxAccess=if(Operation="MailboxLogin" AND UserId!=MailboxOwnerUPN, 1, 0)
| eval SuspicionScore=IsSuspiciousCmdlet + IsSuspiciousAgent + IsCrossMailboxAccess
| where SuspicionScore > 0
| eval DetectionType=case(
    IsSuspiciousCmdlet=1, "ExchangeCollectionCmdlet",
    IsSuspiciousAgent=1, "SuspiciousEWSClient",
    IsCrossMailboxAccess=1, "CrossMailboxAccess",
    true(), "Unknown")
| stats count as EventCount,
        dc(MailboxOwnerUPN) as DistinctMailboxes,
        values(Operation) as Operations,
        values(ClientIP) as ClientIPs,
        values(ClientInfoString) as UserAgents,
        max(SuspicionScore) as MaxScore,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
    by UserId, DetectionType
| eval BulkAccess=if(DistinctMailboxes >= 5, 1, 0)
| where EventCount > 0
| eval RiskLevel=case(
    MaxScore >= 2 OR BulkAccess=1, "High",
    MaxScore=1 AND DetectionType="ExchangeCollectionCmdlet", "High",
    true(), "Medium")
| table FirstSeen, LastSeen, UserId, DetectionType, RiskLevel, EventCount,
         DistinctMailboxes, Operations, ClientIPs, UserAgents, MaxScore
| sort - MaxScore, - DistinctMailboxes

high severity high confidence

Data Sources

Cloud Service: Cloud Service Activity Application Log: Application Log Content Office 365 Management Activity API — Exchange workload

Required Sourcetypes

o365:management:activity

False Positives

Compliance and eDiscovery teams running legitimate New-ComplianceSearch during legal holds — validate against open legal hold cases
Exchange admins performing mailbox exports for offboarding or data migration — verify against IT change tickets
Third-party archiving solutions (Mimecast, Veritas, Barracuda) using EWS impersonation with non-browser user agents to access multiple mailboxes
Email security vendors performing retroactive threat hunting (Proofpoint TAP, Microsoft Defender for O365) using scripted EWS access
Helpdesk or operations teams with delegate access to multiple shared mailboxes triggering the cross-mailbox access threshold

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe", "exshell.exe") and
    process.command_line regex~ "(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\\.Exchange\\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)"
  ) or (
    event.category == "network" and
    event.type == "connection" and
    destination.port in (80, 443, 993, 995) and
    user_agent.original regex~ "(?i)(MailSniper|python-requests|python/[0-9]|Go-http-client|curl/[0-9]|wget/[0-9]|Microsoft\\.Exchange\\.WebServices|EWSEditor)"
  )

high severity high confidence

Data Sources

Elastic Agent endpoint process telemetry (logs-endpoint.events.process-*) Elastic Agent endpoint network telemetry (logs-endpoint.events.network-*) Winlogbeat Windows event logs

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Exchange administrators legitimately using New-ComplianceSearch or Search-Mailbox for authorized eDiscovery or legal hold workflows
Automated compliance or archiving tools using the Microsoft.Exchange.WebServices SDK with scripted HTTP clients for mailbox archiving
IT monitoring scripts using PowerShell Exchange cmdlets for mailbox capacity reporting or health checks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username AS UserId,
  sourceip AS ClientIP,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS Category,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CASE
    WHEN LOWER("Message") ILIKE '%new-mailboxexportrequest%'
      OR LOWER("Message") ILIKE '%get-mailboxexportrequest%'
      OR LOWER("Message") ILIKE '%search-mailbox%'
      OR LOWER("Message") ILIKE '%new-compliancesearch%'
      OR LOWER("Message") ILIKE '%start-compliancesearch%'
      OR LOWER("Message") ILIKE '%invoke-mailboxsearch%'
      OR LOWER("Message") ILIKE '%new-mailboxsearch%'
      OR LOWER("Message") ILIKE '%get-globaladdresslist%'
      OR LOWER("Message") ILIKE '%invoke-selfsearch%'
      OR LOWER("Message") ILIKE '%invoke-globalmailsearch%'
      THEN 'ExchangeCollectionCmdlet'
    WHEN LOWER("Message") ILIKE '%mailsniper%'
      OR LOWER("Message") ILIKE '%python-requests%'
      OR LOWER("Message") ILIKE '%go-http-client%'
      OR LOWER("Message") ILIKE '%ewseditor%'
      OR LOWER("Message") ILIKE '%microsoft.exchange.webservices%'
      THEN 'SuspiciousEWSClient'
    ELSE 'EmailCollectionAnomaly'
  END AS DetectionType,
  "Message"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Exchange',
    'Microsoft Office 365',
    'Microsoft Windows Security Event Log'
  )
  AND (
    LOWER("Message") ILIKE '%new-mailboxexportrequest%' OR
    LOWER("Message") ILIKE '%get-mailboxexportrequest%' OR
    LOWER("Message") ILIKE '%search-mailbox%' OR
    LOWER("Message") ILIKE '%new-compliancesearch%' OR
    LOWER("Message") ILIKE '%start-compliancesearch%' OR
    LOWER("Message") ILIKE '%new-compliancesearchaction%' OR
    LOWER("Message") ILIKE '%invoke-mailboxsearch%' OR
    LOWER("Message") ILIKE '%new-mailboxsearch%' OR
    LOWER("Message") ILIKE '%get-globaladdresslist%' OR
    LOWER("Message") ILIKE '%invoke-selfsearch%' OR
    LOWER("Message") ILIKE '%invoke-globalmailsearch%' OR
    LOWER("Message") ILIKE '%mailsniper%' OR
    LOWER("Message") ILIKE '%microsoft.exchange.webservices%' OR
    LOWER("Message") ILIKE '%ewseditor%' OR
    LOWER("Message") ILIKE '%invoke-passwordsprayowa%'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Exchange log source Microsoft Office 365 Management Activity log source Microsoft Windows Security Event Log

Required Tables

events

False Positives

eDiscovery administrators running New-ComplianceSearch or Start-ComplianceSearch for legal hold or regulatory compliance workflows
Exchange migration tools using the Microsoft.Exchange.WebServices SDK during scheduled mailbox migration projects
Automated backup and archiving solutions querying Exchange via EWS with non-standard user agents

Sumo Logic CSE

sql

(_sourceCategory=*office365* OR _sourceCategory=*o365* OR _sourceCategory=*exchange*)
| json field=_raw "Operation" as Operation nodrop
| json field=_raw "UserId" as UserId nodrop
| json field=_raw "ClientIP" as ClientIP nodrop
| json field=_raw "ClientInfoString" as ClientInfoString nodrop
| json field=_raw "MailboxOwnerUPN" as MailboxOwnerUPN nodrop
| json field=_raw "Workload" as Workload nodrop
| where Workload = "Exchange"
| eval IsSuspiciousCmdlet = if(
    Operation in (
      "New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
      "New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
      "Get-ComplianceSearchAction", "Invoke-MailboxSearch", "New-MailboxSearch",
      "Get-GlobalAddressList", "Invoke-SelfSearch", "Invoke-GlobalMailSearch"
    ), 1, 0)
| eval LowAgent = toLowerCase(ClientInfoString)
| eval IsSuspiciousAgent = if(
    matches(LowAgent, ".*mailsniper.*") OR
    matches(LowAgent, ".*python.*") OR
    matches(LowAgent, ".*go-http-client.*") OR
    matches(LowAgent, ".*curl/.*") OR
    matches(LowAgent, ".*wget.*") OR
    matches(LowAgent, ".*microsoft.exchange.webservices.*") OR
    matches(LowAgent, ".*ewseditor.*"), 1, 0)
| where IsSuspiciousCmdlet = 1 OR IsSuspiciousAgent = 1
| eval DetectionType = if(IsSuspiciousCmdlet = 1, "ExchangeCollectionCmdlet", "SuspiciousEWSClient")
| eval RiskLevel = if(IsSuspiciousCmdlet = 1, "High", "Medium")
| stats
    count as EventCount,
    values(Operation) as Operations,
    values(ClientIP) as ClientIPs,
    values(ClientInfoString) as UserAgents,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
  by UserId, DetectionType, RiskLevel
| where EventCount > 0
| sort by EventCount desc

high severity high confidence

Data Sources

Office 365 Management Activity API via Sumo Logic O365 App Microsoft Exchange audit log source

Required Tables

O365 Management Activity source category

False Positives

Compliance and legal teams running Start-ComplianceSearch or New-ComplianceSearch for authorized eDiscovery
Exchange hybrid migration tooling using the EWS SDK with non-browser user agents during planned migrations
Third-party email security gateways or archiving solutions accessing mailboxes via EWS with scripted HTTP clients

Google Chronicle / SecOps

yaral

rule remote_email_collection_t1114_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote email collection via Exchange collection cmdlets or suspicious EWS tooling (T1114.002)"
    mitre_attack_technique = "T1114.002"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1114/002/"

  events:
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(powershell\.exe|pwsh\.exe|exshell\.exe)`) and
        re.regex($e.target.process.command_line,
          `(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\.Exchange\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)`)
      ) or
      (
        $e.metadata.event_type = "NETWORK_HTTP" and
        re.regex($e.network.http.user_agent,
          `(?i)(MailSniper|python-requests|python/[0-9]|Go-http-client|curl/[0-9]|wget/|Microsoft\.Exchange\.WebServices|EWSEditor)`)
      ) or
      (
        $e.metadata.product_name = "Office 365" and
        $e.metadata.event_type = "USER_RESOURCE_ACCESS" and
        re.regex($e.metadata.description,
          `(?i)(New-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Invoke-MailboxSearch|Get-GlobalAddressList|MailSniper|Invoke-SelfSearch|Invoke-GlobalMailSearch)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM endpoint events (PROCESS_LAUNCH) Chronicle UDM network HTTP events (NETWORK_HTTP) Chronicle Office 365 log ingestion (USER_RESOURCE_ACCESS)

Required Tables

UDM events: PROCESS_LAUNCH, NETWORK_HTTP, USER_RESOURCE_ACCESS

False Positives

Authorized eDiscovery workflows using compliance search cmdlets initiated by legal or compliance teams
Exchange Online migration tooling using EWS SDK with scripted HTTP clients during mail migration projects
Security monitoring tools that use Exchange Web Services to inspect email metadata for DLP or archiving purposes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(powershell\.exe|pwsh\.exe|exshell\.exe)/
| CommandLine = /(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\.Exchange\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)/
| eval DetectionType = "OnPremExchangeCollectionCmdlet"
| eval RiskLevel = "High"
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, DetectionType, RiskLevel],
    function=stats([
      count(aid, as=EventCount),
      min(_time, as=FirstSeen),
      max(_time, as=LastSeen)
    ])
  )
| sort(field=EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon endpoint sensor (ProcessRollup2) CrowdStrike Falcon network telemetry (NetworkConnectIP4) — for EWS user-agent detection

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Exchange administrators executing New-ComplianceSearch or Search-Mailbox for authorized eDiscovery or internal audit tasks
Automated mailbox management scripts using PowerShell Exchange cmdlets for capacity planning or hybrid migration workflows
Security teams running MailSniper or similar EWS tools as part of authorized red team or phishing simulation exercises with prior approval

Remote Email Collection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections