Which SIEM platforms have a T1114.002 detection rule?

df00tech provides T1114.002 (Remote Email Collection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Remote Email Collection (T1114.002)?

Detecting Remote Email Collection requires the following data sources: Application Log: Application Log Content, Cloud Service: Cloud Service Activity, Network Traffic: Network Traffic Content, Microsoft Defender for Endpoint — DeviceProcessEvents, Office 365 — OfficeActivity (ExchangeAdmin, ExchangeItem).

What severity and confidence is the T1114.002 detection?

The T1114.002 detection is rated high severity with high confidence.

What are common false positives for T1114.002?

Common false positives for T1114.002 include: Compliance and eDiscovery teams running legitimate New-ComplianceSearch operations during legal holds or internal investigations — coordinate with legal/compliance team to whitelist known investigation accounts; Exchange administrators running Search-Mailbox or New-MailboxExportRequest for offboarding workflows, mailbox migrations, or backup operations — validate against change management tickets; Service accounts used by archiving solutions (Mimecast, Veritas, Barracuda) that legitimately access multiple mailboxes via EWS impersonation — these will trigger the cross-mailbox bulk access branch.

T1114.002 Google Chronicle · YARA-L

Detect Remote Email Collection in Google Chronicle

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Sub-technique: T1114.002 Remote Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/002/

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule remote_email_collection_t1114_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote email collection via Exchange collection cmdlets or suspicious EWS tooling (T1114.002)"
    mitre_attack_technique = "T1114.002"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1114/002/"

  events:
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(powershell\.exe|pwsh\.exe|exshell\.exe)`) and
        re.regex($e.target.process.command_line,
          `(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\.Exchange\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)`)
      ) or
      (
        $e.metadata.event_type = "NETWORK_HTTP" and
        re.regex($e.network.http.user_agent,
          `(?i)(MailSniper|python-requests|python/[0-9]|Go-http-client|curl/[0-9]|wget/|Microsoft\.Exchange\.WebServices|EWSEditor)`)
      ) or
      (
        $e.metadata.product_name = "Office 365" and
        $e.metadata.event_type = "USER_RESOURCE_ACCESS" and
        re.regex($e.metadata.description,
          `(?i)(New-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Invoke-MailboxSearch|Get-GlobalAddressList|MailSniper|Invoke-SelfSearch|Invoke-GlobalMailSearch)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Detects remote email collection (T1114.002) across three telemetry branches in Chronicle UDM: PowerShell execution of Exchange collection cmdlets on endpoints, suspicious EWS HTTP client user agents at the network layer, and Office 365 audit events capturing known collection operations. Uses re.regex for flexible pattern matching across all branches.

Data Sources

Chronicle UDM endpoint events (PROCESS_LAUNCH)Chronicle UDM network HTTP events (NETWORK_HTTP)Chronicle Office 365 log ingestion (USER_RESOURCE_ACCESS)

Required Tables

UDM events: PROCESS_LAUNCH, NETWORK_HTTP, USER_RESOURCE_ACCESS

False Positives & Tuning

Authorized eDiscovery workflows using compliance search cmdlets initiated by legal or compliance teams
Exchange Online migration tooling using EWS SDK with scripted HTTP clients during mail migration projects
Security monitoring tools that use Exchange Web Services to inspect email metadata for DLP or archiving purposes

Download portable Sigma rule (.yml)

Other platforms for T1114.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1MailSniper — Invoke-SelfSearch for Credential Keywords
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.
Test 2New-MailboxExportRequest — Export Mailbox to PST
Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.
Test 3EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)
Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.
Test 4Remote OST File Access via UNC Path (Chimera Technique)
Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Remote Email Collection in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox