T1114.002 Elastic Security · Elastic

Detect Remote Email Collection in Elastic Security

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Sub-technique
T1114.002 Remote Email Collection
Canonical reference
https://attack.mitre.org/techniques/T1114/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe", "exshell.exe") and
    process.command_line regex~ "(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\\.Exchange\\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)"
  ) or (
    event.category == "network" and
    event.type == "connection" and
    destination.port in (80, 443, 993, 995) and
    user_agent.original regex~ "(?i)(MailSniper|python-requests|python/[0-9]|Go-http-client|curl/[0-9]|wget/[0-9]|Microsoft\\.Exchange\\.WebServices|EWSEditor)"
  )
high severity high confidence

Detects remote email collection targeting Exchange/O365 via suspicious PowerShell cmdlets (MailSniper, Search-Mailbox, compliance search abuse) or non-standard EWS HTTP clients. Covers both on-prem PowerShell execution of collection tools and network-layer scripted EWS access patterns consistent with T1114.002.

Data Sources

Elastic Agent endpoint process telemetry (logs-endpoint.events.process-*)Elastic Agent endpoint network telemetry (logs-endpoint.events.network-*)Winlogbeat Windows event logs

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*winlogbeat-*

False Positives & Tuning

  • Exchange administrators legitimately using New-ComplianceSearch or Search-Mailbox for authorized eDiscovery or legal hold workflows
  • Automated compliance or archiving tools using the Microsoft.Exchange.WebServices SDK with scripted HTTP clients for mailbox archiving
  • IT monitoring scripts using PowerShell Exchange cmdlets for mailbox capacity reporting or health checks
Download portable Sigma rule (.yml)

Other platforms for T1114.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MailSniper — Invoke-SelfSearch for Credential Keywords

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.

  2. Test 2New-MailboxExportRequest — Export Mailbox to PST

    Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.

  3. Test 3EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)

    Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.

  4. Test 4Remote OST File Access via UNC Path (Chimera Technique)

    Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.

Last updated: 2026-04-18 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1114.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1114Email Collection

Related Sub-techniques

T1114.001Local Email CollectionT1114.003Email Forwarding Rule

Related Techniques

T1114Email CollectionT1114.001Local Email CollectionT1114.003Email Forwarding RuleT1078Valid AccountsT1078.004Cloud AccountsT1190Exploit Public-Facing ApplicationT1530Data from Cloud StorageT1048Exfiltration Over Alternative ProtocolT1560Archive Collected DataT1550.001Application Access Token

Same Tactic: Collection

Popular Detections