Detect Remote Email Collection in CrowdStrike LogScale
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1114 Email Collection
- Sub-technique
- T1114.002 Remote Email Collection
- Canonical reference
- https://attack.mitre.org/techniques/T1114/002/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName = /(?i)(powershell\.exe|pwsh\.exe|exshell\.exe)/
| CommandLine = /(?i)(New-MailboxExportRequest|Get-MailboxExportRequest|Search-Mailbox|New-ComplianceSearch|Start-ComplianceSearch|New-ComplianceSearchAction|Get-ComplianceSearchAction|Invoke-SelfSearch|Invoke-GlobalMailSearch|Get-GlobalAddressList|Invoke-MailboxSearch|New-MailboxSearch|MailSniper|Microsoft\.Exchange\.WebServices|EWSEditor|Invoke-PasswordSprayOWA)/
| eval DetectionType = "OnPremExchangeCollectionCmdlet"
| eval RiskLevel = "High"
| groupBy(
[ComputerName, UserName, FileName, CommandLine, DetectionType, RiskLevel],
function=stats([
count(aid, as=EventCount),
min(_time, as=FirstSeen),
max(_time, as=LastSeen)
])
)
| sort(field=EventCount, order=desc)Detects remote email collection via Exchange collection cmdlets executed through PowerShell on Windows endpoints. Identifies known collection tools including MailSniper, compliance search abuses, and EWS scripted access patterns using Falcon ProcessRollup2 telemetry. Aggregates by host and user to identify repeat collection activity.
Data Sources
Required Tables
False Positives & Tuning
- Exchange administrators executing New-ComplianceSearch or Search-Mailbox for authorized eDiscovery or internal audit tasks
- Automated mailbox management scripts using PowerShell Exchange cmdlets for capacity planning or hybrid migration workflows
- Security teams running MailSniper or similar EWS tools as part of authorized red team or phishing simulation exercises with prior approval
Other platforms for T1114.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MailSniper — Invoke-SelfSearch for Credential Keywords
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.
- Test 2New-MailboxExportRequest — Export Mailbox to PST
Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.
- Test 3EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)
Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.
- Test 4Remote OST File Access via UNC Path (Chimera Technique)
Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.
References (12)
- https://attack.mitre.org/techniques/T1114/002/
- https://github.com/dafthack/MailSniper
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization
- https://learn.microsoft.com/en-us/exchange/recipients/mailbox-import-and-export/export-procedures
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-email-collection
- https://research.nccgroup.com/2021/01/12/abusing-exchange-one-api-call-away-from-domain-admin/
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md
- https://www.cisa.gov/sites/default/files/2023-12/aa23-347a_star-blizzard-advisory.pdf
Unlock Pro Content
Get the full detection package for T1114.002 including response playbook, investigation guide, and atomic red team tests.