Detect Remote Email Collection in Microsoft Sentinel
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1114 Email Collection
- Sub-technique
- T1114.002 Remote Email Collection
- Canonical reference
- https://attack.mitre.org/techniques/T1114/002/
KQL Detection Query
let LookbackPeriod = 24h;
let BulkMailboxThreshold = 5;
let CollectionCmdlets = dynamic([
"New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
"New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
"Get-ComplianceSearchAction", "Invoke-SelfSearch", "Invoke-GlobalMailSearch",
"Get-GlobalAddressList", "Invoke-MailboxSearch", "New-MailboxSearch"
]);
let SuspiciousUserAgents = dynamic([
"MailSniper", "python-requests", "python/", "Go-http-client",
"curl/", "wget/", "Microsoft.Exchange.WebServices", "EWSEditor"
]);
// Branch 1: Exchange Admin audit — suspicious mailbox collection cmdlets
let ExchangeAdminCmdlets = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation has_any (CollectionCmdlets)
| extend DetectionType = "Exchange Admin Cmdlet",
DetectionDetail = strcat("Suspicious collection cmdlet: ", Operation)
| project TimeGenerated, UserId, ClientIP,
ClientAgent = UserAgent, DetectionType, DetectionDetail,
ExtraInfo = tostring(Parameters);
// Branch 2: Cross-mailbox bulk access anomaly (impersonation or delegate abuse)
let CrossMailboxBulk = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeItem"
| where Operation in ("MailboxLogin", "Create", "Move", "Send", "Copy")
| where isnotempty(MailboxOwnerUPN) and UserId != MailboxOwnerUPN
| summarize DistinctMailboxes = dcount(MailboxOwnerUPN),
Ops = make_set(Operation, 5),
FirstSeen = min(TimeGenerated)
by UserId, ClientIP, bin(TimeGenerated, 1h)
| where DistinctMailboxes >= BulkMailboxThreshold
| extend DetectionType = "Bulk Cross-Mailbox Access",
DetectionDetail = strcat("Single account accessed ", DistinctMailboxes, " distinct mailboxes in 1h window"),
ClientAgent = ""
| project TimeGenerated = FirstSeen, UserId, ClientIP, ClientAgent,
DetectionType, DetectionDetail, ExtraInfo = tostring(Ops);
// Branch 3: Suspicious EWS client (non-browser, scripted, or known tool user agent)
let SuspiciousEWSClient = OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType in ("ExchangeItem", "ExchangeItemGroup")
| where ClientInfoString has_any (SuspiciousUserAgents)
| extend DetectionType = "Suspicious EWS Client",
DetectionDetail = strcat("Non-standard user agent via EWS: ", ClientInfoString)
| project TimeGenerated, UserId, ClientIP,
ClientAgent = ClientInfoString, DetectionType, DetectionDetail,
ExtraInfo = "";
// Branch 4: On-prem PowerShell Exchange collection cmdlets
let OnPremPSCollection = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("powershell.exe", "pwsh.exe", "exshell.exe")
| where ProcessCommandLine has_any (CollectionCmdlets)
or ProcessCommandLine has_any ("MailSniper", "Invoke-SelfSearch", "Invoke-GlobalMailSearch",
"Microsoft.Exchange.WebServices", "EWSEditor",
"Invoke-PasswordSprayOWA", "Get-GlobalAddressList")
| extend DetectionType = "On-Prem Exchange PowerShell Collection",
DetectionDetail = "Exchange collection cmdlet or known email tool detected in PowerShell"
| project TimeGenerated = Timestamp, UserId = AccountName,
ClientIP = DeviceName, ClientAgent = InitiatingProcessFileName,
DetectionType, DetectionDetail, ExtraInfo = ProcessCommandLine;
// Union all detection branches
union ExchangeAdminCmdlets, CrossMailboxBulk, SuspiciousEWSClient, OnPremPSCollection
| sort by TimeGenerated descMulti-branch detection covering remote email collection across Office 365 and on-premises Exchange environments. Branch 1 detects Exchange Admin audit log entries for known collection cmdlets (New-MailboxExportRequest, Search-Mailbox, compliance search operations). Branch 2 identifies bulk cross-mailbox access anomalies where a single account accesses 5+ distinct mailboxes within an hour — a key indicator of impersonation or EWS-based collection. Branch 3 flags non-standard EWS client user agents consistent with scripted tools like MailSniper, Python clients, or Go HTTP clients. Branch 4 catches on-premises PowerShell-based collection using Exchange cmdlets or known tool keywords.
Data Sources
Required Tables
False Positives & Tuning
- Compliance and eDiscovery teams running legitimate New-ComplianceSearch operations during legal holds or internal investigations — coordinate with legal/compliance team to whitelist known investigation accounts
- Exchange administrators running Search-Mailbox or New-MailboxExportRequest for offboarding workflows, mailbox migrations, or backup operations — validate against change management tickets
- Service accounts used by archiving solutions (Mimecast, Veritas, Barracuda) that legitimately access multiple mailboxes via EWS impersonation — these will trigger the cross-mailbox bulk access branch
- Email security platforms (Proofpoint, Microsoft Defender for Office 365) using non-browser EWS user agents for retroactive threat hunting in mailboxes
- Shared mailbox delegations where a single delegate legitimately manages many shared mailboxes (e.g., helpdesk, legal inbox)
Other platforms for T1114.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MailSniper — Invoke-SelfSearch for Credential Keywords
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.
- Test 2New-MailboxExportRequest — Export Mailbox to PST
Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.
- Test 3EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)
Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.
- Test 4Remote OST File Access via UNC Path (Chimera Technique)
Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.
References (12)
- https://attack.mitre.org/techniques/T1114/002/
- https://github.com/dafthack/MailSniper
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization
- https://learn.microsoft.com/en-us/exchange/recipients/mailbox-import-and-export/export-procedures
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-email-collection
- https://research.nccgroup.com/2021/01/12/abusing-exchange-one-api-call-away-from-domain-admin/
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md
- https://www.cisa.gov/sites/default/files/2023-12/aa23-347a_star-blizzard-advisory.pdf
Unlock Pro Content
Get the full detection package for T1114.002 including response playbook, investigation guide, and atomic red team tests.