Detect Remote Email Collection in Splunk
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1114 Email Collection
- Sub-technique: T1114.002 Remote Email Collection
- Canonical reference: https://attack.mitre.org/techniques/T1114/002/
SPL Detection Query
index=o365 sourcetype="o365:management:activity" Workload=Exchange
| eval IsSuspiciousCmdlet=case(
Operation IN ("New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
"New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
"Get-ComplianceSearchAction", "Invoke-MailboxSearch", "New-MailboxSearch"), 1,
true(), 0)
| eval IsSuspiciousAgent=case(
like(lower(ClientInfoString), "%mailsniper%"), 1,
like(lower(ClientInfoString), "%python%"), 1,
like(lower(ClientInfoString), "%go-http-client%"), 1,
like(lower(ClientInfoString), "%curl/%"), 1,
like(lower(ClientInfoString), "%wget%"), 1,
like(lower(ClientInfoString), "%microsoft.exchange.webservices%"), 1,
true(), 0)
| eval IsCrossMailboxAccess=if(Operation="MailboxLogin" AND UserId!=MailboxOwnerUPN, 1, 0)
| eval SuspicionScore=IsSuspiciousCmdlet + IsSuspiciousAgent + IsCrossMailboxAccess
| where SuspicionScore > 0
| eval DetectionType=case(
IsSuspiciousCmdlet=1, "ExchangeCollectionCmdlet",
IsSuspiciousAgent=1, "SuspiciousEWSClient",
IsCrossMailboxAccess=1, "CrossMailboxAccess",
true(), "Unknown")
| stats count as EventCount,
dc(MailboxOwnerUPN) as DistinctMailboxes,
values(Operation) as Operations,
values(ClientIP) as ClientIPs,
values(ClientInfoString) as UserAgents,
max(SuspicionScore) as MaxScore,
earliest(_time) as FirstSeen,
latest(_time) as LastSeen
by UserId, DetectionType
| eval BulkAccess=if(DistinctMailboxes >= 5, 1, 0)
| where EventCount > 0
| eval RiskLevel=case(
MaxScore >= 2 OR BulkAccess=1, "High",
MaxScore=1 AND DetectionType="ExchangeCollectionCmdlet", "High",
true(), "Medium")
| table FirstSeen, LastSeen, UserId, DetectionType, RiskLevel, EventCount,
DistinctMailboxes, Operations, ClientIPs, UserAgents, MaxScore
| sort - MaxScore, - DistinctMailboxes

Detects remote email collection activity across Office 365 Exchange audit logs. Evaluates three parallel signals: (1) Exchange collection cmdlets (New-MailboxExportRequest, Search-Mailbox, compliance search operations) indicating administrative mailbox export or keyword searching; (2) non-standard EWS user agents associated with known collection tools (MailSniper, Python clients, Go HTTP clients); (3) cross-mailbox access where the acting UserId differs from MailboxOwnerUPN. Aggregates by user and detection type, surfacing accounts accessing 5+ distinct mailboxes or triggering multiple signals. A RiskLevel of High is assigned to cmdlet-based collection or bulk access patterns.
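The same three-signal scoring and per-user aggregation, re-implemented in Python so the logic can be checked offline against a handful of records. This is an added example, not the page's own detection content; the records are constructed and the field names (Workload, Operation, UserId, MailboxOwnerUPN, ClientInfoString) follow the SPL query above.

```python
from collections import defaultdict
# Cmdlets and user-agent substrings mirrored from the SPL query above.
COLLECTION_CMDLETS = {
    "New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
    "New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
    "Get-ComplianceSearchAction", "Invoke-MailboxSearch", "New-MailboxSearch"}
SUSPICIOUS_AGENTS = ("mailsniper", "python", "go-http-client", "curl/", "wget",
                     "microsoft.exchange.webservices")

def score_event(ev):
    """Return (SuspicionScore, DetectionType) for one Exchange audit record."""
    cmdlet = ev.get("Operation") in COLLECTION_CMDLETS
    agent = any(s in (ev.get("ClientInfoString") or "").lower() for s in SUSPICIOUS_AGENTS)
    cross = ev.get("Operation") == "MailboxLogin" and ev.get("UserId") != ev.get("MailboxOwnerUPN")
    # case() takes the first matching signal, in the same order as the query
    dtype = ("ExchangeCollectionCmdlet" if cmdlet else "SuspiciousEWSClient" if agent
             else "CrossMailboxAccess" if cross else "Unknown")
    return int(cmdlet) + int(agent) + int(cross), dtype

def detect(records, bulk_threshold=5):
    """Group scored events by (UserId, DetectionType) and assign RiskLevel like the query."""
    groups = defaultdict(lambda: {"EventCount": 0, "Mailboxes": set(), "MaxScore": 0})
    for ev in records:
        if ev.get("Workload") != "Exchange":
            continue
        score, dtype = score_event(ev)
        if score == 0:
            continue                      # where SuspicionScore > 0
        g = groups[(ev["UserId"], dtype)]
        g["EventCount"] += 1
        if ev.get("MailboxOwnerUPN"):     # dc() ignores null values, e.g. admin cmdlets
            g["Mailboxes"].add(ev["MailboxOwnerUPN"])
        g["MaxScore"] = max(g["MaxScore"], score)
    rows = []
    for (user, dtype), g in groups.items():
        bulk = len(g["Mailboxes"]) >= bulk_threshold
        high = g["MaxScore"] >= 2 or bulk or dtype == "ExchangeCollectionCmdlet"
        rows.append({"UserId": user, "DetectionType": dtype, "EventCount": g["EventCount"],
                     "DistinctMailboxes": len(g["Mailboxes"]), "MaxScore": g["MaxScore"],
                     "RiskLevel": "High" if high else "Medium"})
    return sorted(rows, key=lambda r: (-r["MaxScore"], -r["DistinctMailboxes"]))
# Constructed sample Office 365 audit records (not real telemetry) for a quick run.
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "MailboxLogin", "UserId": "svc-sync@corp.example",
     "MailboxOwnerUPN": f"user{i}@corp.example", "ClientInfoString": "python-requests/2.31"}
    for i in range(5)] + [
    {"Workload": "Exchange", "Operation": "New-MailboxExportRequest",
     "UserId": "admin@corp.example", "MailboxOwnerUPN": None, "ClientInfoString": ""},
    {"Workload": "Exchange", "Operation": "MailboxLogin", "UserId": "alice@corp.example",
     "MailboxOwnerUPN": "alice@corp.example", "ClientInfoString": "Microsoft Outlook 16.0"}]
```

Running `detect(SAMPLE_RECORDS)` yields two High rows (the scripted account touching five mailboxes, and the export cmdlet) and drops the ordinary Outlook login to the user's own mailbox.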
Data Sources
Required Sourcetypes
- o365:management:activity (index=o365, Workload=Exchange): the Office 365 Management Activity log the query above searches. The user-agent and cross-mailbox signals rely on mailbox audit logging being enabled, so that MailboxLogin events carry ClientInfoString and MailboxOwnerUPN; the cmdlet signal comes from the Exchange admin audit records in the same feed.
False Positives & Tuning
- Compliance and eDiscovery teams running legitimate New-ComplianceSearch during legal holds — validate against open legal hold cases
- Exchange admins performing mailbox exports for offboarding or data migration — verify against IT change tickets
- Third-party archiving solutions (Mimecast, Veritas, Barracuda) using EWS impersonation with non-browser user agents to access multiple mailboxes
- Email security vendors performing retroactive threat hunting (Proofpoint TAP, Microsoft Defender for O365) using scripted EWS access
- Helpdesk or operations teams with delegate access to multiple shared mailboxes triggering the cross-mailbox access threshold
Testing Methodology
Validate this detection against the 4 adversary techniques below, taken from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: MailSniper — Invoke-SelfSearch for Credential Keywords
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.
- Test 2: New-MailboxExportRequest — Export Mailbox to PST
Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.
- Test 3: EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)
Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.
- Test 4: Remote OST File Access via UNC Path (Chimera Technique)
Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.
References (12)
- https://attack.mitre.org/techniques/T1114/002/
- https://github.com/dafthack/MailSniper
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization
- https://learn.microsoft.com/en-us/exchange/recipients/mailbox-import-and-export/export-procedures
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-email-collection
- https://research.nccgroup.com/2021/01/12/abusing-exchange-one-api-call-away-from-domain-admin/
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md
- https://www.cisa.gov/sites/default/files/2023-12/aa23-347a_star-blizzard-advisory.pdf