Which SIEM platforms have a T1114.002 detection rule?

df00tech provides T1114.002 (Remote Email Collection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Remote Email Collection (T1114.002)?

Detecting Remote Email Collection requires the following data sources: Application Log: Application Log Content, Cloud Service: Cloud Service Activity, Network Traffic: Network Traffic Content, Microsoft Defender for Endpoint — DeviceProcessEvents, Office 365 — OfficeActivity (ExchangeAdmin, ExchangeItem).

What severity and confidence is the T1114.002 detection?

The T1114.002 detection is rated high severity with high confidence.

What are common false positives for T1114.002?

Common false positives for T1114.002 include: Compliance and eDiscovery teams running legitimate New-ComplianceSearch operations during legal holds or internal investigations — coordinate with legal/compliance team to whitelist known investigation accounts; Exchange administrators running Search-Mailbox or New-MailboxExportRequest for offboarding workflows, mailbox migrations, or backup operations — validate against change management tickets; Service accounts used by archiving solutions (Mimecast, Veritas, Barracuda) that legitimately access multiple mailboxes via EWS impersonation — these will trigger the cross-mailbox bulk access branch.

T1114.002 Sumo Logic CSE · Sumo

Detect Remote Email Collection in Sumo Logic CSE

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Sub-technique: T1114.002 Remote Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

(_sourceCategory=*office365* OR _sourceCategory=*o365* OR _sourceCategory=*exchange*)
| json field=_raw "Operation" as Operation nodrop
| json field=_raw "UserId" as UserId nodrop
| json field=_raw "ClientIP" as ClientIP nodrop
| json field=_raw "ClientInfoString" as ClientInfoString nodrop
| json field=_raw "MailboxOwnerUPN" as MailboxOwnerUPN nodrop
| json field=_raw "Workload" as Workload nodrop
| where Workload = "Exchange"
| eval IsSuspiciousCmdlet = if(
    Operation in (
      "New-MailboxExportRequest", "Get-MailboxExportRequest", "Search-Mailbox",
      "New-ComplianceSearch", "Start-ComplianceSearch", "New-ComplianceSearchAction",
      "Get-ComplianceSearchAction", "Invoke-MailboxSearch", "New-MailboxSearch",
      "Get-GlobalAddressList", "Invoke-SelfSearch", "Invoke-GlobalMailSearch"
    ), 1, 0)
| eval LowAgent = toLowerCase(ClientInfoString)
| eval IsSuspiciousAgent = if(
    matches(LowAgent, ".*mailsniper.*") OR
    matches(LowAgent, ".*python.*") OR
    matches(LowAgent, ".*go-http-client.*") OR
    matches(LowAgent, ".*curl/.*") OR
    matches(LowAgent, ".*wget.*") OR
    matches(LowAgent, ".*microsoft.exchange.webservices.*") OR
    matches(LowAgent, ".*ewseditor.*"), 1, 0)
| where IsSuspiciousCmdlet = 1 OR IsSuspiciousAgent = 1
| eval DetectionType = if(IsSuspiciousCmdlet = 1, "ExchangeCollectionCmdlet", "SuspiciousEWSClient")
| eval RiskLevel = if(IsSuspiciousCmdlet = 1, "High", "Medium")
| stats
    count as EventCount,
    values(Operation) as Operations,
    values(ClientIP) as ClientIPs,
    values(ClientInfoString) as UserAgents,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
  by UserId, DetectionType, RiskLevel
| where EventCount > 0
| sort by EventCount desc

high severity high confidence

Detects remote email collection against Exchange/Office 365 by identifying known collection cmdlets and suspicious EWS client user agents in O365 Management Activity logs. Aggregates by user and detection type to surface bulk collection patterns. Evaluates both cmdlet abuse and scripted-client EWS access.

Data Sources

Office 365 Management Activity API via Sumo Logic O365 AppMicrosoft Exchange audit log source

Required Tables

O365 Management Activity source category

False Positives & Tuning

Compliance and legal teams running Start-ComplianceSearch or New-ComplianceSearch for authorized eDiscovery
Exchange hybrid migration tooling using the EWS SDK with non-browser user agents during planned migrations
Third-party email security gateways or archiving solutions accessing mailboxes via EWS with scripted HTTP clients

Download portable Sigma rule (.yml)

Other platforms for T1114.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1MailSniper — Invoke-SelfSearch for Credential Keywords
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'MailSniper', 'Invoke-SelfSearch', and keyword terms. Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443 (HTTPS/EWS). PowerShell ScriptBlock Log Event ID 4104 with full MailSniper invocation. On the Exchange side: IIS access logs will show EWS hits from the test workstation with a non-Outlook user agent.
Test 2New-MailboxExportRequest — Export Mailbox to PST
Expected signal: Exchange Admin Audit Log: New-MailboxExportRequest entry with Mailbox, FilePath, and requester identity. Office 365 OfficeActivity RecordType=ExchangeAdmin, Operation=New-MailboxExportRequest. File creation on the target UNC path (Sysmon Event ID 11 on the destination host). PowerShell Event ID 4104 with full cmdlet invocation.
Test 3EWS Direct Access via PowerShell (Microsoft.Exchange.WebServices)
Expected signal: Sysmon Event ID 7: Image Load for Microsoft.Exchange.WebServices.dll loaded by powershell.exe. Sysmon Event ID 3: Network connection from powershell.exe to Exchange server port 443. IIS logs on Exchange CAS showing EWS request from workstation with user agent 'ExchangeServicesClient/15.00.0000.000' or similar non-Outlook agent. PowerShell ScriptBlock Log Event ID 4104 with EWS API invocation.
Test 4Remote OST File Access via UNC Path (Chimera Technique)
Expected signal: Sysmon Event ID 11: File Create at %TEMP%\stolen_email.ost. Sysmon Event ID 10 or Windows Security Event ID 4663 (if Object Access auditing is enabled): access to the .ost file in %LOCALAPPDATA%\Microsoft\Outlook. If performed remotely, SMB access events (Event ID 5140 — A network share object was accessed) for the C$ administrative share on the source host. PowerShell Event ID 4104 with file copy invocation.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Remote Email Collection in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox