T1114 Google Chronicle · YARA-L

Detect Email Collection in Google Chronicle

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Canonical reference
https://attack.mitre.org/techniques/T1114/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1114_email_collection_local_and_remote {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1114 Email Collection: suspicious process access to local email data stores (PST/OST/MBOX/MSG/EML/DBX/NSF) by non-email-client processes including scripting engines, archival tools, and copy utilities"
    mitre_attack_technique = "T1114"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1114/"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      $e.target.file.full_path = /(?i)\.pst$/ or
      $e.target.file.full_path = /(?i)\.ost$/ or
      $e.target.file.full_path = /(?i)\.mbox$/ or
      $e.target.file.full_path = /(?i)\.eml$/ or
      $e.target.file.full_path = /(?i)\.msg$/ or
      $e.target.file.full_path = /(?i)\.dbx$/ or
      $e.target.file.full_path = /(?i)\.nsf$/
    )
    not $e.principal.process.file.full_path = /(?i)(\\outlook\.exe|\\thunderbird\.exe|\\SearchIndexer\.exe|\\SearchProtocolHost\.exe|\\MsMpEng\.exe|\\MsSense\.exe|\\msedge\.exe)$/
    (
      $e.principal.process.file.full_path = /(?i)(\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe|\\python[23]?\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\robocopy\.exe|\\xcopy\.exe|\\7z\.exe|\\winrar\.exe|\\rar\.exe|\\curl\.exe|\\wget\.exe)$/ or
      $e.target.file.full_path = /(?i)AppData.*(Outlook|Thunderbird|Windows Mail)/
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1114 local email collection by matching Sysmon or EDR file creation events where the target file has an email store extension (PST, OST, MBOX, EML, MSG, DBX, NSF) and the initiating process is a known suspicious tool. Excludes legitimate email client and indexer processes using negative regex on the principal process path.

Data Sources

Chronicle UDM - Endpoint file eventsGoogle Chronicle Sysmon ingestionCrowdStrike Falcon via Chronicle

Required Tables

File creation UDM events (metadata.event_type = FILE_CREATION)

False Positives & Tuning

  • Automated IT provisioning scripts using robocopy to stage PST files for migration to Exchange Online or archive storage
  • SIEM or log collection agents running as python.exe that parse EML attachments from shared directories for content inspection
  • Forensic investigation tools used by internal security teams that access PST/OST files during incident response — coordinate with IR team for approved tool exclusions
Download portable Sigma rule (.yml)

Other platforms for T1114

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy Outlook PST/OST Files via PowerShell to Staging Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.

  2. Test 2Enumerate Outlook Inbox via COM Object (MAPI)

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.

  3. Test 3Remote Exchange Mailbox Enumeration via EWS SOAP Request

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.

  4. Test 4Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with New-InboxRule command and ForwardTo parameter value. O365 Unified Audit Log (if connection succeeds): New-InboxRule operation with Parameters showing [email protected]. Sysmon Event ID 3: PowerShell connecting to O365 PowerShell endpoint (*.outlook.com port 443).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1114 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1114.001Local Email CollectionT1114.002Remote Email CollectionT1114.003Email Forwarding RuleT1560.001Archive via UtilityT1041Exfiltration Over C2 ChannelT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1078Valid AccountsT1539Steal Web Session CookieT1566.002Spearphishing LinkT1556.006Multi-Factor Authentication

Same Tactic: Collection

Popular Detections