Detect Email Collection in Elastic Security
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1114 Email Collection
- Canonical reference
- https://attack.mitre.org/techniques/T1114/
Elastic Detection Query
sequence by host.name with maxspan=5m
[file where event.action in ("creation", "overwrite", "rename") and
file.extension in ("pst", "ost", "mbox", "eml", "msg", "dbx", "nsf") and
not process.name in~ ("outlook.exe", "OUTLOOK.EXE", "thunderbird.exe", "SearchIndexer.exe", "SearchProtocolHost.exe", "MsMpEng.exe", "MsSense.exe", "msedge.exe") and
(
file.path like~ "*AppData*Outlook*" or
file.path like~ "*AppData*Thunderbird*" or
file.path like~ "*AppData*Windows Mail*" or
process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "robocopy.exe", "xcopy.exe", "7z.exe", "winrar.exe", "rar.exe", "curl.exe", "wget.exe")
)
] by process.entity_idDetects non-email-client processes accessing local email data stores (PST, OST, MBOX, MSG, EML, DBX, NSF files) consistent with T1114 local email collection. Flags suspicious tools like PowerShell, Python, archiving utilities, and copy tools touching email file paths. Pairs file events with the initiating process for context.
Data Sources
Required Tables
False Positives & Tuning
- Backup software (Veeam, Acronis, Windows Backup) legitimately reads PST/OST files during scheduled backups — verify process name and backup schedule
- IT administrators using robocopy or xcopy to migrate mailbox data during user offboarding or hardware refresh procedures
- Antivirus or DLP products (beyond MsMpEng) scanning email archives — check vendor process names against the exclusion list
Other platforms for T1114
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Copy Outlook PST/OST Files via PowerShell to Staging Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.
- Test 2Enumerate Outlook Inbox via COM Object (MAPI)
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.
- Test 3Remote Exchange Mailbox Enumeration via EWS SOAP Request
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.
- Test 4Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with New-InboxRule command and ForwardTo parameter value. O365 Unified Audit Log (if connection succeeds): New-InboxRule operation with Parameters showing [email protected]. Sysmon Event ID 3: PowerShell connecting to O365 PowerShell endpoint (*.outlook.com port 443).
References (9)
- https://attack.mitre.org/techniques/T1114/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
- https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about
Unlock Pro Content
Get the full detection package for T1114 including response playbook, investigation guide, and atomic red team tests.