T1114 IBM QRadar · QRadar

Detect Email Collection in IBM QRadar

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Canonical reference
https://attack.mitre.org/techniques/T1114/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  "filename" AS TargetFile,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%File Create%'
  AND (
    "filename" ILIKE '%.pst'
    OR "filename" ILIKE '%.ost'
    OR "filename" ILIKE '%.mbox'
    OR "filename" ILIKE '%.eml'
    OR "filename" ILIKE '%.msg'
    OR "filename" ILIKE '%.dbx'
    OR "filename" ILIKE '%.nsf'
  )
  AND "Image" NOT ILIKE '%\\outlook.exe'
  AND "Image" NOT ILIKE '%\\OUTLOOK.EXE'
  AND "Image" NOT ILIKE '%\\thunderbird.exe'
  AND "Image" NOT ILIKE '%\\SearchIndexer.exe'
  AND "Image" NOT ILIKE '%\\SearchProtocolHost.exe'
  AND "Image" NOT ILIKE '%\\MsMpEng.exe'
  AND "Image" NOT ILIKE '%\\MsSense.exe'
  AND (
    "Image" ILIKE '%\\powershell.exe'
    OR "Image" ILIKE '%\\pwsh.exe'
    OR "Image" ILIKE '%\\cmd.exe'
    OR "Image" ILIKE '%\\python.exe'
    OR "Image" ILIKE '%\\python3.exe'
    OR "Image" ILIKE '%\\wscript.exe'
    OR "Image" ILIKE '%\\cscript.exe'
    OR "Image" ILIKE '%\\mshta.exe'
    OR "Image" ILIKE '%\\robocopy.exe'
    OR "Image" ILIKE '%\\xcopy.exe'
    OR "Image" ILIKE '%\\7z.exe'
    OR "Image" ILIKE '%\\winrar.exe'
    OR "Image" ILIKE '%\\rar.exe'
    OR "Image" ILIKE '%\\curl.exe'
    OR "Image" ILIKE '%\\wget.exe'
    OR "filename" ILIKE '%AppData%Outlook%'
    OR "filename" ILIKE '%AppData%Thunderbird%'
    OR "filename" ILIKE '%AppData%Windows Mail%'
  )
  AND LOGSOURCETYPENAME(logsourceid) NOT ILIKE '%Flow%'
LAST 24 HOURS
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query detecting Sysmon file creation events (EventID 11) where suspicious processes access local email data stores. Excludes known legitimate email client and indexer processes. Targets PowerShell, Python, scripting engines, archival tools, and copy utilities touching PST/OST/MBOX/EML/MSG/DBX/NSF files in Outlook or Thunderbird profile directories.

Data Sources

QRadar Sysmon log sourceMicrosoft Windows Sysmon DSM

Required Tables

events

False Positives & Tuning

  • Enterprise backup agents (Commvault, NetBackup, Veeam) accessing PST files as part of scheduled mailbox backup jobs
  • Legal eDiscovery tools using command-line interfaces to collect email archives for compliance or litigation holds
  • IT migration scripts during Office 365 onboarding that copy local PST files to upload to Exchange Online
Download portable Sigma rule (.yml)

Other platforms for T1114

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy Outlook PST/OST Files via PowerShell to Staging Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.

  2. Test 2Enumerate Outlook Inbox via COM Object (MAPI)

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.

  3. Test 3Remote Exchange Mailbox Enumeration via EWS SOAP Request

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.

  4. Test 4Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with New-InboxRule command and ForwardTo parameter value. O365 Unified Audit Log (if connection succeeds): New-InboxRule operation with Parameters showing [email protected]. Sysmon Event ID 3: PowerShell connecting to O365 PowerShell endpoint (*.outlook.com port 443).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1114 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1114.001Local Email CollectionT1114.002Remote Email CollectionT1114.003Email Forwarding RuleT1560.001Archive via UtilityT1041Exfiltration Over C2 ChannelT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1078Valid AccountsT1539Steal Web Session CookieT1566.002Spearphishing LinkT1556.006Multi-Factor Authentication

Same Tactic: Collection

Popular Detections