T1114 Microsoft Sentinel · KQL

Detect Email Collection in Microsoft Sentinel

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Canonical reference
https://attack.mitre.org/techniques/T1114/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1114 Email Collection: local PST/OST/mail-store access by non-email-client processes, plus bulk remote mailbox access in Exchange Online
// Persistent inbox forwarding rules (T1114.003) are not covered by this query
let LegitEmailClients = dynamic(["outlook.exe", "thunderbird.exe", "SearchIndexer.exe", "SearchProtocolHost.exe", "MsMpEng.exe", "MsSense.exe", "msedge.exe"]);
let SuspiciousCollectionTools = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "robocopy.exe", "xcopy.exe", "7z.exe", "winrar.exe", "rar.exe", "curl.exe", "wget.exe"]);
let EmailStoreExtensions = dynamic(["pst", "ost", "mbox", "eml", "msg", "dbx", "nsf"]);
// Branch 1: Non-email-client processes accessing local email data stores
let LocalEmailAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileCopied", "FileCreated", "FileRenamed")
// Match the actual extension; a term search for ".msg" would also fire on names such as msg.txt
| extend FileExtension = tolower(extract(@"\.([^.\\/]+)$", 1, FileName))
| where FileExtension in (EmailStoreExtensions)
| where InitiatingProcessFileName !in~ (LegitEmailClients)
| where FolderPath has_any (@"AppData\Local\Microsoft\Outlook", @"AppData\Roaming\Thunderbird", @"AppData\Local\Microsoft\Windows Mail", @"AppData\Roaming\Mozilla Thunderbird")
    or InitiatingProcessFileName in~ (SuspiciousCollectionTools)
| project
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    FolderPath,
    ActionType,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    ReportId = tostring(ReportId),   // DeviceFileEvents.ReportId is a long; cast it so the union does not split the column by type
    DetectionBranch = "LocalEmailCollection";
// Branch 2: High-volume Exchange Online mailbox access suggesting programmatic email harvesting
let RemoteEmailCollection = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("MailItemsAccessed", "MessageBind", "FolderBind")
| where ResultStatus =~ "Succeeded"
| summarize
    AccessCount = count(),          // counts audit records; one MailItemsAccessed record can cover many items
    UniqueIPs = dcount(ClientIP),
    ClientIPSet = make_set(ClientIP, 5),
    UserAgentSet = make_set(UserAgent, 3)
    by UserId, bin(TimeGenerated, 30m)
| where AccessCount > 200 or UniqueIPs > 3
| extend UserAgents = tolower(tostring(UserAgentSet))   // flatten the set so has_any runs over a string
| extend SuspicionFlag = case(
    UserAgents has_any ("python", "curl", "requests", "java", "go-http", "urllib"), "AutomationUserAgent",
    UniqueIPs > 3, "MultiIPAccess",
    "HighVolumeAccess")
| project
    Timestamp = TimeGenerated,
    DeviceName = "",
    AccountName = UserId,
    FileName = "",
    FolderPath = "",
    ActionType = strcat("BulkMailboxAccess|", SuspicionFlag),
    InitiatingProcessFileName = tostring(UserAgentSet),
    InitiatingProcessCommandLine = strcat("IPs: ", tostring(ClientIPSet), " | Count: ", tostring(AccessCount)),
    ReportId = "",
    DetectionBranch = "RemoteEmailCollection";
LocalEmailAccess
| union RemoteEmailCollection
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects email collection across two vectors: (1) non-email-client processes (PowerShell, cmd, Python, archive tools) accessing local Outlook PST/OST files, Thunderbird profiles, or Windows Mail data stores via DeviceFileEvents; (2) bulk mailbox access via Exchange Online detected in OfficeActivity, identifying high-volume MailItemsAccessed/FolderBind operations or multi-IP access patterns indicative of programmatic email harvesting. The union approach covers both local and remote collection under the parent T1114 technique with a single alert.
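The rule above does not observe the persistent forwarding sub-technique (T1114.003) that the overview names and Test 4 in the testing section exercises. The following is an added example, not part of the page's rule, showing how the same OfficeActivity table surfaces forwarding-rule creation; it assumes Parameters holds the Exchange admin audit array of {Name, Value} objects as JSON, and the InternalDomains list is a placeholder to replace with the tenant's accepted domains.

```kusto
// Added example (not the page's rule): inbox forwarding rule creation in Exchange Online, T1114.003
// Assumption: OfficeActivity.Parameters is a JSON string holding an array of {"Name": ..., "Value": ...}
// objects, as Exchange admin audit records are logged; Outlook's own UpdateInboxRules path records its
// rule details elsewhere (OperationProperties) and is not parsed here.
let InternalDomains = dynamic(["example.invalid"]);   // PLACEHOLDER: replace with the tenant's accepted domains
let ForwardingParams = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"]);
OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where ResultStatus in~ ("True", "Succeeded")   // Exchange admin audit reports success as "True"
| mv-expand Param = parse_json(Parameters)
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| where ParamName in~ (ForwardingParams) and isnotempty(ParamValue)
// Targets arrive as "user@domain" or "smtp:user@domain"; pull the domain to decide internal vs external
| extend TargetDomain = tolower(extract(@"@([A-Za-z0-9.\-]+)", 1, ParamValue))
| extend IsExternal = isnotempty(TargetDomain) and TargetDomain !in (InternalDomains)
| summarize
    Operations = make_set(Operation, 5),
    Targets = make_set(ParamValue, 10),
    ExternalTargets = countif(IsExternal),
    SourceIPs = make_set(ClientIP, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId
// A rule forwarding outside the tenant is the classic persistence case; internal forwards still warrant review
| extend Priority = iff(ExternalTargets > 0, "High", "Medium")
| project FirstSeen, LastSeen, UserId, Priority, Operations, Targets, ExternalTargets, SourceIPs
| sort by Priority asc, LastSeen desc
```

Run it on the same 24h window as the main rule and compare against the New-InboxRule record that Test 4 expects in the Unified Audit Log.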

Data Sources

  • File: File Access
  • Application Log: Application Log Content
  • Microsoft Defender for Endpoint
  • Microsoft 365 Unified Audit Log

Required Tables

  • DeviceFileEvents
  • OfficeActivity

False Positives & Tuning

  • Enterprise backup software (Veeam Agent, Backup Exec, Windows Server Backup) accessing PST/OST files during scheduled backup windows — exclude by known backup service account and initiating process path
  • Email migration tools (MigrationWiz, BitTitan, native PST import via New-MailboxImportRequest) performing authorized mailbox migrations — coordinate with IT to exclude migration service accounts during migration windows
  • Anti-virus and EDR scanning engines (MsMpEng.exe, SentinelAgent.exe) reading email files during on-demand or scheduled scans — already excluded by LegitEmailClients list, extend as needed
  • IT administrators performing authorized mailbox exports for legal holds or e-discovery using Exchange Admin Center or New-MailboxExportRequest PowerShell cmdlet
  • Microsoft 365 compliance and archiving solutions (Mimecast, Proofpoint Archive, Microsoft Purview) performing high-volume MailItemsAccessed for compliance journaling — exclude known archiving service accounts
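One way to apply the exclusions above without editing the rule body for every new service account, as an added example rather than the page's own tuning code: keep the backup, migration, e-discovery and archiving identities in a Sentinel Watchlist and anti-join it into each branch's source table. It assumes a watchlist named EmailCollectionAllowlist (hypothetical) whose SearchKey is the account name, with an optional ProcessPath column.

```kusto
// Added example (not the page's tuning code): watchlist-driven exclusions for the T1114 rule's known benign sources
// Assumes a Sentinel Watchlist named EmailCollectionAllowlist (hypothetical) with these columns:
//   SearchKey   = account name of the backup, migration, e-discovery or archiving identity
//   ProcessPath = full path of the process allowed to touch mail stores for that account; empty = any process
//   Reason      = free text kept for the analyst, e.g. "Veeam Agent nightly backup"
let Allowlist = _GetWatchlist('EmailCollectionAllowlist')
| project AllowedAccount = tolower(SearchKey), AllowedProcessPath = tolower(tostring(ProcessPath)), Reason;
let AccountOnlyAllowlist = Allowlist | where isempty(AllowedProcessPath) | project AllowedAccount;
let AccountAndProcessAllowlist = Allowlist | where isnotempty(AllowedProcessPath) | project AllowedAccount, AllowedProcessPath;
// Branch 1 source with exclusions applied: account alone, or account plus the exact initiating process path
let LocalEmailAccessTuned = DeviceFileEvents
| where Timestamp > ago(24h)
| extend FileExtension = tolower(extract(@"\.([^.\\/]+)$", 1, FileName))
| where FileExtension in ("pst", "ost", "mbox", "eml", "msg", "dbx", "nsf")
| extend AllowedAccount = tolower(AccountName),
         AllowedProcessPath = tolower(strcat(InitiatingProcessFolderPath, @"\", InitiatingProcessFileName))
| join kind=leftanti AccountOnlyAllowlist on AllowedAccount
| join kind=leftanti AccountAndProcessAllowlist on AllowedAccount, AllowedProcessPath
| project-away AllowedAccount, AllowedProcessPath;
// Branch 2 source with exclusions applied: archiving and migration identities that legitimately bulk-read mailboxes
let RemoteEmailCollectionTuned = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("MailItemsAccessed", "MessageBind", "FolderBind")
| extend AllowedAccount = tolower(UserId)
| join kind=leftanti AccountOnlyAllowlist on AllowedAccount
| project-away AllowedAccount;
// Preview what survives before swapping the tuned sources into the rule's two branches
LocalEmailAccessTuned
| summarize SurvivingFileEvents = count() by AccountName, InitiatingProcessFileName
| union (RemoteEmailCollectionTuned | summarize SurvivingMailboxEvents = count() by UserId)
```

Once the preview looks right, replace DeviceFileEvents and OfficeActivity at the head of the rule's two branches with LocalEmailAccessTuned and RemoteEmailCollectionTuned; the rest of the rule is unchanged.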
Testing Methodology

Validate this detection with the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Copy Outlook PST/OST Files via PowerShell to Staging Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.

  2. Test 2: Enumerate Outlook Inbox via COM Object (MAPI)

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.

  3. Test 3: Remote Exchange Mailbox Enumeration via EWS SOAP Request

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.

  4. Test 4: Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with New-InboxRule command and ForwardTo parameter value. O365 Unified Audit Log (if connection succeeds): New-InboxRule operation with Parameters showing [email protected]. Sysmon Event ID 3: PowerShell connecting to O365 PowerShell endpoint (*.outlook.com port 443).
