
Detect Email Collection in Splunk

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Canonical reference
https://attack.mitre.org/techniques/T1114/

SPL Detection Query

Splunk (SPL)
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.pst" OR TargetFilename="*.ost" OR TargetFilename="*.mbox"
   OR TargetFilename="*.eml" OR TargetFilename="*.msg" OR TargetFilename="*.dbx" OR TargetFilename="*.nsf")
  NOT (
    Image="*\\outlook.exe"
    OR Image="*\\thunderbird.exe"
    OR Image="*\\SearchIndexer.exe"
    OR Image="*\\SearchProtocolHost.exe"
    OR Image="*\\MsMpEng.exe"
    OR Image="*\\MsSense.exe"
  )
)
``` T1114 Email Collection: Sysmon Event ID 11 (FileCreate) on local email data stores. Fires when a process that is not a mail client, search indexer or AV engine creates a PST/OST/MBOX/EML/MSG/DBX/NSF file, which is what copying or staging a mailbox store looks like. field=value matching is case-insensitive, so outlook.exe above also covers OUTLOOK.EXE ```
| eval SuspicionScore=0
``` +3 for scripting hosts, +3 for copy, archive and transfer tools ```
| eval SuspicionScore=if(match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), SuspicionScore+3, SuspicionScore)
| eval SuspicionScore=if(match(Image, "(?i)(robocopy\.exe|xcopy\.exe|7z\.exe|winrar\.exe|rar\.exe|curl\.exe|wget\.exe)"), SuspicionScore+3, SuspicionScore)
``` +2 when the created file lands inside a mail profile folder; EID 11 records the destination path, not the source being copied ```
| eval SuspicionScore=if(match(lower(TargetFilename), "(appdata.*outlook|appdata.*thunderbird|appdata.*windows mail)"), SuspicionScore+2, SuspicionScore)
``` +1 for the highest-value store types ```
| eval SuspicionScore=if(match(TargetFilename, "(?i)(\.pst$|\.ost$)"), SuspicionScore+1, SuspicionScore)
| eval EmailFileType=case(
    match(TargetFilename, "(?i)\.pst$"), "OutlookPST",
    match(TargetFilename, "(?i)\.ost$"), "OutlookOST",
    match(TargetFilename, "(?i)\.mbox$"), "MboxArchive",
    match(TargetFilename, "(?i)\.msg$"), "OutlookMessage",
    match(TargetFilename, "(?i)\.eml$"), "EmailFile",
    1==1, "OtherEmailFile")
``` events that score 0 are dropped here; relax this when hunting ```
| where SuspicionScore > 0
| eval AccountName=coalesce(User, "Unknown")
| table _time, host, AccountName, Image, CommandLine, TargetFilename, EmailFileType, SuspicionScore
| sort - SuspicionScore, - _time
Severity
high
Confidence
medium

Uses Sysmon Event ID 11 (FileCreate) to surface processes other than mail clients, search indexers and AV/EDR engines that create local email data store files. Because Event ID 11 records file creation rather than reads, the query sees the copy, not the original: it fires when a PST, OST, MBOX or message file is written to a new location (staging in %TEMP%, a robocopy to a share, an export dropped by a script), and it does not see a process that opens an existing OST in place. The cumulative SuspicionScore adds +3 for scripting hosts and +3 for copy, archive and transfer tools, +2 when the created file lands inside an Outlook, Thunderbird or Windows Mail profile folder under AppData (this is the destination path, so it rewards writes into the mail profile rather than copies out of it), and +1 for PST/OST as the highest-value stores. Events that score 0, such as an unrecognised binary writing .eml or .msg files outside a mail profile folder, are dropped by the final where clause; widen or remove that filter when hunting.
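
To see what the exclusion list, the score increments and the final where clause do to concrete events without a Splunk instance, here is an added Python model of the query's logic (not code from the original page or from the detection's authors) run over constructed Sysmon Event ID 11 records; the paths, hostnames and account names in it are made up.

```python
"""Offline model of the SPL scoring above, run over constructed Sysmon Event ID 11
records. Added example, not part of the original detection page: it mirrors the query's
exclusions, score increments and final where clause so the effect of each can be seen
without a Splunk instance. Paths, process names and users below are constructed."""
import re
from dataclasses import dataclass

# Mirrors the NOT (...) clause; lower-cased because Splunk field=value matching is case-insensitive.
EXCLUDED_IMAGES = {"outlook.exe", "thunderbird.exe", "searchindexer.exe",
                   "searchprotocolhost.exe", "msmpeng.exe", "mssense.exe"}
# Mirrors the TargetFilename="*.ext" terms of the base search.
EMAIL_EXTENSIONS = (".pst", ".ost", ".mbox", ".eml", ".msg", ".dbx", ".nsf")
# The regexes used by the query's eval statements, unchanged.
SCRIPT_HOSTS = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe|mshta\.exe)")
COPY_TOOLS = re.compile(r"(?i)(robocopy\.exe|xcopy\.exe|7z\.exe|winrar\.exe|rar\.exe|curl\.exe|wget\.exe)")
MAIL_PROFILE_PATH = re.compile(r"(appdata.*outlook|appdata.*thunderbird|appdata.*windows mail)")
FILE_TYPES = [(".pst", "OutlookPST"), (".ost", "OutlookOST"), (".mbox", "MboxArchive"),
              (".msg", "OutlookMessage"), (".eml", "EmailFile")]


@dataclass
class FileCreate:
    """The Sysmon EID 11 fields the query reads."""
    image: str
    target: str
    user: str = "Unknown"


def email_file_type(target):
    """Same buckets as the query's case() statement."""
    low = target.lower()
    for ext, label in FILE_TYPES:
        if low.endswith(ext):
            return label
    return "OtherEmailFile"


def score(ev):
    """Return (SuspicionScore, EmailFileType), or None when the query would not emit the event."""
    if not ev.target.lower().endswith(EMAIL_EXTENSIONS):
        return None                                   # base search: extension filter
    if ev.image.rsplit("\\", 1)[-1].lower() in EXCLUDED_IMAGES:
        return None                                   # NOT (...) exclusion list
    s = 0
    if SCRIPT_HOSTS.search(ev.image):
        s += 3                                        # scripting host
    if COPY_TOOLS.search(ev.image):
        s += 3                                        # copy / archive / transfer tool
    if MAIL_PROFILE_PATH.search(ev.target.lower()):
        s += 2                                        # created inside a mail profile folder (destination path)
    if re.search(r"(?i)(\.pst$|\.ost$)", ev.target):
        s += 1                                        # highest-value store types
    if s == 0:
        return None                                   # | where SuspicionScore > 0
    return s, email_file_type(ev.target)


def triage(events):
    """Rows the query's table/sort would produce, highest score first."""
    rows = []
    for ev in events:
        hit = score(ev)
        if hit:
            rows.append({"AccountName": ev.user, "Image": ev.image, "TargetFilename": ev.target,
                         "EmailFileType": hit[1], "SuspicionScore": hit[0]})
    return sorted(rows, key=lambda r: -r["SuspicionScore"])


# Constructed sample events, one per behaviour of interest.
SAMPLE_EVENTS = [
    # PowerShell staging an OST copy in %TEMP%: +3 (script host) +1 (.ost) = 4
    FileCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\alice\AppData\Local\Temp\email_staging\alice.ost", r"CONTOSO\alice"),
    # Outlook itself writing its own OST: excluded by the NOT clause
    FileCreate(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
               r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@contoso.com.ost", r"CONTOSO\alice"),
    # robocopy writing a PST to a share: +3 (copy tool) +1 (.pst) = 4
    FileCreate(r"C:\Windows\System32\Robocopy.exe", r"\\fileserver\backup$\alice.pst", r"CONTOSO\alice"),
    # Unknown binary writing .eml files outside a mail profile: score 0, silently dropped
    FileCreate(r"C:\Tools\harvest.exe", r"C:\staging\msg001.eml", r"CONTOSO\alice"),
    # cmd.exe writing an mbox inside the Thunderbird profile: +3 (script host) +2 (profile path) = 5
    FileCreate(r"C:\Windows\System32\cmd.exe",
               r"C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\x7q.default\Mail\Local Folders\Archive.mbox",
               r"CONTOSO\bob"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["SuspicionScore"], row["EmailFileType"], row["Image"], row["TargetFilename"])
```

Two things the run makes visible: the unknown harvest.exe writing .eml files never reaches the table because it scores 0, and the PowerShell copy into %TEMP% earns the +1 for .ost but not the +2 path bonus, since that bonus keys on the destination path. Both are tuning decisions in the query, not defects in the model.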

Data Sources

File: File Access (ATT&CK data source for T1114; reads of an existing store are not captured by this query)
File: File Creation
Sysmon Event ID 11 (FileCreate)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Enterprise backup agents writing PST/OST copies during scheduled backup windows: add the backup agent's process path to the NOT exclusion list
  • Email migration tools (PST import utilities, the MigrationWiz agent) performing authorised mailbox data operations during announced migration projects
  • Anti-virus or EDR agents with non-standard process names that quarantine or copy files for scanning: extend the exclusion list with verified scanner paths
  • IT automation scripts (SCCM baseline scripts, auditing tools) that inventory or relocate email archive files: coordinate expected script hashes with change management
  • User-initiated archive operations with 7-Zip or WinRAR on old PST files: often legitimate, but a .pst written by an archiver warrants confirmation with the user
  • Coverage gap rather than noise: the final where SuspicionScore > 0 drops any event whose Image matches neither regex and whose TargetFilename is neither .pst/.ost nor inside a mail profile folder, so an unrecognised binary writing .eml or .msg files to a staging directory is never shown. For hunting, replace the where clause with stats count by Image, TargetFilename.
  • The +2 path bonus keys on the path of the created file, so a copy out of AppData\Local\Microsoft\Outlook into C:\Temp or a network share scores only on process and extension; pair this query with one that watches staging locations, removable media and shares.

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Only Test 1 produces the Sysmon Event ID 11 file creations that the SPL query above scores; Tests 2 to 4 exercise the COM, EWS and inbox-rule variants and need queries over script block, network and Office 365 audit telemetry, so use them to confirm that those sources are actually flowing into Splunk.

  1. Test 1: Copy Outlook PST/OST Files via PowerShell to Staging Directory

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe with CommandLine containing 'Get-ChildItem', 'Outlook' and 'Copy-Item'. Sysmon Event ID 11 (FileCreate): one event per OST/PST copied into %TEMP%\email_staging, each with Image=powershell.exe; these are the events the SPL query above scores (+3 for powershell.exe, +1 for .pst/.ost). DeviceFileEvents (MDE): FileCreated for the .ost/.pst copies with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process whose command line references Outlook and Copy-Item.

  2. Test 2: Enumerate Outlook Inbox via COM Object (MAPI)

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI' and 'GetDefaultFolder'. Outlook.Application is an out-of-process COM server, so the MAPI libraries (olmapi32.dll, MSPST32.dll) load into outlook.exe rather than into powershell.exe: if Outlook is not already running, expect a Sysmon Event ID 1 for outlook.exe started with the -Embedding switch under the DcomLaunch service host; if it is running, the existing instance is reused and no new process appears. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv (a .csv, so it does not trigger the SPL query above). DeviceImageLoadEvents (MDE): MAPI library loads in a process that is neither outlook.exe nor a known add-in host are the anomaly to look for, not loads in powershell.exe.

  3. Test 3: Remote Exchange Mailbox Enumeration via EWS SOAP Request

    Expected signal: Sysmon Event ID 3: network connection from powershell.exe to outlook.office365.com on destination port 443 (match on DestinationHostname or on Microsoft's published Exchange Online endpoint list rather than a hard-coded IP range, which changes). DeviceNetworkEvents (MDE): ConnectionSuccess or ConnectionFailed from powershell.exe to the EWS endpoint. PowerShell ScriptBlock Log (Event ID 4104): the SOAP request body including the 'FindItem', 'inbox' and 'EWS' strings. O365 Unified Audit Log: a MailItemsAccessed operation for the target mailbox only if authentication succeeds and that operation is audited in the tenant; a failed authentication shows up as an Entra ID sign-in failure, not as a MailItemsAccessed record.

  4. Test 4: Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo' and the target email address. PowerShell ScriptBlock Log (Event ID 4104): the full script with the New-InboxRule command and the ForwardTo parameter value. O365 Unified Audit Log (if the connection succeeds): a New-InboxRule record whose Parameters array carries ForwardTo with the external address; Set-InboxRule, and Set-Mailbox with ForwardingSmtpAddress, reach the same outcome and belong in the same rule. Sysmon Event ID 3: PowerShell connecting to the Exchange Online PowerShell endpoint (*.outlook.com, port 443).
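
Test 4's Unified Audit Log signal can be checked directly from exported records. The following is an added Python example, not code from the original page or from Atomic Red Team, that takes Exchange admin audit records in the shape the Unified Audit Log exports them (Operation, UserId, and a Parameters list of Name/Value pairs) and flags forwarding to addresses outside the organisation. The records and the ORG_DOMAINS set are constructed; Set-Mailbox with ForwardingSmtpAddress is included because it reaches the same outcome as an inbox rule.

```python
"""Flag Exchange admin audit records (Office 365 Unified Audit Log) whose inbox rule or
mailbox change forwards mail outside the organisation. Added example, not part of the
original page; the records below are constructed and ORG_DOMAINS is an assumed setting."""
import re

ORG_DOMAINS = {"contoso.com"}                     # assumption: the tenant's accepted domains
# Parameters that deliver a copy of mail elsewhere, across inbox rules and mailbox settings.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Folders attackers commonly use to hide forwarded copies from the mailbox owner.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


def parameters(record):
    """UAL Exchange admin records carry Parameters as a list of {Name, Value} pairs."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def forwarding_targets(record):
    """Addresses the operation forwards to. Value strings vary (plain address, 'smtp:addr',
    or '"Display Name" [SMTP:addr]'), so pull anything that looks like an address."""
    addrs = []
    for name, value in parameters(record).items():
        if name in FORWARD_PARAMS:
            addrs.extend(a.lower() for a in EMAIL_RE.findall(value))
    return addrs


def external_forwarding(record, org_domains=ORG_DOMAINS):
    """Return a finding for a record that forwards outside org_domains, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    external = sorted({a for a in forwarding_targets(record)
                       if a.rsplit("@", 1)[1] not in org_domains})
    if not external:
        return None
    params = parameters(record)
    return {
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "external": external,
        # A rule that also deletes, marks read, or files the mail away is hiding the copy.
        "hides_evidence": (params.get("DeleteMessage") == "True"
                           or params.get("MarkAsRead") == "True"
                           or params.get("MoveToFolder", "").lower().endswith(HIDING_FOLDERS)),
    }


def findings(records):
    return [f for f in map(external_forwarding, records) if f]


# Constructed records in the Unified Audit Log's Exchange admin shape.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"mail archive" [SMTP:archive.alice@example.net]'},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "To assistant"},
                    {"Name": "ForwardTo", "Value": "carol@contoso.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "dave"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.backup@example.org"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "erin@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    for f in findings(SAMPLE_RECORDS):
        print(f["user"], f["operation"], f["external"], "hides evidence" if f["hides_evidence"] else "")
```

The internal forward (bob to carol) and the move-only rule (erin) produce nothing; alice's rule is flagged and marked as hiding evidence because it deletes and files into RSS Feeds, and the admin-side Set-Mailbox forward is flagged even though it is not an inbox rule at all. Feed the same function the ForwardTo values from Event ID 4104 script blocks if the tenant-side record never arrives.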
