Detect Email Collection in Sumo Logic CSE
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1114 Email Collection
- Canonical reference
- https://attack.mitre.org/techniques/T1114/
Sumo Detection Query
// T1114 Email Collection - Email data store files created by suspicious processes (Sysmon Event ID 11, FileCreate)
_sourceCategory=*windows*sysmon* EventID=11
| parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as TargetFilename nodrop
| parse "<Image><![CDATA[*]]></Image>" as Image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
| parse "<User>*</User>" as User nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
// Normalise case once so OUTLOOK.EXE / outlook.exe and .PST / .pst each need a single pattern
| toLowerCase(TargetFilename) as target_lc
| toLowerCase(Image) as image_lc
| where target_lc matches "*.pst"
    or target_lc matches "*.ost"
    or target_lc matches "*.mbox"
    or target_lc matches "*.eml"
    or target_lc matches "*.msg"
    or target_lc matches "*.dbx"
    or target_lc matches "*.nsf"
// Allowlist of mail clients, Windows Search and endpoint protection (matched on image name only)
| where !(image_lc matches "*\\outlook.exe"
    or image_lc matches "*\\thunderbird.exe"
    or image_lc matches "*\\searchindexer.exe"
    or image_lc matches "*\\searchprotocolhost.exe"
    or image_lc matches "*\\msmpeng.exe"
    or image_lc matches "*\\mssense.exe"
    or image_lc matches "*\\msedge.exe")
// Weighted scoring. Sumo Logic has no eval operator: each component is an if() ... as field, then summed
| if(image_lc matches "*\\powershell.exe" or image_lc matches "*\\pwsh.exe" or image_lc matches "*\\cmd.exe" or image_lc matches "*\\python*.exe" or image_lc matches "*\\wscript.exe" or image_lc matches "*\\cscript.exe" or image_lc matches "*\\mshta.exe", 3, 0) as script_score
| if(image_lc matches "*\\robocopy.exe" or image_lc matches "*\\xcopy.exe" or image_lc matches "*\\7z.exe" or image_lc matches "*\\winrar.exe" or image_lc matches "*\\rar.exe" or image_lc matches "*\\curl.exe" or image_lc matches "*\\wget.exe", 3, 0) as tool_score
| if(target_lc matches "*appdata*outlook*" or target_lc matches "*appdata*thunderbird*" or target_lc matches "*appdata*windows mail*", 2, 0) as path_score
| if(target_lc matches "*.pst" or target_lc matches "*.ost", 1, 0) as ext_score
| script_score + tool_score + path_score + ext_score as SuspicionScore
| where SuspicionScore > 0
| if(target_lc matches "*.pst", "OutlookPST",
    if(target_lc matches "*.ost", "OutlookOST",
    if(target_lc matches "*.mbox", "MboxArchive",
    if(target_lc matches "*.msg", "OutlookMessage",
    if(target_lc matches "*.eml", "EmailFile", "OtherEmailFile"))))) as EmailFileType
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, EmailFileType, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc
Sumo Logic query over Sysmon Event ID 11 (FileCreate) that flags email data store files written by processes other than the mail clients, the Windows Search indexer and endpoint protection components. Each hit carries a weighted suspicion score: scripting engines and copy, archive and download tools weigh most, a target path inside an Outlook, Thunderbird or Windows Mail profile adds two, and a .pst/.ost extension adds one. Any process that creates a .pst/.ost therefore scores at least 1 and is surfaced, while an .eml or .msg written by an unlisted process outside those profile paths scores 0 and is dropped. The output classifies the email file type for triage.
Caveats a practitioner should keep in mind: Event ID 11 fires only when a file is created, so the query sees the export or staging side of collection (a PST copied to a temp folder, an .mbox written by a script) and not in-place reads of a mailbox; Sysmon's FileCreate event carries no CommandLine, so that column stays empty unless the pipeline enriches it from the matching Event ID 1 via ProcessGuid; the Sysmon configuration must record FileCreate for these extensions, which many baseline configurations do not; and the allowlist is matched on image name only, so a binary renamed to outlook.exe is excluded along with the real client.
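To check the filter and scoring logic offline before deploying the rule, the following Python replica runs the same exclusion list, weights and ordering over constructed Sysmon Event ID 11 records. It is an added example, not code from the page or from Sumo Logic; the hostnames, users, paths and the XML record shape are assumptions chosen to match the parse anchors the query uses, and the renamed-binary and zero-score records illustrate the caveats described above.

```python
"""Offline replica of the T1114 Sumo query: parse constructed Sysmon Event ID 11 records,
apply the exclusion list and weighted SuspicionScore, and order hits the way the query does."""
import re
from fnmatch import fnmatch

# Pattern lists mirror the query. Everything is compared lower-cased, so one entry
# covers OUTLOOK.EXE / outlook.exe and .PST / .pst.
EMAIL_EXTS = (".pst", ".ost", ".mbox", ".eml", ".msg", ".dbx", ".nsf")
EXCLUDED_IMAGES = ("outlook.exe", "thunderbird.exe", "searchindexer.exe",
                   "searchprotocolhost.exe", "msmpeng.exe", "mssense.exe", "msedge.exe")
SCRIPT_ENGINES = ("powershell.exe", "pwsh.exe", "cmd.exe", "python*.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe")
STAGING_TOOLS = ("robocopy.exe", "xcopy.exe", "7z.exe", "winrar.exe",
                 "rar.exe", "curl.exe", "wget.exe")
CLIENT_STORE_PATHS = ("*appdata*outlook*", "*appdata*thunderbird*", "*appdata*windows mail*")

# Same anchors as the query's parse lines: CDATA wrapping for the path fields, plain for the rest.
FIELD_PATTERNS = {
    "TargetFilename": re.compile(r"<TargetFilename><!\[CDATA\[(.*?)\]\]></TargetFilename>"),
    "Image": re.compile(r"<Image><!\[CDATA\[(.*?)\]\]></Image>"),
    "CommandLine": re.compile(r"<CommandLine><!\[CDATA\[(.*?)\]\]></CommandLine>"),
    "User": re.compile(r"<User>(.*?)</User>"),
    "Computer": re.compile(r"<Computer>(.*?)</Computer>"),
    "EventID": re.compile(r"<EventID>(\d+)</EventID>"),
    "_messageTime": re.compile(r"<TimeCreated SystemTime='([^']+)'/>"),
}


def parse_event(xml: str) -> dict:
    """Pull the fields the query parses; a missing field is left empty (the nodrop behaviour)."""
    event = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(xml)
        event[name] = match.group(1) if match else ""
    return event


def classify(target_lc: str) -> str:
    """EmailFileType label, same precedence as the nested if() in the query."""
    for ext, label in ((".pst", "OutlookPST"), (".ost", "OutlookOST"), (".mbox", "MboxArchive"),
                       (".msg", "OutlookMessage"), (".eml", "EmailFile")):
        if target_lc.endswith(ext):
            return label
    return "OtherEmailFile"


def score_event(event: dict):
    """Return the enriched hit, or None when the query's filters would drop the record."""
    if event["EventID"] != "11":
        return None
    target_lc = event["TargetFilename"].lower()
    image_lc = event["Image"].lower().rsplit("\\", 1)[-1]   # basename, as "*\\name.exe" matches it
    if not target_lc.endswith(EMAIL_EXTS):
        return None
    if image_lc in EXCLUDED_IMAGES:                         # name-only allowlist (see caveat)
        return None
    score = 0
    if any(fnmatch(image_lc, p) for p in SCRIPT_ENGINES):
        score += 3
    if image_lc in STAGING_TOOLS:
        score += 3
    if any(fnmatch(target_lc, p) for p in CLIENT_STORE_PATHS):
        score += 2
    if target_lc.endswith((".pst", ".ost")):
        score += 1
    if score == 0:                                          # where SuspicionScore > 0
        return None
    return {**event, "EmailFileType": classify(target_lc), "SuspicionScore": score}


def run_detection(raw_events):
    """Parse and score every record, then sort by SuspicionScore desc, _messageTime desc."""
    hits = [h for h in (score_event(parse_event(x)) for x in raw_events) if h is not None]
    hits.sort(key=lambda h: h["_messageTime"], reverse=True)   # stable two-pass sort
    hits.sort(key=lambda h: h["SuspicionScore"], reverse=True)
    return hits


def sysmon_filecreate(ts, computer, user, image, target):
    """Constructed Sysmon Event ID 11 record in the XML shape the query's parse lines expect.
    Real FileCreate events carry no CommandLine, so none is emitted here."""
    return (f"<Event><System><EventID>11</EventID><TimeCreated SystemTime='{ts}'/>"
            f"<Computer>{computer}</Computer></System><EventData><User>{user}</User>"
            f"<Image><![CDATA[{image}]]></Image>"
            f"<TargetFilename><![CDATA[{target}]]></TargetFilename></EventData></Event>")


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    sysmon_filecreate("2024-05-01T10:00:01Z", "WS01", r"CORP\alice",
                      r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      r"C:\Users\alice\AppData\Local\Temp\email_staging\alice.ost"),   # script +3, .ost +1
    sysmon_filecreate("2024-05-01T10:00:02Z", "WS01", r"CORP\alice",
                      r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                      r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"),    # real client, excluded
    sysmon_filecreate("2024-05-01T10:05:00Z", "FS02", r"CORP\svc_backup",
                      r"C:\Windows\System32\Robocopy.exe",
                      r"D:\staging\mail\archive2023.pst"),                               # tool +3, .pst +1
    sysmon_filecreate("2024-05-01T10:07:00Z", "WS03", r"CORP\bob",
                      r"C:\Users\bob\AppData\Local\Temp\outlook.exe",
                      r"C:\Users\bob\AppData\Local\Temp\dump.pst"),                      # renamed binary slips the allowlist
    sysmon_filecreate("2024-05-01T10:09:00Z", "WS03", r"CORP\bob",
                      r"C:\Windows\explorer.exe",
                      r"C:\Users\bob\Downloads\invoice.eml"),                            # scores 0, dropped
    sysmon_filecreate("2024-05-01T10:11:00Z", "WS04", r"CORP\carol",
                      r"C:\Python311\python.exe",
                      r"C:\Users\carol\AppData\Roaming\Thunderbird\Profiles\k3x.default\export.mbox"),  # script +3, path +2
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["SuspicionScore"], hit["Computer"], hit["User"], hit["EmailFileType"], hit["TargetFilename"])
```

Running it surfaces three hits, the Thunderbird-profile .mbox written by python.exe first, and silently drops the copy made by the binary renamed to outlook.exe, which is the gap a process-hash or signer check on the allowlist would close.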
Data Sources
- Sysmon Event ID 11 (FileCreate) from Windows endpoints, ingested under a _sourceCategory matching *windows*sysmon* and in the XML form the parse lines above expect (<Image><![CDATA[...]]></Image>, <TargetFilename><![CDATA[...]]></TargetFilename>, <User>, <Computer>)
- CommandLine is parsed with nodrop and will be empty unless the pipeline enriches FileCreate events from Event ID 1
False Positives & Tuning
- PST Capture tool or similar Microsoft-provided migration utilities that run as cmd.exe subprocesses when packaging PST files for archival
- Security awareness training platforms running email phishing simulations that generate EML files in user profile directories
- Corporate DLP agents built on scripting runtimes that scan outbound email attachments stored temporarily in AppData paths
Testing Methodology
Validate this detection against the 4 adversary techniques below, drawn from the Atomic Red Team tests for T1114. Each test lists the behaviour to exercise and the telemetry you should expect to see. Only Test 1 writes .pst/.ost files and so exercises the Sysmon Event ID 11 query above; Tests 2 to 4 produce Event ID 1, 3 and 7, PowerShell ScriptBlock and Microsoft 365 Unified Audit Log telemetry that this query does not consume, so confirm those sources have their own coverage. Executable commands and cleanup steps are available with Pro.
- Test 1: Copy Outlook PST/OST Files via PowerShell to Staging Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.
- Test 2: Enumerate Outlook Inbox via COM Object (MAPI)
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.
- Test 3: Remote Exchange Mailbox Enumeration via EWS SOAP Request
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.
- Test 4: Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and the target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with the New-InboxRule command and the ForwardTo parameter value. O365 Unified Audit Log (if the connection succeeds): New-InboxRule operation with Parameters showing the ForwardTo address. Sysmon Event ID 3: PowerShell connecting to the O365 PowerShell endpoint (*.outlook.com, port 443).
References (9)
- https://attack.mitre.org/techniques/T1114/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
- https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about