title: Local Email Collection (T1114.001)
id: df00tech-t1114-001
status: experimental
description: "Adversaries may target user email on local systems to collect sensitive information. Outlook stores email data in offline data files (.ost) and personal storage table files (.pst), typically located in C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Outlook or C:\\Users\\<username>\\Documents\\Outlook Files. Threat actors access, copy, or exfiltrate these files to harvest credentials, reconnaissance data, business intelligence, or email threads for thread-hijacking phishing campaigns. Groups such as APT1, QakBot, Carbanak, and RedCurl have all employed this technique at scale."
references:
  - https://attack.mitre.org/techniques/T1114/001/
  - https://df00tech.com/detections/T1114.001
author: df00tech
date: 2026/04/18
tags:
  - attack.t1114.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches every process_creation event and must be
  # replaced with that query before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup agents (Veeam, Acronis, Windows Backup, Azure Backup) that enumerate and copy user profile data including Outlook stores — these typically run under service accounts with known parent processes"
  - "IT migration tools (BitTitan MigrationWiz, PST Capture Tool, Barracuda PST Enterprise) used during Exchange Online migrations to collect and import PST files"
  - "Antivirus and DLP scanning engines that access .pst/.ost files for content inspection — notably Symantec DLP, Forcepoint, and Microsoft Purview"
  - "Third-party Outlook add-ins or backup utilities (e.g., MailStore, Mailbird, Stellar OST to PST Converter) that legitimately access offline email stores"
  - "SearchIndexer.exe or SearchProtocolHost.exe Windows Search indexing — already excluded in TrustedOutlookProcesses but may appear under alternate process names"
level: high
