title: Remote Email Collection (T1114.002)
id: df00tech-t1114-002
status: experimental
description: "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords."
references:
  - https://attack.mitre.org/techniques/T1114/002/
  - https://df00tech.com/detections/T1114.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1114.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; the selection below is a placeholder that matches every process_creation event and must be replaced with the KQL/SPL query on df00tech before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Compliance and eDiscovery teams running legitimate New-ComplianceSearch operations during legal holds or internal investigations — coordinate with legal/compliance team to whitelist known investigation accounts"
  - "Exchange administrators running Search-Mailbox or New-MailboxExportRequest for offboarding workflows, mailbox migrations, or backup operations — validate against change management tickets"
  - "Service accounts used by archiving solutions (Mimecast, Veritas, Barracuda) that legitimately access multiple mailboxes via EWS impersonation — these will trigger the cross-mailbox bulk access branch"
  - "Email security platforms (Proofpoint, Microsoft Defender for Office 365) using non-browser EWS user agents for retroactive threat hunting in mailboxes"
  - "Shared mailbox delegations where a single delegate legitimately manages many shared mailboxes (e.g., helpdesk, legal inbox)"
level: high
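Added example, not part of the df00tech rule or its KQL/SPL query: the two detection branches the false-positive notes describe (sensitive mailbox-search cmdlets, and one identity reaching many mailboxes through a non-browser EWS client) run over constructed audit records with an allowlist for validated compliance and archiving accounts. The record fields (`actor`, `operation`, `client`, `user_agent`, `mailbox`), the sample events and the bulk threshold of 5 are assumptions for the example, not a real log schema.

```python
"""Added example (not df00tech's rule): the two detection branches from the
false-positive notes, run over constructed mailbox-audit records."""
from collections import defaultdict

# Cmdlets named in the false-positive notes; outside known compliance or
# offboarding workflows they are the mailbox-collection signal.
SENSITIVE_CMDLETS = {"New-ComplianceSearch", "Search-Mailbox", "New-MailboxExportRequest"}
BROWSER_AGENTS = ("Mozilla/", "Chrome/", "Safari/")  # assumed browser UA prefixes

def is_browser(user_agent):
    """True when the user agent looks like an interactive browser (OWA)."""
    return user_agent.startswith(BROWSER_AGENTS)

def detect(events, allowlist, bulk_threshold=5):
    """Return (branch, actor, detail) findings. Field names are an assumed schema."""
    findings = []
    mailboxes_by_actor = defaultdict(set)
    for ev in events:
        actor = ev["actor"]
        if actor in allowlist:
            continue  # validated compliance, archiving or helpdesk accounts
        if ev.get("operation") in SENSITIVE_CMDLETS:
            findings.append(("sensitive_cmdlet", actor, ev["operation"]))
        if ev.get("client") == "EWS" and not is_browser(ev.get("user_agent", "")):
            mailboxes_by_actor[actor].add(ev["mailbox"])
    # Cross-mailbox bulk access branch: many distinct mailboxes, non-browser EWS client.
    for actor, boxes in mailboxes_by_actor.items():
        if len(boxes) >= bulk_threshold:
            findings.append(("cross_mailbox_bulk_access", actor, len(boxes)))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real audit data
    {"actor": "svc-archive", "operation": "MailItemsAccessed", "client": "EWS",
     "user_agent": "ExchangeServicesClient/15.0", "mailbox": f"user{i}@corp.example"}
    for i in range(8)  # archiving service account via EWS impersonation
] + [
    {"actor": "jdoe", "operation": "MailItemsAccessed", "client": "EWS",
     "user_agent": "EwsClient/1.0", "mailbox": f"user{i}@corp.example"}
    for i in range(6)  # one user reading six other mailboxes
] + [
    {"actor": "jdoe", "operation": "Search-Mailbox", "client": "PowerShell",
     "user_agent": "", "mailbox": "ceo@corp.example"},
    {"actor": "ediscovery-admin", "operation": "New-ComplianceSearch",
     "client": "PowerShell", "user_agent": "", "mailbox": "*"},
    {"actor": "asmith", "operation": "MailItemsAccessed", "client": "EWS",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "mailbox": "asmith@corp.example"},
]
ALLOWLIST = {"svc-archive", "ediscovery-admin"}  # validated against change tickets

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, ALLOWLIST):
        print(finding)
```

With the allowlist applied only `jdoe` is reported, once per branch; with an empty allowlist the archiving and eDiscovery accounts surface too, which is the noise the false-positive notes warn about.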
