title: Email Collection (T1114)
id: df00tech-t1114
status: experimental
description: "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique."
references:
  - https://attack.mitre.org/techniques/T1114/
  - https://df00tech.com/detections/T1114
author: df00tech
date: 2026/04/18
tags:
  - attack.t1114
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: 'EventID: *' matches every event, so this rule
  # must not be deployed as-is. Replace it with the translated query before enabling.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise backup software (Veeam Agent, Backup Exec, Windows Server Backup) accessing PST/OST files during scheduled backup windows — exclude by known backup service account and initiating process path"
  - "Email migration tools (MigrationWiz, BitTitan, native PST import via New-MailboxImportRequest) performing authorized mailbox migrations — coordinate with IT to exclude migration service accounts during migration windows"
  - "Anti-virus and EDR scanning engines (MsMpEng.exe, SentinelAgent.exe) reading email files during on-demand or scheduled scans — already excluded by LegitEmailClients list, extend as needed"
  - "IT administrators performing authorized mailbox exports for legal holds or e-discovery using Exchange Admin Center or the New-MailboxExportRequest PowerShell cmdlet"
  - "Microsoft 365 compliance and archiving solutions (Mimecast, Proofpoint Archive, Microsoft Purview) performing high-volume MailItemsAccessed for compliance journaling — exclude known archiving service accounts"
level: high
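The false-positive list above describes exclusion logic rather than implementing it. The following is an added illustration, not part of the df00tech rule and not the KQL/SPL query it points to: a small Python triage filter that applies those exclusions (backup account plus initiating process path, migration account within a migration window, scanner process names, archiving accounts on MailItemsAccessed, a volume threshold for MailItemsAccessed) to constructed events. The event field names, account names, process paths, the migration window and the 500-item threshold are all assumptions a deploying analyst would replace.

```python
"""Triage filter for the T1114 false positives listed in the rule above.

Added illustration, not df00tech's detection logic. Field names, account
names, paths and thresholds are assumed; the sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# --- exclusion data (all placeholder values, replace per environment) ---
BACKUP_SERVICE_ACCOUNTS = {"svc-veeam", "svc-backupexec"}
BACKUP_PROCESS_PATHS = (          # prefix match on the initiating process path
    r"c:\program files\veeam",
    r"c:\program files\symantec\backup exec",
    r"c:\windows\system32\wbadmin.exe",
)
MIGRATION_SERVICE_ACCOUNTS = {"svc-migrationwiz"}
MIGRATION_WINDOW = (              # assumed approved window, UTC
    datetime(2026, 4, 18, 22, 0, tzinfo=timezone.utc),
    datetime(2026, 4, 19, 4, 0, tzinfo=timezone.utc),
)
# Stand-in for the rule's LegitEmailClients list, extended with the scanners named above.
LEGIT_EMAIL_CLIENTS = {"outlook.exe", "msmpeng.exe", "sentinelagent.exe"}
ARCHIVING_SERVICE_ACCOUNTS = {"svc-purview-journal", "svc-mimecast"}
MAILITEMS_VOLUME_THRESHOLD = 500  # assumed: items per MailItemsAccessed event that count as bulk


@dataclass
class Event:
    timestamp: datetime
    user: str
    operation: str           # "FileRead", "MailItemsAccessed", "MailboxExport"
    target: str              # PST/OST path or mailbox identity
    process_path: str = ""   # initiating process (endpoint events only)
    item_count: int = 1      # MailItemsAccessed volume


def process_name(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suppression_reason(ev: Event) -> Optional[str]:
    """Return the matching false-positive category, or None if the event should alert."""
    user = ev.user.lower()
    path = ev.process_path.lower()
    is_mail_file_read = ev.operation == "FileRead" and ev.target.lower().endswith((".pst", ".ost"))
    # Backup: the account alone is not enough; the process path must match too,
    # so a backup account driving PowerShell at a PST still alerts.
    if is_mail_file_read and user in BACKUP_SERVICE_ACCOUNTS and path.startswith(BACKUP_PROCESS_PATHS):
        return "backup"
    # Migration: only inside the coordinated window.
    if user in MIGRATION_SERVICE_ACCOUNTS and MIGRATION_WINDOW[0] <= ev.timestamp <= MIGRATION_WINDOW[1]:
        return "migration"
    # AV/EDR engines reading mail files during scans.
    if is_mail_file_read and process_name(path) in LEGIT_EMAIL_CLIENTS:
        return "scanner"
    # Compliance journaling produces high-volume MailItemsAccessed by design.
    if ev.operation == "MailItemsAccessed" and user in ARCHIVING_SERVICE_ACCOUNTS:
        return "archiving"
    return None


def triage(events):
    """Return the events that survive the false-positive filter and warrant an alert."""
    alerts = []
    for ev in events:
        if ev.operation == "MailItemsAccessed" and ev.item_count < MAILITEMS_VOLUME_THRESHOLD:
            continue  # routine mail reading, not bulk collection
        if suppression_reason(ev) is None:
            alerts.append(ev)
    return alerts


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (not captured from a real tenant or endpoint).
SAMPLE_EVENTS = [
    Event(ts("2026-04-18T23:10:00"), "svc-veeam", "FileRead", r"\\fs01\users\alice\outlook.pst",
          r"C:\Program Files\Veeam\Veeam.Agent.exe"),                                   # backup -> suppressed
    Event(ts("2026-04-18T23:12:00"), "svc-veeam", "FileRead", r"\\fs01\users\alice\outlook.pst",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),               # wrong process -> alert
    Event(ts("2026-04-18T23:30:00"), "svc-migrationwiz", "MailItemsAccessed", "alice@example.test",
          item_count=4000),                                                               # in window -> suppressed
    Event(ts("2026-04-19T09:00:00"), "svc-migrationwiz", "MailItemsAccessed", "alice@example.test",
          item_count=4000),                                                               # outside window -> alert
    Event(ts("2026-04-19T10:00:00"), "alice", "FileRead", r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost",
          r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"),     # scanner -> suppressed
    Event(ts("2026-04-19T10:05:00"), "svc-purview-journal", "MailItemsAccessed", "bob@example.test",
          item_count=12000),                                                              # archiving -> suppressed
    Event(ts("2026-04-19T10:07:00"), "bob", "MailItemsAccessed", "bob@example.test", item_count=20),  # below threshold
    Event(ts("2026-04-19T11:00:00"), "bob", "MailItemsAccessed", "ceo@example.test", item_count=2500),  # -> alert
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev.timestamp:%Y-%m-%d %H:%M} {ev.user} {ev.operation} {ev.target}")
```

The point the backup and migration cases make is that each exclusion in the list is a conjunction (account and process path, account and time window), not an allow-list of accounts; dropping either half of the condition would let a compromised service account collect mail unseen.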
