Description
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\ or C:\Users\.(Citation: Microsoft Outlook Files)
Platforms
Mitigations (2)
Out-of-Band Communications ChannelM1060
Implement secure out-of-band alerts to notify security teams of unusual local email activities, such as mass forwarding or large attachments being sent, indicating potential data exfiltration attempts.(Citation: TrustedSec OOB Communications)
Encrypt Sensitive InformationM1041
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has collected documents from victims' email accounts.(Citation: Palo Alto Ashen Lepus DEC 2025) |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has collected emails to use in future phishing campaigns.(Citation: group-ib_redcurl1) |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) collected email archives from victim environments.(Citation: Hunt Sea Turtle 2024) |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has harvested data from victim's e-mail including through execution of <code>wmic /node:<ip> process ... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has collected .PST archives.(Citation: FireEye APT35 2018) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has exfiltrated stored emails from compromised hosts.(Citation: ESET MirrorFace DEC 2022) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered malicious JavaScript payloads capable of exfiltrating email messages from exploited e... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) can capture the recipients of sent email messages from compromised accounts.(Citation: ESET Turla... |
| S0226 | Smoke Loader | Malware | [Smoke Loader](https://attack.mitre.org/software/S0226) searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation:... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can interact with a victim’s Outlook session and look through folders and emails.(Citation: GitHub Pup... |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) searches recursively for Outlook personal storage tables (PST) files within user directories and s... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) contains a command to collect and exfiltrate emails from Outlook.(Citation: Proofpoint Operation Tr... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has the ability to collect emails on a target system.(Citation: Github PowerShell Empire) |
| S0526 | KGH_SPY | Malware | [KGH_SPY](https://attack.mitre.org/software/S0526) can harvest data from mail clients.(Citation: Cybereason Kimsuky November 2020) |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfil... |
| S0594 | Out1 | Tool | [Out1](https://attack.mitre.org/software/S0594) can parse e-mails on a target machine.(Citation: Trend Micro Muddy Water March 2021) |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that scrapes email data from Outlook.(Citation: CIS Emotet Dec... |
References
- Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.
- N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.
Frequently Asked Questions
What is T1114.001 (Local Email Collection)?
T1114.001 is a MITRE ATT&CK technique named 'Local Email Collection'. It belongs to the Collection tactic(s). Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Ou...
How can T1114.001 be detected?
Detection of T1114.001 (Local Email Collection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1114.001?
There are 2 documented mitigations for T1114.001. Key mitigations include: Out-of-Band Communications Channel, Encrypt Sensitive Information.
Which threat groups use T1114.001?
Known threat groups using T1114.001 include: WIRTE, RedCurl, Sea Turtle, APT1, Chimera, Magic Hound, MirrorFace, Winter Vivern.