Collection

T1114.002: Remote Email Collection

T1114.002 · Sub-technique · 2 platforms · 13 groups

Description

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

Platforms

Office Suite, Windows

Mitigations (3)

M1060: Out-of-Band Communications Channel

Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests.

For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email. This reduces the risk of sensitive data being collected through compromised email accounts.

Set up ou

M1041: Encrypt Sensitive Information

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

M1032: Multi-factor Authentication

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Threat Groups (13)

| ID | Group | Context |
| --- | --- | --- |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.(Cit... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Cit... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered victim email-content from victim servers.(Citation: DOJ FBI Handala Hack March 20... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has remotely accessed victims' email accounts to steal messages and attachments.(Citation: CISA... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers ... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Excha... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used web shells and MSGraph to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citat... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has exported emails from compromised Exchange servers including through use of the cmdlet `New-Ma... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has harvested data from remote mailboxes including through execution of <code>\\<hostname>\c$\Users\<... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has accessed email accounts using Outlook Web Access.(Citation: US-CERT TA18-074A) |
| G0085 | FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has accessed and hijacked online email communications using stolen credentials.(Citation: FireEye Hackin... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used a tool called MailSniper to search through the Exchange server mailboxes for keywords.(Citatio... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from onli... |

Associated Software (4)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0413 | MailSniper | Tool | [MailSniper](https://attack.mitre.org/software/S0413) can be used for searching through email in Exchange and Office 365 environments.(Citation: GitHu... |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeu... |
| S0053 | SeaDuke | Malware | Some [SeaDuke](https://attack.mitre.org/software/S0053) samples have a module to extract email from Microsoft Exchange servers using compromised crede... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can collect sensitive mailing information from Exchange servers, including credentials and the domain... |

Frequently Asked Questions

What is T1114.002 (Remote Email Collection)?

T1114.002 is a MITRE ATT&CK sub-technique named 'Remote Email Collection'. It belongs to the Collection tactic. Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange serve...

How can T1114.002 be detected?

Detection of T1114.002 (Remote Email Collection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1114.002?

There are 3 documented mitigations for T1114.002. Key mitigations include: Out-of-Band Communications Channel, Encrypt Sensitive Information, Multi-factor Authentication.

Which threat groups use T1114.002?

Known threat groups using T1114.002 include: Ke3chang, APT28, VOID MANTICORE, Star Blizzard, APT1, APT29, HAFNIUM, Magic Hound.