Collection

T1114: Email Collection

T1114 · Technique · 4 platforms · 4 groups

Description

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

Platforms

Windows, macOS, Linux, Office Suite

Sub-Techniques (3)

Mitigations (4)

Multi-factor AuthenticationM1032

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Out-of-Band Communications ChannelM1060

Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests. For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email to prevent adversaries from collecting data through compromised email accounts.(Citation: TrustedSec OOB Communications)

Encrypt Sensitive InformationM1041

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

AuditM1047

Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.

In an Exchange environment, administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)
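The following script is an added example of the Get-InboxRule audit described above; it is not from MITRE ATT&CK or from the cited Microsoft article. It assumes an already-connected Exchange Management Shell or Exchange Online PowerShell session, and the `$InternalDomains` list is a placeholder you replace with the domains your organisation owns. It goes slightly beyond the page by also flagging mailbox-level forwarding (the `ForwardingSmtpAddress` property on Get-Mailbox), since an adversary can forward mail without creating an inbox rule at all.

```powershell
# Added example (not MITRE's or Microsoft's code): audit every mailbox for inbox rules that
# forward, redirect or silently delete mail, plus mailbox-level SMTP forwarding.
# Assumes an Exchange Management Shell / Exchange Online PowerShell session is connected.

# Placeholder: domains owned by the organisation. Anything forwarded elsewhere is external.
$InternalDomains = @('example.com', 'corp.example.com')

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients stringify as "Display Name [SMTP:user@domain]" or as a bare address.
    if ($Recipient -match '([\w.+-]+@(?:[\w-]+\.)+[\w-]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($InternalDomains -contains $domain)
    }
    return $false   # no SMTP address could be parsed; treat as internal (review manually)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set with Set-Mailbox -ForwardingSmtpAddress
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{
            Mailbox         = $mbx.UserPrincipalName
            Finding         = 'Mailbox-level SMTP forwarding'
            RuleName        = ''
            Enabled         = $true
            ExternalTargets = $mbx.ForwardingSmtpAddress
            DeletesMessage  = $false
            Identity        = $mbx.Identity
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalRecipient "$_" })

        # Flag rules that send mail outside the organisation or delete it (hiding IR traffic)
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox         = $mbx.UserPrincipalName
                Finding         = 'Inbox rule'
                RuleName        = $rule.Name
                Enabled         = $rule.Enabled
                ExternalTargets = ($external -join '; ')
                DeletesMessage  = $rule.DeleteMessage
                Identity        = $rule.Identity
            }
        }
    }
}

$findings | Sort-Object Mailbox, Finding | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation

# After investigation, a confirmed malicious rule is removed with its Identity value:
# Remove-InboxRule -Mailbox <user@domain> -Identity <rule identity>
```

Run it on a schedule and diff the CSV against the previous run; a newly appearing rule that forwards externally or deletes messages is the signal worth triaging, while long-standing rules to known partner domains can be baselined.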

Threat Groups (4)

| ID | Group | Context |
|---|---|---|
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) attempts to collect mail from accessed systems and servers.(Citation: Cadet Blizzard emerges as no...) |
| G0122 | Silent Librarian | [Silent Librarian](https://attack.mitre.org/groups/G0122) has exfiltrated entire mailboxes from compromised accounts.(Citation: DOJ Iran Indictments M...) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has compromised email credentials in order to steal sensitive data.(Citation: Certfa Charming Kit...) |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) searched the victim’s Microsoft Exchange for emails about the intrusion and incident respons... |

Associated Software (2)

| ID | Name | Type | Context |
|---|---|---|---|
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Em...) |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has exfiltrated collected email addresses to the C2 server.(Citation: Zscaler Kimsuky TRANSLATE...) |

Frequently Asked Questions

What is T1114 (Email Collection)?

T1114 is a MITRE ATT&CK technique named 'Email Collection'. It belongs to the Collection tactic. Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.

How can T1114 be detected?

Detection of T1114 (Email Collection) typically involves monitoring system logs, network traffic, and endpoint telemetry, and, per the Audit mitigation above, regularly reviewing mailbox auto-forwarding rules. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1114?

There are 4 documented mitigations for T1114. Key mitigations include: Multi-factor Authentication, Out-of-Band Communications Channel, Encrypt Sensitive Information, Audit.

Which threat groups use T1114?

Known threat groups using T1114 include: Ember Bear, Silent Librarian, Magic Hound, Scattered Spider.