EXPLORE
Sign In
← Back to Explore
T1114

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail serve...

WindowsmacOSLinuxOffice Suite
18
Detections
4
Sources
4
Threat Actors

BY SOURCE

11elastic4sigma2splunk_escu1kql

PROCEDURES (17)

Powershell2 detections

Auto-extracted: 2 detections for powershell

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Token1 detections

Auto-extracted: 1 detections for token

Email1 detections

Auto-extracted: 1 detections for email

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Script Block1 detections

Auto-extracted: 1 detections for script block

Powershell1 detections

Auto-extracted: 1 detections for powershell

Attachment1 detections

Auto-extracted: 1 detections for attachment

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Token1 detections

Auto-extracted: 1 detections for token

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Powershell1 detections

Auto-extracted: 1 detections for powershell

Script Block1 detections

Auto-extracted: 1 detections for script block

Api1 detections

Auto-extracted: 1 detections for api

Script Block1 detections

Auto-extracted: 1 detections for script block

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (4)

Ember BearMagic HoundScattered SpiderSilent Librarian

DETECTIONS (18)

Big Yellow Taxi - SignIn Based
kql
Exchange Mailbox Export via PowerShell
elasticmedium
Exchange PowerShell Snap-Ins Usage
sigmahigh
Exporting Exchange Mailbox via PowerShell
elasticmedium
Google Workspace Custom Gmail Route Created or Modified
elasticmedium
Hacktool Ruler
sigmahigh
M365 Exchange Inbox Forwarding Rule Created
elasticmedium
M365 Exchange Mail Flow Transport Rule Created
elasticmedium
M365 Exchange Mailbox Accessed by Unusual Client
elasticmedium
M365 Exchange Mailbox Items Accessed Excessively
elasticmedium
Microsoft Graph Request Email Access by Unusual User and Client
elasticmedium
New ActiveSyncAllowedDeviceID Added via PowerShell
elasticmedium
O365 New Forwarding Mailflow Rule Created
splunk_escu
O365 PST export alert
splunk_escu
PowerShell Mailbox Collection Script
elasticmedium
PST Export Alert Using eDiscovery Alert
sigmamedium
PST Export Alert Using New-ComplianceSearchAction
sigmamedium
Suspicious Inter-Process Communication via Outlook
elasticmedium