EXPLORE

← Back to Explore

T1114.001

Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Fil...

Windows

11

Detections

3

Sources

6

Threat Actors

BY SOURCE

6splunk_escu4elastic1sigma

PROCEDURES (9)

Email Security3 detections

Auto-extracted: 3 detections for email security

Script Block1 detections

Auto-extracted: 1 detections for script block

Powershell1 detections

Auto-extracted: 1 detections for powershell

Script Block1 detections

Auto-extracted: 1 detections for script block

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Api1 detections

Auto-extracted: 1 detections for api

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (6)

APT1 Chimera Magic Hound RedCurl Sea Turtle Winter Vivern

DETECTIONS (11)

Email files written outside of the Outlook directory

Exchange Mailbox Export via PowerShell

Exporting Exchange Mailbox via PowerShell

Mailsniper Invoke functions

O365 Email Password and Payroll Compromise Behavior

O365 Email Receive and Hard Delete Takeover Behavior

O365 Email Send and Hard Delete Exfiltration Behavior

O365 Email Send and Hard Delete Suspicious Behavior

Powershell Local Email Collection

PowerShell Mailbox Collection Script

Suspicious Inter-Process Communication via Outlook