EXPLORE
Sign In
← Back to Explore
T1114.002

Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches fo...

WindowsOffice Suite
18
Detections
2
Sources
12
Threat Actors

BY SOURCE

11splunk_escu7elastic

PROCEDURES (15)

Phish2 detections

Auto-extracted: 2 detections for phish

Powershell2 detections

Auto-extracted: 2 detections for powershell

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Token1 detections

Auto-extracted: 1 detections for token

Office1 detections

Auto-extracted: 1 detections for office

Office1 detections

Auto-extracted: 1 detections for office

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Oauth1 detections

Auto-extracted: 1 detections for oauth

Script Block1 detections

Auto-extracted: 1 detections for script block

Script Block1 detections

Auto-extracted: 1 detections for script block

Token1 detections

Auto-extracted: 1 detections for token

THREAT ACTORS (12)

APT1APT28APT29ChimeraDragonflyFIN4HAFNIUMKe3changKimsukyLeafminerMagic HoundStar Blizzard

DETECTIONS (18)

Email servers sending high volume traffic to hosts
splunk_escu
Exchange Mailbox Export via PowerShell
elasticmedium
Exporting Exchange Mailbox via PowerShell
elasticmedium
Hosts receiving high volume of network traffic from email server
splunk_escu
M365 Exchange Mailbox Accessed by Unusual Client
elasticmedium
M365 Exchange Mailbox Items Accessed Excessively
elasticmedium
Microsoft Graph Request Email Access by Unusual User and Client
elasticmedium
New ActiveSyncAllowedDeviceID Added via PowerShell
elasticmedium
O365 Compliance Content Search Exported
splunk_escu
O365 Compliance Content Search Started
splunk_escu
O365 Email Access By Security Administrator
splunk_escu
O365 Email Suspicious Search Behavior
splunk_escu
O365 Mailbox Inbox Folder Shared with All Users
splunk_escu
O365 Mailbox Read Access Granted to Application
splunk_escu
O365 Multiple Mailboxes Accessed via API
splunk_escu
O365 OAuth App Mailbox Access via EWS
splunk_escu
O365 OAuth App Mailbox Access via Graph API
splunk_escu
PowerShell Mailbox Collection Script
elasticmedium