Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1114 | Email Collection | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Email Collection (T1114). This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.
Email Collection (T1114) involves adversaries targeting email clients or servers to gather sensitive information from email communications. This could include using malicious scripts, tools, or exploiting email protocols to harvest large amounts of email data, often for espionage or data theft. Intel TDT plays a critical role by providing real-time telemetry on program execution, memory access, and control flow, enabling the detection of abnormal behaviors associated with email client manipulation or unauthorized email access.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activities related to email collection without impacting system performance. CAMS identifies suspicious behaviors such as unauthorized access to email accounts, unusual data retrieval patterns, or attempts to extract sensitive email content, providing proactive defense against email-based data exfiltration techniques.
References
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | primary_impact | T1114 | Email Collection | |
Comments
CVE-2020-0688 is a remote code execution vulnerability that exists in Microsoft Exchange Server. CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection on targeted networks. Threat actors have also used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs), specifically CVE-2020-0688 and CVE-2020-17144, to escalate privileges and gain remote code execution (RCE) on the exposed applications.
References
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1114.002 | Remote Email Collection | 1 |