T1114 Email Collection Mappings

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Email Collection (T1114). This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact. Email Collection (T1114) involves adversaries targeting email clients or servers to gather sensitive information from email communications. This could include using malicious scripts, tools, or exploiting email protocols to harvest large amounts of email data, often for espionage or data theft. Intel TDT plays a critical role by providing real-time telemetry on program execution, memory access, and control flow, enabling the detection of abnormal behaviors associated with email client manipulation or unauthorized email access. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activities related to email collection without impacting system performance. CAMS identifies suspicious behaviors such as unauthorized access to email accounts, unusual data retrieval patterns, or attempts to extract sensitive email content, providing proactive defense against email-based data exfiltration techniques

CVE-2020-0688 is a remote code execution vulnerability exists in Microsoft Exchange Server. CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. Also, Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)—CVE-2020-0688 and CVE-2020-17144—to escalate privileges and gain remote code execution (RCE) on the exposed applications.