Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1114 | Email Collection | |
| attribute.confidentiality.data_disclosure | None | related-to | T1114 | Email Collection |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1114 | Email Collection |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1114.001 | Local Email Collection | 2 |
| T1114.003 | Email Forwarding Rule | 3 |
| T1114.002 | Remote Email Collection | 2 |