1. Home
  2. ATT&CK Techniques
  3. T1114 Email Collection

T1114 Email Collection Mappings

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1114 Email Collection
IA-05 Authenticator Management mitigates T1114 Email Collection
AC-17 Remote Access mitigates T1114 Email Collection
SC-37 Out-of-band Channels mitigates T1114 Email Collection
AC-19 Access Control for Mobile Devices mitigates T1114 Email Collection
SI-12 Information Management and Retention mitigates T1114 Email Collection
SI-07 Software, Firmware, and Information Integrity mitigates T1114 Email Collection
AC-16 Security and Privacy Attributes mitigates T1114 Email Collection
AC-20 Use of External Systems mitigates T1114 Email Collection
CM-02 Baseline Configuration mitigates T1114 Email Collection
IA-02 Identification and Authentication (Organizational Users) mitigates T1114 Email Collection
SI-04 System Monitoring mitigates T1114 Email Collection
AC-03 Access Enforcement mitigates T1114 Email Collection
AC-04 Information Flow Enforcement mitigates T1114 Email Collection
SC-07 Boundary Protection mitigates T1114 Email Collection

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1114 Email Collection
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1114 Email Collection
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1114 Email Collection
attribute.confidentiality.data_disclosure None related-to T1114 Email Collection
attribute.confidentiality.data_disclosure None related-to T1114 Email Collection

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
advanced_protection_program Advanced Protection Program technique_scores T1114 Email Collection
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.
References
  1. ['https://landing.google.com/advancedprotection/']

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1114.001 Local Email Collection 10
T1114.003 Email Forwarding Rule 14
T1114.002 Remote Email Collection 15