T1114 Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.02 Privileged system access Mitigates T1114 Email Collection
Comments
This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication.
PR.AA-03.03 Email verification mechanisms Mitigates T1114 Email Collection
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as MFA is recommended to minimize the risk of adversaries collecting usernames and passwords.
PR.PS-01.06 Encryption management practices Mitigates T1114 Email Collection
Comments
This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access to or theft of data. To address the threat of email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
PR.PS-01.07 Cryptographic keys and certificates Mitigates T1114 Email Collection
Comments
This diagnostic statement protects against Email Collection through the use of key revocation and key management. Employing key protection strategies, such as ensuring proper encryption methods and key management for keys used in email, policies for sending cryptographic material over email, limitations to specific accounts, and access control mechanisms, provides protection against adversaries attempting to glean credentials from emails.
ID.AM-08.03 Data governance and lifecycle management Mitigates T1114 Email Collection
Comments
This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
PR.AA-03.01 Authentication requirements Mitigates T1114 Email Collection
Comments
This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials.
ID.AM-08.05 Data destruction procedures Mitigates T1114 Email Collection
Comments
This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
PR.AA-01.01 Identity and credential management Mitigates T1114 Email Collection
Comments
This diagnostic statement protects against Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.05 Encryption standards Mitigates T1114 Email Collection
Comments
This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, to mitigate unauthorized access to or theft of data. To address the threat of email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1114 Email Collection
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1114 Email Collection
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1114 Email Collection
attribute.confidentiality.data_disclosure None related-to T1114 Email Collection

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
advanced_protection_program Advanced Protection Program technique_scores T1114 Email Collection
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1114.001 Local Email Collection 16
T1114.003 Email Forwarding Rule 18
T1114.002 Remote Email Collection 23