1. Home
  2. ATT&CK Techniques
  3. T1114 Email Collection

T1114 Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1114 Email Collection
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1114 Email Collection
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1114 Email Collection
attribute.confidentiality.data_disclosure Confirmed or potential data disclosure related-to T1114 Email Collection

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1114.001 Local Email Collection 1
T1114.003 Email Forwarding Rule 2
T1114.002 Remote Email Collection 1