T1114.002 Remote Email Collection

Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

View in MITRE ATT&CK®

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_sentinel Azure Sentinel technique_scores T1114.002 Remote Email Collection
Comments
The Azure Sentinel Hunting "Suspect Mailbox Export on IIS/OWA" query can identify potential malicious exfiltration hosting via IIS. The Azure Sentinel Hunting "Host Exporting Mailbox and Removing Export" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.
References