T1114.002 Remote Email Collection Mappings

Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1114.002 | Remote Email Collection | |
| AC-17 | Remote Access | Protects | T1114.002 | Remote Email Collection | |
| AC-19 | Access Control for Mobile Devices | Protects | T1114.002 | Remote Email Collection | |
| AC-20 | Use of External Systems | Protects | T1114.002 | Remote Email Collection | |
| AC-3 | Access Enforcement | Protects | T1114.002 | Remote Email Collection | |
| AC-4 | Information Flow Enforcement | Protects | T1114.002 | Remote Email Collection | |
| CM-2 | Baseline Configuration | Protects | T1114.002 | Remote Email Collection | |
| CM-6 | Configuration Settings | Protects | T1114.002 | Remote Email Collection | |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1114.002 | Remote Email Collection | |
| IA-5 | Authenticator Management | Protects | T1114.002 | Remote Email Collection | |
| SI-12 | Information Management and Retention | Protects | T1114.002 | Remote Email Collection | |
| SI-4 | System Monitoring | Protects | T1114.002 | Remote Email Collection | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1114.002 | Remote Email Collection | |
| azure_sentinel | Azure Sentinel | technique_scores | T1114.002 | Remote Email Collection | See comments below |

Comments

The Azure Sentinel Hunting query "Suspect Mailbox Export on IIS/OWA" can identify a potentially malicious mailbox export being staged for exfiltration via IIS. The Azure Sentinel Hunting query "Host Exporting Mailbox and Removing Export" can identify potential exfiltration of data from Exchange servers. The coverage provided by these two queries is minimal, resulting in an overall Minimal score.