T1114.001 Local Email Collection Mappings

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1114.001 Local Email Collection
AC-17 Remote Access Protects T1114.001 Local Email Collection
AC-19 Access Control for Mobile Devices Protects T1114.001 Local Email Collection
AC-20 Use of External Systems Protects T1114.001 Local Email Collection
AC-4 Information Flow Enforcement Protects T1114.001 Local Email Collection
SI-12 Information Management and Retention Protects T1114.001 Local Email Collection
SI-4 System Monitoring Protects T1114.001 Local Email Collection
SI-7 Software, Firmware, and Information Integrity Protects T1114.001 Local Email Collection
CVE-2020-9819 iOS uncategorized T1114.001 Local Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.001 Email Collection: Local Email Collection