T1114.002 Remote Email Collection Mappings

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1114.002 | Remote Email Collection |
| AC-17 | Remote Access | Protects | T1114.002 | Remote Email Collection |
| AC-19 | Access Control for Mobile Devices | Protects | T1114.002 | Remote Email Collection |
| AC-20 | Use of External Systems | Protects | T1114.002 | Remote Email Collection |
| AC-3 | Access Enforcement | Protects | T1114.002 | Remote Email Collection |
| AC-4 | Information Flow Enforcement | Protects | T1114.002 | Remote Email Collection |
| CM-2 | Baseline Configuration | Protects | T1114.002 | Remote Email Collection |
| CM-6 | Configuration Settings | Protects | T1114.002 | Remote Email Collection |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1114.002 | Remote Email Collection |
| IA-5 | Authenticator Management | Protects | T1114.002 | Remote Email Collection |
| SI-12 | Information Management and Retention | Protects | T1114.002 | Remote Email Collection |
| SI-4 | System Monitoring | Protects | T1114.002 | Remote Email Collection |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1114.002 | Remote Email Collection |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1114.002 | Email Collection: Remote Email Collection |