MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1114.001: Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB. IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

— Monitoring of process-start events where the command line contains the 'copy' command for .pst or .ost files commonly located at C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.
— Monitoring of PowerShell cmdlet execution events where the command line contains 'Microsoft.Office.Interop.Outlook', 'olFolderInBox', 'Select-Object -Property'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0022
Data source and component: File: File Access
Description: Monitor for unusual processes accessing local email files that may target user email on local systems to collect sensitive information.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Mitigation

ID: M1041
Name: Encrypt Sensitive Information
Description: Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.