T1114.002: Remote Email Collection
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
microsoft_exchange: PT-CR-494: Exchange_PST_upload_via_Administrator: Attempt to upload PST files via Exchange shell and delete information about it
microsoft_exchange: PT-CR-2501: Exchange_Self_Mail_Search: A user collected many emails from an Exchange mailbox in a short period of time. This could be an attacker's attempt to escalate privileges after obtaining user credentials from the emails or to discover sensitive information for a non-administrator user.
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0015 | Application Log: Application Log Content | In Office 365 environments, consider using Purview Audit to collect MailItemsAccessed events and monitor for unusual email access behavior.
DS0028 | Logon Session: Logon Session Creation | Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (e.g. an Exchange administrator account).
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
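The DS0015 row and the PT-CR-2501 rule both come down to the same check: a single user reading many mail items in a short window. The script below, an added example that is not part of the original page or of any Positive Technologies product, runs that check over constructed MailItemsAccessed records. The field names (CreationTime, UserId, ClientIPAddress, OperationProperties, Folders/FolderItems) follow the Microsoft 365 Unified Audit Log layout for this operation; the sample records, the ten-minute window and the 50-item threshold are assumptions chosen for illustration.

```python
"""Flag bulk mailbox reads in MailItemsAccessed audit records.

Added example, not part of the original page. Record layout follows the
Microsoft 365 Unified Audit Log MailItemsAccessed schema; the records,
window and threshold below are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption for "a short period of time"
ITEM_THRESHOLD = 50              # assumption: items per user per window


def make_record(ts, user, ip, access_type, n_items, throttled=False):
    """Build one constructed AuditData JSON string (sample data, not real logs)."""
    return json.dumps({
        "CreationTime": ts,
        "Operation": "MailItemsAccessed",
        "UserId": user,
        "ClientIPAddress": ip,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access_type},
            {"Name": "IsThrottled", "Value": str(throttled)},
        ],
        "Folders": [{
            "Path": "\\Inbox",
            "FolderItems": [{"InternetMessageId": f"<msg{i}@example.test>"}
                            for i in range(n_items)],
        }],
    })


# Constructed sample: alice reads 95 items in three minutes, bob reads a
# handful spread over hours, carol's record carries the throttling flag.
SAMPLE_RECORDS = [
    make_record("2024-05-01T08:00:10", "alice@example.test", "203.0.113.7", "Sync", 40),
    make_record("2024-05-01T08:01:30", "alice@example.test", "203.0.113.7", "Bind", 35),
    make_record("2024-05-01T08:03:05", "alice@example.test", "203.0.113.7", "Bind", 20),
    make_record("2024-05-01T08:02:00", "bob@example.test", "198.51.100.4", "Bind", 3),
    make_record("2024-05-01T09:30:00", "bob@example.test", "198.51.100.4", "Bind", 4),
    make_record("2024-05-01T11:00:00", "carol@example.test", "192.0.2.9", "Bind", 1, throttled=True),
]


def parse_record(raw):
    """Reduce one AuditData JSON string to the fields the detection needs."""
    rec = json.loads(raw)
    if rec.get("Operation") != "MailItemsAccessed":
        return None
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    items = sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
    return {
        "time": datetime.fromisoformat(rec["CreationTime"]),
        "user": rec["UserId"],
        "ip": rec.get("ClientIPAddress", ""),
        "access_type": props.get("MailAccessType", ""),
        "throttled": props.get("IsThrottled", "False").lower() == "true",
        "items": items,
    }


def detect_bulk_access(raw_records, window=WINDOW, threshold=ITEM_THRESHOLD):
    """Return alerts: one bulk_mail_access per user whose busiest window
    reaches the threshold, plus one mail_access_throttled per throttled event."""
    events, alerts = defaultdict(list), []
    for raw in raw_records:
        ev = parse_record(raw)
        if ev is None:
            continue
        events[ev["user"]].append(ev)
        if ev["throttled"]:
            # Throttled means the service stopped logging further reads for
            # this mailbox, so any item count for the day is a lower bound.
            alerts.append({"user": ev["user"], "rule": "mail_access_throttled",
                           "time": ev["time"].isoformat(), "client_ips": [ev["ip"]]})
    for user, evs in events.items():
        evs.sort(key=lambda e: e["time"])
        best_items, best_start, best_ips = 0, None, set()
        for i, start in enumerate(evs):          # every event opens a window
            total, ips = 0, set()
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                total += ev["items"]
                ips.add(ev["ip"])
            if total > best_items:
                best_items, best_start, best_ips = total, start["time"], ips
        if best_items >= threshold:
            alerts.append({"user": user, "rule": "bulk_mail_access",
                           "items": best_items, "window_start": best_start.isoformat(),
                           "client_ips": sorted(best_ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_RECORDS):
        print(alert)
```

Two design points carry over to real data. First, a throttled record is itself a signal: once the service stops logging reads for a mailbox, the item count you can reconstruct is only a lower bound, so it should be alerted on rather than silently under-counted. Second, the alert carries the set of client IPs seen in the window, which is what lets an analyst join it against the DS0028 logon-location check instead of treating the two rows as independent.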
Mitigation
ID | Name | Description
---|---|---
M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
M1032 | Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.