T1114.002: Remote Email Collection
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
microsoft_exchange: PT-CR-494: Exchange_PST_upload_via_Administrator: Attempt to upload PST files via Exchange shell and delete information about it microsoft_exchange: PT-CR-2763: Exchange_ActiveSync_Emails_Access_via_PEAS: Downloading the contents of the mailbox of a user, whose credentials were previously obtained, by using the Microsoft ActiveSync function for synchronization with the Exchange mail server
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Connection Creation | Description | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
---|
ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | In Office365 environments, consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior. |
---|
ID | DS0028 | Data source and component | Logon Session: Logon Session Creation | Description | Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account). |
---|
Mitigation
ID | M1041 | Name | Encrypt Sensitive Information | Description | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
---|
ID | M1032 | Name | Multi-factor Authentication | Description | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
---|