# T1114.002 Remote Email Collection

-----------------------------------------------------------------------

## Technique Description

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.

## Technique Detection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Office 365

  * Windows

  * Google Workspace

### Data Sources:

  * **Network Traffic:** Network Connection Creation

  * **Command:** Command Execution

  * **Logon Session:** Logon Session Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used web shells to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) collected emails from specific individuals, such as executives and IT staff, using <code>New-MailboxExportRequest</code> followed by <code>Get-MailboxExportRequest</code>.(Citation: Volexity SolarWinds)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has harvested data from remote mailboxes including through execution of <code>\\<hostname>\c$\Users\<username>\AppData\Local\Microsoft\Outlook*.ost</code>.(Citation: NCC Group Chimera January 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has accessed and hijacked online email communications using stolen credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)| 
| Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used a tool called MailSniper to search through the Exchange server mailboxes for keywords.(Citation: Symantec Leafminer July 2018)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has accessed email accounts using Outlook Web Access.(Citation: US-CERT TA18-074A)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) collected emails from specific individuals, such as executives and IT staff, using <code>New-MailboxExportRequest</code> followed by <code>Get-MailboxExportRequest</code>.(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1114/002)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 7 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may attempt to collect emails from Microsoft Exchange servers after acquiring user credentials. After successful access to a Microsoft Exchange server we suspect adversaries will attempt to exfiltrate data and possibly load unauthorized software onto the server. Close attention should be paid to accounts logging into the Exchange server, especially privileged accounts (Exchange Admins).

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 |   | 1, 2, 3 |

## Detection Blindspots

- Logon with legitimate credentials can obfuscate malicious activity.
- Encrypted email traffic can hide malicious activity.

## Analytical References

  * [WP-Pawn-Storm 2019 (trendmicro)](https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf)
  * [Justice.gov Indictment](https://www.justice.gov/file/1080281/download)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT28 has previously accessed Microsoft Exchange servers with valid credentials gained from phishing and brute force attacks.
- After successful access to a Microsoft Exchange server we suspect APT28 will attempt to exfiltrate data and possibly load unauthorized software onto the server.
- Analyze Exchange clients that send significantly more data to an external server than they receive from it.
- Close attention should be paid to accounts logging into the Exchange server, especially privileged accounts (Exchange Admins).

#### Analytic 1

  * **Information:** Identify failed logon attempts

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Filter on hosts. Identify whether there was a successful logon (Event ID 4624) after many failed attempts.

  * **Query:** ```Event_ID: 4625```
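The pattern behind this analytic, a successful logon that follows a burst of failed logons for the same account on the same host, can be checked outside Kibana once the events are exported. The script below is an added example written for this playbook, not part of the original page or any vendor tooling. It runs over constructed Winlogbeat-style records with simplified field names (`ts`, `event_id`, `host`, `user`, `src_ip`), all of which are assumptions about the export format, and the thresholds (five failures, ten-minute window) are illustrative.

```python
"""Added example for Host Analytic 1 (not part of the original playbook):
find a successful logon (4624) that follows a burst of failed logons (4625)
for the same account on the same host within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Winlogbeat-style records (sample data, not real logs). Field
# names are simplified assumptions: ts, event_id, host, user, src_ip.
SAMPLE_EVENTS = [
    {"ts": "2022-06-23T10:00:01Z", "event_id": 4625, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    {"ts": "2022-06-23T10:00:02Z", "event_id": 4625, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    {"ts": "2022-06-23T10:00:03Z", "event_id": 4625, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    {"ts": "2022-06-23T10:00:04Z", "event_id": 4625, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    {"ts": "2022-06-23T10:00:05Z", "event_id": 4625, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    {"ts": "2022-06-23T10:01:30Z", "event_id": 4624, "host": "EXCH01", "user": "exadmin", "src_ip": "203.0.113.7"},
    # One mistyped password followed by success: ordinary user behaviour, should not fire.
    {"ts": "2022-06-23T10:05:00Z", "event_id": 4625, "host": "EXCH01", "user": "jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2022-06-23T10:05:10Z", "event_id": 4624, "host": "EXCH01", "user": "jdoe", "src_ip": "10.0.0.5"},
    # Failures with no later success on another host: nothing to report.
    {"ts": "2022-06-23T10:07:00Z", "event_id": 4625, "host": "FS01", "user": "svc_backup", "src_ip": "10.0.0.9"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def success_after_failures(events, min_failures=5, window=timedelta(minutes=10), host=None):
    """Return one hit per 4624 event preceded by at least `min_failures` 4625
    events for the same (host, user) inside `window`. `host` optionally
    restricts the search, mirroring the "filter on hosts" step."""
    if host is not None:
        events = [e for e in events if e["host"] == host]
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    failures = defaultdict(list)  # (host, user) -> [(time, src_ip), ...]
    hits = []
    for e in events:
        key = (e["host"], e["user"])
        t = parse_ts(e["ts"])
        if e["event_id"] == 4625:
            failures[key].append((t, e["src_ip"]))
        elif e["event_id"] == 4624:
            recent = [(ft, ip) for ft, ip in failures[key] if t - ft <= window]
            if len(recent) >= min_failures:
                hits.append({
                    "host": e["host"],
                    "user": e["user"],
                    "success_at": e["ts"],
                    "success_src_ip": e["src_ip"],
                    "failures": len(recent),
                    "failure_src_ips": sorted({ip for _, ip in recent}),
                })
            failures[key] = []  # a success closes the burst
    return hits


if __name__ == "__main__":
    for hit in success_after_failures(SAMPLE_EVENTS, host="EXCH01"):
        print(hit)
```

Keying on (host, user) rather than source IP keeps password spraying from several addresses against one account in view; the `failure_src_ips` field in each hit is what to pivot on next.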


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT28 has previously accessed Microsoft Exchange servers with valid credentials gained from phishing and brute force attacks.
- Analyze Exchange clients that send significantly more data to an external server than they receive from it.
- Pay close attention to email with the following characteristics:
    - Subjects which convey a sense of urgency
    - Subjects which try to scare us or tempt us with something illicit
    - Subject lines which don't match the content of the message
    - Strange wording, poor grammar, misspellings, and odd capitalization
    - Emails which appear to be replies to messages we never sent


#### Analytic 1 (APT 28)

  * **Information:** Identify email traffic seen across the network to assist in locating Exchange servers and email services. Identify login activity from anomalous sources/locations.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** There are a variety of email protocols that may be used across a network (POP3, IMAP, SMTP, etc.). Communicate with the mission partner as to which email protocols they use and begin validating from there to identify email/Exchange servers and services. Filter out identified mission partner network scanners. Export unique source IPs communicating with email servers and services and check for anomalies (large data transfers, compressed files, etc.). It is possible a web-based email service is running over HTTPS on destination port 443. This will generate a lot of network traffic and filtering appropriately will be required.

  * **Query Arkime:** ```(port.dst == [110,143,465,587,993,995] || protocols == smtp) && ip.dst == <exchange server ip>```

  * **Query Arkime:** ```(port.dst == [110,143,465,587,993,995] || protocols == smtp) && ip.dst == <exchange server ip> && email.md5 == EXISTS! && databytes == EXISTS!```

  * **Query Kibana:** ```(dstport:(110 or 143 or 465 or 587 or 993 or 995) OR protocol: smtp) AND dstIp: <exchange server ip>```

#### Analytic 2 (APT 28)

  * **Information:** Identify possible compressed files/attachments leaving a mail server and the databytes transferred. Sort by databytes (largest to smallest in the Arkime dropdown). Identify possible remote email collection by filtering on email ports and protocols; this scopes the network traffic and makes it easier to identify possible anomalies. Reverse the query to set the Exchange server as the source to see who it is communicating with, paying attention to databyte size and destination IPs.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Identify external connections, databytes transferred, and possible association of files leaving the network. Some email services will use HTTPS over port 443, which may make identifying this TTP difficult because normal web traffic also runs over this port; filtering network traffic will be key to identifying malicious activity.

  * **Query Arkime:** ```(protocols == smtp || port.dst == [110,143,443,465,587,993,995]) && ip.dst == <exchange server ip> && email.md5 == EXISTS!```

  * **Query Arkime:** ```(port.dst == [110,143,443,465,587,993,995] || protocols == smtp) && ip.dst == <exchange server ip> && email.md5 == EXISTS! && databytes == EXISTS!```

  * **Query Kibana:** ```email.md5: * AND email.dst: * AND dstDataBytes: *```
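Network Analytics 1 and 2 share one workflow: keep only sessions to the Exchange server on mail ports or carrying SMTP, drop known scanners, total the databytes per source IP largest first, and then reverse the view so the Exchange server is the source. The script below is an added example written for this playbook, not part of the original page or of Arkime. It runs over constructed Arkime-like session records; the field names (`src_ip`, `dst_ip`, `dst_port`, `protocols`, `databytes`), the placeholder Exchange address `10.0.0.25`, the scanner address and the outlier factor are all assumptions.

```python
"""Added example for Network Analytics 1 and 2 (not part of the original
playbook): apply the mail-port/SMTP filter to session records, total
databytes per source, rank largest first, flag outliers, and reverse the
view so the Exchange server is the source."""
import statistics

MAIL_PORTS = {110, 143, 465, 587, 993, 995}
EXCHANGE_IP = "10.0.0.25"          # assumed placeholder for <exchange server ip>
KNOWN_SCANNERS = {"10.0.0.250"}    # assumed mission-partner scanner to filter out

# Constructed Arkime-like session records (sample data, not real captures).
# Field names are simplified assumptions: src_ip, dst_ip, dst_port, protocols, databytes.
SAMPLE_SESSIONS = [
    {"src_ip": "10.0.0.11", "dst_ip": EXCHANGE_IP, "dst_port": 993, "protocols": ["tcp", "tls"], "databytes": 12_000},
    {"src_ip": "10.0.0.12", "dst_ip": EXCHANGE_IP, "dst_port": 993, "protocols": ["tcp", "tls"], "databytes": 15_000},
    {"src_ip": "10.0.0.13", "dst_ip": EXCHANGE_IP, "dst_port": 25, "protocols": ["tcp", "smtp"], "databytes": 8_000},
    {"src_ip": "10.0.0.14", "dst_ip": EXCHANGE_IP, "dst_port": 993, "protocols": ["tcp", "tls"], "databytes": 9_000},
    {"src_ip": "10.0.0.250", "dst_ip": EXCHANGE_IP, "dst_port": 993, "protocols": ["tcp"], "databytes": 300},
    # Web mail over HTTPS from outside, moving far more data than any mail client.
    {"src_ip": "198.51.100.9", "dst_ip": EXCHANGE_IP, "dst_port": 443, "protocols": ["tcp", "tls"], "databytes": 95_000_000},
    # Not mail traffic, and a session to a different destination: both filtered out.
    {"src_ip": "10.0.0.200", "dst_ip": EXCHANGE_IP, "dst_port": 80, "protocols": ["tcp", "http"], "databytes": 500},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.13", "dst_port": 993, "protocols": ["tcp", "tls"], "databytes": 7_000},
    # Reversed view: the Exchange server as the source.
    {"src_ip": EXCHANGE_IP, "dst_ip": "192.0.2.44", "dst_port": 25, "protocols": ["tcp", "smtp"], "databytes": 60_000_000},
    {"src_ip": EXCHANGE_IP, "dst_ip": "10.0.0.11", "dst_port": 993, "protocols": ["tcp", "tls"], "databytes": 20_000},
]


def is_mail_session(session, include_https=False):
    """Mirror the query's port list / SMTP test; 443 only when asked for."""
    ports = MAIL_PORTS | ({443} if include_https else set())
    return "smtp" in session["protocols"] or session["dst_port"] in ports


def sessions_to_server(sessions, server_ip, include_https=False, exclude_ips=frozenset()):
    """Analytic 1 filter: mail sessions whose destination is the server,
    with known scanners removed."""
    return [s for s in sessions
            if s["dst_ip"] == server_ip
            and s["src_ip"] not in exclude_ips
            and is_mail_session(s, include_https)]


def bytes_by_source(sessions):
    """Total databytes per unique source IP, largest first (Arkime dropdown order)."""
    totals = {}
    for s in sessions:
        totals[s["src_ip"]] = totals.get(s["src_ip"], 0) + s["databytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def flag_outliers(totals, factor=5.0):
    """Sources whose total exceeds `factor` times the median of all sources."""
    if len(totals) < 3:
        return []
    median = statistics.median(totals.values())
    return [ip for ip, total in totals.items() if total > factor * median]


def sessions_from_server(sessions, server_ip):
    """Analytic 2 reversed view: server as source, largest transfers first."""
    out = [s for s in sessions if s["src_ip"] == server_ip]
    return sorted(out, key=lambda s: s["databytes"], reverse=True)


if __name__ == "__main__":
    inbound = sessions_to_server(SAMPLE_SESSIONS, EXCHANGE_IP, include_https=True, exclude_ips=KNOWN_SCANNERS)
    totals = bytes_by_source(inbound)
    print("bytes by source:", totals)
    print("outliers:", flag_outliers(totals))
    for s in sessions_from_server(SAMPLE_SESSIONS, EXCHANGE_IP):
        print("outbound", s["dst_ip"], s["dst_port"], s["databytes"])
```

The median-based outlier test is deliberately simple; with real exports the useful baseline is per-source volume over several days, and port 443 should be switched on only after the web-mail hosts have been confirmed with the mission partner, as the note above says.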

#### Analytic 3 (APT 28)

  * **Information:** Identify hosts that may be collecting emails or receiving emails with large attachments, with possible connections to external resources.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Forwarded email may not be indicative of malicious activity, but where the emails are forwarded to and the databytes being sent should be investigated. Attention should be paid to email subjects and email destinations. High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than the user level. Adjust the key words "forward" and "forwarded" to eliminate unwanted traffic.

  * **Query Arkime:** ```protocols == smtp && email.has-header.value == [*forward, *forwarded] && email.md5 == EXISTS!```
  
  * **Query Kibana:** ```protocol: smtp AND email.headerValue : (*forward OR *forwarded) AND email.md5: *```
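The comparison the note describes, messages carrying the X-MS-Exchange-Organization-AutoForwarded header versus messages that look like user-initiated forwards, is easy to compute once the captured messages are exported. The script below is an added example written for this playbook, not part of the original page or of Arkime; it uses Python's standard `email` parser on constructed raw messages. The internal domain `example.org`, the addresses, and the rule that "FW:" / "Fwd:" subjects mark a user-initiated forward are assumptions.

```python
"""Added example for Network Analytic 3 (not part of the original playbook):
compare messages carrying the X-MS-Exchange-Organization-AutoForwarded header
against messages whose subject looks like a user-initiated forward, and
summarise which external addresses auto-forwarded mail is going to."""
import email
import re
from collections import Counter
from email import policy

AUTOFWD_HEADER = "X-MS-Exchange-Organization-AutoForwarded"
INTERNAL_DOMAIN = "example.org"                       # assumed mission-partner domain
FORWARD_SUBJECT = re.compile(r"^\s*(fw|fwd)\s*:", re.IGNORECASE)  # assumed forward marker

# Constructed raw messages (sample data, not real captures).
SAMPLE_MESSAGES = [
    # Three server-side auto-forwards of one user's mail to an external mailbox.
    "From: alice@example.org\r\nTo: alice.home@mail.example.net\r\nSubject: Q3 board deck\r\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\r\n\r\nbody\r\n",
    "From: alice@example.org\r\nTo: alice.home@mail.example.net\r\nSubject: Budget approval\r\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\r\n\r\nbody\r\n",
    "From: alice@example.org\r\nTo: alice.home@mail.example.net\r\nSubject: Travel itinerary\r\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\r\n\r\nbody\r\n",
    # Two ordinary user-initiated forwards.
    "From: bob@example.org\r\nTo: carol@example.org\r\nSubject: FW: lunch\r\n\r\nbody\r\n",
    "From: bob@example.org\r\nTo: dave@partner.example.com\r\nSubject: Fwd: contract\r\n\r\nbody\r\n",
    # Plain message.
    "From: erin@example.org\r\nTo: frank@example.org\r\nSubject: status\r\n\r\nbody\r\n",
]


def parse_message(raw):
    """Parse one raw RFC 5322 message with the modern header policy."""
    return email.message_from_string(raw, policy=policy.default)


def forward_summary(raw_messages, internal_domain=INTERNAL_DOMAIN):
    """Count auto-forwarded messages, forward-looking subjects, and the
    external recipients of auto-forwarded mail."""
    summary = {"auto_forwarded": 0, "forward_subject": 0, "external_auto_forward_dst": Counter()}
    for raw in raw_messages:
        msg = parse_message(raw)
        auto = str(msg.get(AUTOFWD_HEADER, "")).strip().lower() == "true"
        subject = str(msg.get("Subject", ""))
        if auto:
            summary["auto_forwarded"] += 1
            to_header = msg["To"]
            for addr in (to_header.addresses if to_header else ()):
                if addr.domain.lower() != internal_domain:
                    summary["external_auto_forward_dst"][addr.addr_spec.lower()] += 1
        if FORWARD_SUBJECT.match(subject):
            summary["forward_subject"] += 1
    return summary


def needs_admin_review(summary):
    """The note's condition: more auto-forwarded mail than mail that looks
    forwarded points at a mailbox rule or transport rule, i.e. admin-level review."""
    return summary["auto_forwarded"] > summary["forward_subject"]


if __name__ == "__main__":
    result = forward_summary(SAMPLE_MESSAGES)
    print(result)
    print("admin-level review:", needs_admin_review(result))
```

Grouping the external destinations per recipient is what turns the raw count into something actionable: one external mailbox receiving a user's entire inbox is the pattern to take to the Exchange administrators.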
