# T1114 Email Collection

-----------------------------------------------------------------------

## Technique Description

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. 

## Technique Detection

There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.

File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.

Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.

Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts are platform-specific. Examples include <code>X-MS-Exchange-Organization-AutoForwarded</code> set to true, <code>X-MailFwdBy</code> and <code>X-Forwarded-To</code>. The <code>forwardingSMTPAddress</code> parameter is used in a forwarding process that is managed by administrators rather than by user actions: all messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the <code>X-MS-Exchange-Organization-AutoForwarded</code> header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message (an FW:/Fwd: subject and quoted original) may indicate that further investigation is needed at the administrator level rather than the user level.

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Windows

  * Office 365

  * Google Workspace

  * macOS

  * Linux

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Command:** Command Execution

  * **Application Log:** Application Log Content

  * **Network Traffic:** Network Connection Creation

  * **Logon Session:** Logon Session Creation

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Silent Librarian | [Silent Librarian](https://attack.mitre.org/groups/G0122) has exfiltrated entire mailboxes from compromised accounts.(Citation: DOJ Iran Indictments March 2018)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has compromised email credentials in order to steal sensitive data.(Citation: Certfa Charming Kitten January 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1114)

  * [Microsoft Tim Mcmichael Exchange Mail Forwarding 2](https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/), McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres
  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- An adversary may attempt to collect emails from Microsoft Exchange servers after acquiring user credentials through a successful spearphishing attempt. After gaining access to an Exchange server, we suspect the adversary will attempt to exfiltrate data and possibly load unauthorized software onto the server. Close attention should be paid to accounts logging into the Exchange server, especially privileged accounts (Exchange admins).

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
|  |  | |

#### APT28
- APT28 has collected emails from victim Microsoft Exchange servers.

#### APT29
- CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.
- Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.

#### Turla
- Empire (used by Turla) has the ability to collect emails on a target system.
- LightNeuron collects Exchange emails matching rules specified in its configuration.

## Detection Blindspots

- Encrypted connections to and from the Exchange server or web-based email service (HTTPS for OWA, EWS and ActiveSync; TLS on SMTP, IMAP and POP3) hide headers, subjects and attachments from network sensors, which makes this TTP difficult to detect on the wire. Server-side mailbox audit and message-tracking logs do not have this limitation and should be collected where available.

## Analytical References

  * [Atomic Red Team (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md)
  * [Empire Project (github)](https://github.com/EmpireProject/Empire)
  * [ESET LightNeuron (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf)
  * [Symantec Enterprise (broadcom)](https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
- Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.

#### Analytic 1

  * **Information:** Creation of, or access to, local email data files (.pst/.ost exports, .msg/.eml drops, copies of the Exchange .edb database).

  * **Source:** Sysmon, Windows Security log

  * **Tool:** Kibana

  * **Notes:** Sysmon event ID 10 is ProcessAccess (one process opening a handle to another) and its `TargetImage` is a process path, so a query on event 10 never matches a mailbox file. Sysmon does not record file reads at all: event ID 11 (FileCreate) catches new or copied email files, such as an Outlook export written by PowerShell, while reads of an existing .pst/.ost require Windows Security event 4663 with Object Access auditing enabled and a SACL on the Outlook data directories. Outlook itself creates and touches these files constantly, so filter on the `Image` (process) field and baseline the normal writers.

  * **Query (file creates, Sysmon 11):** ```event.code : 11 and winlog.event_data.TargetFilename : (*.edb or *.eml or *.emlx or *.ics or *.mbox or *.msg or *.oft or *.ost or *.pst or *.tnef or *.vcf)```

  * **Query (file reads, Security 4663):** ```event.code : 4663 and winlog.event_data.ObjectName : (*.pst or *.ost or *.edb)```

#### Analytic 2

  * **Information:** With PowerShell being a highly utilized attack vector, look for script blocks that touch the mailbox: the Empire `Get-Inbox` module, Outlook automation through the `Outlook.Application` COM object, or the Exchange management cmdlets `New-MailboxExportRequest` and `Search-Mailbox`.

  * **Source:** Winlogbeat (PowerShell script block logging, event ID 4104)

  * **Tool:** Kibana

  * **Notes:** Event ID 4104 on its own has a high false positive rate. Script block logging must be enabled on the endpoint for 4104 to exist at all, and the terms below should be tuned to the mission partner's administrative practice, since Exchange admins run the export and search cmdlets legitimately.

  * **Query:** ```event.code : 4104 and powershell.file.script_block_text : (*Get-Inbox* or *Outlook.Application* or *New-MailboxExportRequest* or *Search-Mailbox*)```
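To show how the two host analytics above fit together once the events reach a SIEM, here is an added example (not part of the original playbook) that runs the same logic over a handful of constructed Winlogbeat-style JSON events: a Sysmon 11 FileCreate of a .pst, a Sysmon 10 ProcessAccess against Outlook (included to show that it is not a file event and does not match), a 4104 script block that drives Outlook COM and calls Get-Inbox, and two benign events. The watch list of script terms and the field names under `winlog.event_data` are assumptions about how Winlogbeat lays out the events; the sample log lines are constructed, not real captures.

```python
import json
from pathlib import PureWindowsPath

# Extensions from host Analytic 1; .edb is the Exchange database itself.
EMAIL_DATA_EXTS = {".edb", ".eml", ".emlx", ".ics", ".mbox", ".msg",
                   ".oft", ".ost", ".pst", ".tnef", ".vcf"}

# Watch list for 4104 script blocks: the Empire Get-Inbox module named on the
# page, Outlook COM automation, and the Exchange export/search cmdlets.
# Assumed starting list; tune it against the mission partner's admin practice.
SCRIPT_TERMS = ("get-inbox", "outlook.application",
                "new-mailboxexportrequest", "search-mailbox")


def is_email_data_file(path: str) -> bool:
    """True if the path ends in one of the email data-file extensions."""
    return PureWindowsPath(path).suffix.lower() in EMAIL_DATA_EXTS


def triage_event(ev: dict):
    """Return (rule, detail) when one Winlogbeat event matches, else None."""
    code = str(ev.get("event", {}).get("code", ""))
    winlog = ev.get("winlog", {})
    provider = winlog.get("provider_name", "")
    data = winlog.get("event_data", {})

    # Sysmon 11 = FileCreate. Sysmon 10 is ProcessAccess and carries a
    # TargetImage (a process), never a file, so it is deliberately not matched.
    if provider == "Microsoft-Windows-Sysmon" and code == "11":
        target = data.get("TargetFilename", "")
        if is_email_data_file(target):
            return ("sysmon11_email_file_create",
                    f"{data.get('Image', '?')} wrote {target}")

    # 4104 = PowerShell script block logging (must be enabled on the host).
    if provider == "Microsoft-Windows-PowerShell" and code == "4104":
        text = data.get("ScriptBlockText", "").lower()
        hits = [t for t in SCRIPT_TERMS if t in text]
        if hits:
            return ("ps4104_mail_collection", ", ".join(hits))
    return None


def triage(lines):
    """Run triage_event over newline-delimited JSON; return (host, rule, detail) tuples."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        hit = triage_event(ev)
        if hit:
            findings.append((ev.get("host", {}).get("name", "?"), *hit))
    return findings


# Constructed sample events in Winlogbeat's JSON shape (not real logs).
SAMPLE_LOG = [
    json.dumps({"host": {"name": "WS01"}, "event": {"code": "11"},
                "winlog": {"provider_name": "Microsoft-Windows-Sysmon",
                           "event_data": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                          "TargetFilename": r"C:\Users\jsmith\Documents\Outlook Files\export.pst"}}}),
    json.dumps({"host": {"name": "WS01"}, "event": {"code": "10"},
                "winlog": {"provider_name": "Microsoft-Windows-Sysmon",
                           "event_data": {"SourceImage": r"C:\Tools\rat.exe",
                                          "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"}}}),
    json.dumps({"host": {"name": "WS01"}, "event": {"code": "4104"},
                "winlog": {"provider_name": "Microsoft-Windows-PowerShell",
                           "event_data": {"ScriptBlockText": "$o = New-Object -ComObject Outlook.Application; Get-Inbox -MaxEmails 500"}}}),
    json.dumps({"host": {"name": "WS02"}, "event": {"code": "4104"},
                "winlog": {"provider_name": "Microsoft-Windows-PowerShell",
                           "event_data": {"ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Remove-Item"}}}),
    json.dumps({"host": {"name": "WS02"}, "event": {"code": "11"},
                "winlog": {"provider_name": "Microsoft-Windows-Sysmon",
                           "event_data": {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                                          "TargetFilename": r"C:\Users\jsmith\Documents\report.docx"}}}),
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_LOG):
        print(f"{host}\t{rule}\t{detail}")
```

Only the .pst export and the Outlook/Get-Inbox script block are reported; the Sysmon 10 event is ignored because it describes a process handle, which is exactly why the original event-10 query could never fire on a mailbox file.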



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT28 has previously accessed Microsoft Exchange servers with valid credentials gained from phishing and brute force attacks.
- Look for Exchange clients that send significantly more data to an external server than they receive from it.
- It may be possible to see emails being forwarded to other addresses. This is not by itself indicative of malicious activity, but it should be reviewed.
- Validation with host logs will be needed to identify commands run on or against an Exchange server that the adversary may be using to forward, compress, and collect emails.
- Pay close attention to email subject lines, since the adversary may try to disguise the email to look less suspicious; this is only visible when the communications are not encrypted.


#### Analytic 1

  * **Information:** Identify email traffic seen across the network to assist in locating exchange servers and email services.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** There are a variety of email protocols that may be used across a network (SMTP on 25/465/587, POP3 on 110/995, IMAP on 143/993). Communicate with the mission partner as to which email protocols they use and begin validating from there to identify email/Exchange servers and services. Hosts that speak these protocols to external addresses deserve a second look, since internal clients normally talk only to the organisation's own mail servers.

  * **Query Arkime:** ```protocols == smtp || port.dst == [25,110,143,465,587,993,995]```

#### Analytic 2

  * **Information:** Identify hosts that may be collecting emails, or mail with large attachments, with possible connections to external resources.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Forwarded email may not be indicative of malicious activity, but where the email is forwarded to and the data bytes sent should be investigated, along with subjects and destinations. Arkime's `email.has-header` field holds the names of the headers seen in a message, so matching the auto-forward header by name is the reliable test; `email.md5 == EXISTS!` restricts the result to messages carrying an attachment. High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that look like a forwarded message (FW:/Fwd: subject) may indicate that further investigation is needed at the administrator level rather than the user level. None of this is visible when SMTP is wrapped in TLS (465, or STARTTLS on 587); fall back to the mail server's message-tracking or mailbox audit logs in that case.

  * **Query Arkime:** ```protocols == smtp && email.has-header == x-ms-exchange-organization-autoforwarded && email.md5 == EXISTS!```
  * **Query Arkime:** ```protocols == smtp && (email.subject == "FW:*" || email.subject == "Fwd:*") && email.md5 == EXISTS!```
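The header heuristic described in the Technique Detection section and in Network Analytic 2 above (auto-forward header present, but no forwarded presentation, pointing at a mailbox-level `forwardingSMTPAddress` rather than a user rule) can be applied directly to captured or exported messages. The following is an added example, not code from the original playbook or from MITRE: it parses raw RFC 822 messages with Python's standard `email` package, records which auto-forward artifacts each one carries, groups the auto-forwarded mail by destination and decides whether to start at the admin or the user level. The sample messages are constructed, and the thresholds (`min_hits`, `presented_ratio`) and the FW:/Fwd: subject test as the definition of "looks forwarded" are assumptions to tune per environment.

```python
from collections import defaultdict
from email import message_from_string
from email.policy import default

# Header artifacts named in the technique description. Exchange sets the first
# to "true"; the other two are matched on presence alone.
AUTOFORWARD_HEADERS = ("X-MS-Exchange-Organization-AutoForwarded",
                       "X-MailFwdBy", "X-Forwarded-To")
# Assumed definition of "looks like a forwarded message" in the client.
FORWARD_SUBJECT_PREFIXES = ("fw:", "fwd:")


def inspect_message(raw: str) -> dict:
    """Extract the auto-forward artifacts and the forwarded presentation of one message."""
    msg = message_from_string(raw, policy=default)
    artifacts = {}
    for name in AUTOFORWARD_HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        if (name == "X-MS-Exchange-Organization-AutoForwarded"
                and str(value).strip().lower() != "true"):
            continue
        artifacts[name] = str(value).strip()
    subject = str(msg.get("Subject", "")).strip().lower()
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "header_autoforwarded": bool(artifacts),
        "looks_forwarded": subject.startswith(FORWARD_SUBJECT_PREFIXES),
        "artifacts": artifacts,
    }


def assess(raw_messages, min_hits=3, presented_ratio=0.5) -> dict:
    """Group auto-forwarded mail by destination and say where to investigate first.

    If at least min_hits messages to one destination carry the header and fewer
    than presented_ratio of them look forwarded in the client, that is the
    forwardingSMTPAddress pattern: check the mailbox configuration at the admin
    level. Otherwise start with the user's client-side rules.
    """
    per_dest = defaultdict(list)
    for raw in raw_messages:
        info = inspect_message(raw)
        if info["header_autoforwarded"]:
            per_dest[info["to"]].append(info)
    verdicts = {}
    for dest, infos in per_dest.items():
        presented = sum(i["looks_forwarded"] for i in infos)
        if len(infos) >= min_hits and presented / len(infos) < presented_ratio:
            verdicts[dest] = "admin_level_forwarding"
        else:
            verdicts[dest] = "user_rule_forwarding"
    return verdicts


# Constructed sample messages (not real captures). The first three mimic a
# mailbox-level forward: the header is stamped, but the presentation is untouched.
SAMPLE_MESSAGES = [
    "From: alice@corp.example\nTo: attacker@mail.example.net\n"
    "Subject: Q3 board pack\nX-MS-Exchange-Organization-AutoForwarded: true\n\nAttached.\n",
    "From: bob@corp.example\nTo: attacker@mail.example.net\n"
    "Subject: Vendor contract draft\nX-MS-Exchange-Organization-AutoForwarded: true\n\nSee draft.\n",
    "From: carol@corp.example\nTo: attacker@mail.example.net\n"
    "Subject: VPN credentials reset\nX-MS-Exchange-Organization-AutoForwarded: true\n\nNew token inside.\n",
    # A client-side rule on a different mailbox: both the header and an FW: subject.
    "From: dave@corp.example\nTo: colleague@corp.example\n"
    "Subject: FW: Lunch menu\nX-Forwarded-To: colleague@corp.example\n\nForwarding.\n",
    # Ordinary mail with no artifacts at all.
    "From: erin@corp.example\nTo: alice@corp.example\nSubject: Standup notes\n\nAll good.\n",
]

if __name__ == "__main__":
    for dest, verdict in assess(SAMPLE_MESSAGES).items():
        print(f"{dest}: {verdict}")
```

The three messages to the external address all carry the Exchange header but none of them presents as a forward, so the destination is reported for admin-level review; the single `X-Forwarded-To` message with an FW: subject is the ordinary client-rule case and is routed to the user-level check.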