Email Collection (T1114) is a MITRE ATT&CK technique in the Collection tactic. SOC analysts detect it by monitoring SIEM and XDR events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. Common methods include accessing local email files such as Outlook PST files, using Exchange Web Services or the Graph API to download emails programmatically, forwarding rules that redirect emails to attacker-controlled accounts, and accessing webmail interfaces using compromised credentials. Business email compromise (BEC) operations extensively use email collection to understand payment processes, executive communication styles, and identify impersonation opportunities. State-sponsored attackers target email for intelligence gathering, focusing on communications related to sensitive negotiations, policy positions, and confidential business strategies.
"Email Collection is documented as technique T1114 in the MITRE ATT&CK knowledge base under the Collection tactic. Detection requires visibility into SIEM and XDR telemetry."
Detection Strategies
The following detection strategies help SOC analysts identify Email Collection activity. These methods apply across SIEM and XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.
1. Monitor Exchange and Office 365 audit logs for unusual email export operations, mailbox access by non-owners, and use of Exchange Web Services for bulk email retrieval from accounts with no administrative function.
2. Alert on email forwarding rule creation, particularly rules that forward messages to external email addresses or that use broad criteria to forward all messages or messages matching business-sensitive keywords.
3. Detect programmatic access to email APIs using service accounts or OAuth applications requesting broader mail permissions than typical business applications require, especially new application registrations.
4. Monitor for access to Outlook data files (PST, OST) by processes other than Outlook itself, as attackers may attempt to copy these files for offline analysis; a single file can contain years of email communication history.
5. Alert on unusually large email downloads through webmail interfaces or sync clients that significantly exceed the user's normal email activity baseline, which may indicate bulk collection prior to exfiltration.
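The second strategy (forwarding-rule detection) as an added worked example, not code from SOCSimulator or the original page. It evaluates Exchange inbox-rule audit records and flags rules that forward to an address outside the organisation, forward every message with no filtering condition, or forward messages matching business-sensitive keywords. The internal domain list, the keyword list and the sample records are constructed assumptions; the record shape (Operation, UserId, and a Parameters list of Name/Value pairs) mirrors the Unified Audit Log layout but is simplified here.

```python
import re

# Constructed assumptions: the organisation's mail domains and the
# business-sensitive keywords named in the detection strategy above.
INTERNAL_DOMAINS = {"company.com"}
SENSITIVE_WORDS = {"invoice", "payment", "wire transfer", "bank"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
CONDITION_PARAMS = {"SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "From"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def evaluate_rule_event(record):
    """Return a list of findings for one audit record; [] means nothing suspicious."""
    if record.get("Operation") not in RULE_OPS:
        return []
    # Flatten the Parameters array into a name -> value dict.
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    findings = []
    # Any address used as a forwarding/redirect target, regardless of cmdlet parameter.
    targets = {a.lower() for n in FORWARD_PARAMS for a in EMAIL_RE.findall(params.get(n, ""))}
    external = sorted(a for a in targets if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS)
    if external:
        findings.append("forwards to external recipient: " + ", ".join(external))
    conditions = {n: params[n] for n in CONDITION_PARAMS if n in params}
    if targets and not conditions:
        findings.append("forwards every message (no filtering condition)")
    # Condition values are ';'-separated word lists; compare them with the keyword set.
    words = {w.strip().lower() for v in conditions.values() for w in v.split(";")}
    hits = sorted(words & SENSITIVE_WORDS)
    if targets and hits:
        findings.append("forwards messages matching sensitive keywords: " + ", ".join(hits))
    return findings

def triage(records):
    """Map each rule-creating user to its findings, dropping benign records."""
    return {r["UserId"]: f for r in records if (f := evaluate_rule_event(r))}

# Constructed sample events modelled on the first example alert on this page.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ceo@company.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire transfer;bank"},
                    {"Name": "ForwardTo", "Value": "finance.backup@gmail.com"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@company.com",
     "Parameters": [{"Name": "From", "Value": "alerts@company.com"},
                    {"Name": "MoveToFolder", "Value": "Alerts"}]},
    {"Operation": "Set-InboxRule", "UserId": "vp_sales@company.com",
     "Parameters": [{"Name": "RedirectTo", "Value": "assistant@company.com"}]},
]

if __name__ == "__main__":
    for user, findings in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(findings))
```

The third record is flagged only for breadth: an internal redirect of every message is often legitimate, so that finding is a tuning candidate rather than a firm alert.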
Example Alerts
These realistic alert examples show what Email Collection looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
High | SIEM
Email Forwarding Rule Created to External Account
Office 365 audit log recorded creation of a new inbox rule for CFO account ceo@company.com that forwards all messages containing keywords "invoice", "payment", "wire transfer", and "bank" to an external Gmail address. This forwarding rule was created at 11:43 PM using the account after successful MFA bypass. The rule enables ongoing email monitoring and is a common precursor to BEC fraud.
High | SIEM
Bulk Email Download via Exchange Web Services
Exchange Web Services audit log shows 34,000 email messages downloaded from the CEO mailbox over 2 hours using account svc_migration. This service account is authorized for mailbox migrations but no migration was scheduled. The downloaded emails were sent to an external system outside the migration infrastructure and include all communications for the past 3 years.
High | XDR
PST File Copied from Executive Workstation
File copy event detected: Outlook.pst (8.4GB) copied from C:\Users\vp_sales\Documents to a network share and subsequently to an encrypted archive. The copy was performed by a background process that does not correspond to any legitimate application. This PST file contains 5 years of VP Sales email communications including customer negotiations and unreleased product roadmaps.
Practice Detecting Email Collection
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Email Collection. Build detection skills with zero consequences — free forever.
SOC analysts detect Email Collection (T1114) by monitoring SIEM and XDR telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring Exchange and Office 365 audit logs for unusual email export operations, mailbox access by non-owners, and use of Exchange Web Services for bulk email retrieval from accounts with no administrative function. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Email Collection?
Email Collection can be detected using SIEM and XDR platforms. SIEM tools are particularly effective for this technique because they provide visibility into the collection phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Email Collection in real-world attacks?
Email Collection is a well-documented MITRE ATT&CK technique in the Collection tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Email Collection scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Email Collection for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Collection techniques like Email Collection. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.