Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.[1][2] Adversaries can collect or forward email from mail servers or clients.
| ID | Name | Description |
|---|---|---|
| G1003 | Ember Bear | Ember Bear attempts to collect mail from accessed systems and servers.[3][4] |
| S0367 | Emotet | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[5][6][7] |
| G0059 | Magic Hound | Magic Hound has compromised email credentials in order to steal sensitive data.[8] |
| G1015 | Scattered Spider | Scattered Spider searched the victim's Microsoft Exchange for emails about the intrusion and incident response.[9] |
| G0122 | Silent Librarian | Silent Librarian has exfiltrated entire mailboxes from compromised accounts.[10] |
| S1201 | TRANSLATEXT | TRANSLATEXT has exfiltrated collected email addresses to the C2 server.[11] |

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis. In an Exchange environment, administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.[12] |
| M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| M1032 | Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| M1060 | Out-of-Band Communications Channel | Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests. For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email to prevent adversaries from collecting data through compromised email accounts.[1] |

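The M1047 audit in practice, as an added example that is not part of the ATT&CK page: an Exchange Management Shell script that enumerates every mailbox, pulls its inbox rules with Get-InboxRule, and reports rules (and mailbox-level forwarding settings) whose destination lies outside the organisation's own domains. It assumes an existing Exchange session with permission to run Get-Mailbox and Get-InboxRule; the `example.com` domain and the helper name `Test-ExternalRecipient` are placeholders.

```powershell
# Added example (not the ATT&CK page's own code): audit inbox rules and
# mailbox forwarding for external destinations, per mitigation M1047.
# Assumes an Exchange Online or on-premises management session is already open.
param(
    # Domains treated as internal; everything else is flagged as external.
    [string[]]$InternalDomains = @('example.com')   # placeholder: use your accepted domains
)

function Test-ExternalRecipient {
    # Returns $true if any recipient resolves to an SMTP address outside $InternalDomains.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients look like '"Name" [SMTP:user@domain]' or a bare address.
        if ($r -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $r }
        if ($addr -notmatch '@') { continue }          # directory object without an SMTP address
        $domain = ($addr -split '@')[-1].ToLowerInvariant()
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Forwarding set on the mailbox itself (admin, EWS or API), not via an inbox rule.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxForwarding'
            Rule     = $null
            Target   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # Collect every forward/redirect target of the rule, dropping empty properties.
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ })
        if ($targets.Count -eq 0) { continue }
        if (Test-ExternalRecipient $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'InboxRule'
                Rule     = $rule.Name
                Target   = ($targets -join '; ')
                KeepCopy = -not $rule.DeleteMessage   # a rule that also deletes hides the forwarding from the user
            }
        }
    }
}

$findings | Format-Table -AutoSize
# After review, remove a confirmed malicious rule with:
#   Remove-InboxRule -Mailbox <mailbox> -Identity <rule name>
```

Rules that forward externally and set DeleteMessage, or that target a single unfamiliar address, deserve the closest look, since the mailbox owner sees nothing in their inbox. Run the audit on a schedule and diff the output against the previous run so that newly created rules stand out.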
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | AN1309 | Correlates creation of email forwarding rules or header anomalies (e.g., X-MS-Exchange-Organization-AutoForwarded) with suspicious process execution, file access of .pst/.ost files, and network connections to external SMTP servers. |
| | | AN1310 | Detects file access to mbox/maildir files in conjunction with curl/wget/postfix execution, or anomalous shell scripts harvesting user mail directories. |
| | | AN1311 | Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks. |
| | | AN1312 | Correlates unusual auto-forwarding rule creation via Exchange Web Services or the Outlook rules engine, presence of X-MS-Exchange-Organization-AutoForwarded headers, and logon session anomalies from abnormal IPs. |