- Home
- Techniques
- Enterprise
- Email Collection
- Remote Email Collection
Email Collection: Remote Email Collection
Other sub-techniques of Email Collection (3)
ID | Name |
---|---|
T1114.001 | Local Email Collection |
T1114.002 | Remote Email Collection |
T1114.003 | Email Forwarding Rule |
Adversaries may target an Exchange server or Office 365 to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
Procedure Examples
Name | Description |
---|---|
APT1 |
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1] |
APT28 |
APT28 has collected emails from victim Microsoft Exchange servers.[2] |
Dragonfly 2.0 |
Dragonfly 2.0 accessed email accounts using Outlook Web Access.[3] |
FIN4 |
FIN4 has accessed and hijacked online email communications using stolen credentials.[4][5] |
Ke3chang |
Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[6] |
Leafminer |
Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[7] |
LightNeuron |
LightNeuron collects Exchange emails matching rules specified in its configuration.[8] |
MailSniper |
MailSniper can be used for searching through email in Exchange and Office 365 environments.[9] |
SeaDuke |
Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[10] |
UNC2452 |
UNC2452 collected emails from specific individuals, such as executives and IT staff, using |
Valak |
Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[12] |
Mitigations
Mitigation | Description |
---|---|
Encrypt Sensitive Information |
Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
Multi-factor Authentication |
Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
Detection
Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).
References
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.