Email Collection: Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

ID: T1114.002
Sub-technique of: T1114
Tactic: Collection
Platforms: Google Workspace, Office 365, Windows
Version: 1.1
Created: 19 February 2020
Last Modified: 25 March 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0006 APT1

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1]

G0007 APT28

APT28 has collected emails from victim Microsoft Exchange servers.[2][3]

G0016 APT29

APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[4][5]

G0114 Chimera

Chimera has harvested data from remote mailboxes including through execution of \\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.[6]

G0074 Dragonfly 2.0

Dragonfly 2.0 accessed email accounts using Outlook Web Access.[7]

G0085 FIN4

FIN4 has accessed and hijacked online email communications using stolen credentials.[8][9]

G0125 HAFNIUM

HAFNIUM has used web shells to export mailbox data.[10][11]

G0004 Ke3chang

Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[12]

G0077 Leafminer

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[13]

S0395 LightNeuron

LightNeuron collects Exchange emails matching rules specified in its configuration.[14]

S0413 MailSniper

MailSniper can be used for searching through email in Exchange and Office 365 environments.[15]

S0053 SeaDuke

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[16]

S0476 Valak

Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[17]
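
The APT29 entry above (New-MailboxExportRequest followed by Get-MailboxExportRequest) maps directly onto the Command Execution data component: Exchange records every cmdlet an administrator runs in its admin audit log, so export activity can be matched there. The following Python is an added example for this page, not ATT&CK, LAYER 8 or Microsoft code. The record layout (RunDate, Caller, CmdletName, Parameters), the account names and the file-share paths are constructed assumptions, and Search-Mailbox is included as a third real Exchange cmdlet beyond the two named on the page. It flags each export cmdlet invocation and raises a separate alert when one caller exports several distinct mailboxes inside a short window, which is the pattern behind targeting "specific individuals, such as executives and IT staff".

```python
"""Flag mailbox-export cmdlet use in Exchange admin audit records and
surface one caller exporting several mailboxes in a short window.

Added example for this page; not ATT&CK, LAYER 8 or Microsoft code. The
record layout (RunDate, Caller, CmdletName, Parameters) is a simplified,
constructed stand-in for admin audit log entries; names are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Cmdlets whose use means mailbox content is being pulled off the server.
# New-/Get-MailboxExportRequest are the pair named on this page;
# Search-Mailbox is a real Exchange cmdlet added here for depth.
EXPORT_CMDLETS = {
    "new-mailboxexportrequest",
    "get-mailboxexportrequest",
    "search-mailbox",
}

# Constructed sample: one JSON object per line, RunDate in UTC.
AUDIT_LINES = [
    r'{"RunDate":"2021-02-27T14:20:00Z","Caller":"CORP\\adm-legal","CmdletName":"New-MailboxExportRequest","Parameters":{"Mailbox":"legal-hold@corp.example","FilePath":"\\\\fs01\\ediscovery\\case42.pst"}}',
    r'{"RunDate":"2021-03-01T08:02:11Z","Caller":"CORP\\svc-backup","CmdletName":"Get-Mailbox","Parameters":{"Identity":"cfo@corp.example"}}',
    r'{"RunDate":"2021-03-01T08:05:40Z","Caller":"CORP\\adm-jdoe","CmdletName":"New-MailboxExportRequest","Parameters":{"Mailbox":"cfo@corp.example","FilePath":"\\\\fs01\\exports\\cfo.pst"}}',
    r'{"RunDate":"2021-03-01T08:06:02Z","Caller":"CORP\\adm-jdoe","CmdletName":"Get-MailboxExportRequest","Parameters":{}}',
    r'{"RunDate":"2021-03-01T08:10:15Z","Caller":"CORP\\adm-jdoe","CmdletName":"New-MailboxExportRequest","Parameters":{"Mailbox":"ciso@corp.example","FilePath":"\\\\fs01\\exports\\ciso.pst"}}',
    r'{"RunDate":"2021-03-01T08:14:51Z","Caller":"CORP\\adm-jdoe","CmdletName":"New-MailboxExportRequest","Parameters":{"Mailbox":"it-admin@corp.example","FilePath":"\\\\fs01\\exports\\it-admin.pst"}}',
]


def parse_audit(lines):
    """Parse JSON audit lines and return them in chronological order."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["RunDate"] = datetime.strptime(rec["RunDate"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["RunDate"])


def find_export_activity(lines, window=timedelta(hours=1), bulk_threshold=3):
    """Return one alert per export cmdlet invocation, plus a BULK_EXPORT alert
    at the moment a caller has exported `bulk_threshold` distinct mailboxes
    within `window`."""
    alerts = []
    history = defaultdict(list)  # caller -> [(time, mailbox)] for New-MailboxExportRequest
    for rec in parse_audit(lines):
        cmdlet = rec["CmdletName"].lower()  # cmdlet names are case-insensitive
        if cmdlet not in EXPORT_CMDLETS:
            continue
        params = rec.get("Parameters", {})
        mailbox = params.get("Mailbox") or params.get("Identity")
        alerts.append({
            "time": rec["RunDate"],
            "caller": rec["Caller"],
            "cmdlet": rec["CmdletName"],
            "mailbox": mailbox,
            "file_path": params.get("FilePath"),  # where the PST was written
        })
        if cmdlet == "new-mailboxexportrequest" and mailbox:
            hist = history[rec["Caller"]]
            hist.append((rec["RunDate"], mailbox))
            # Distinct mailboxes this caller exported inside the sliding window.
            recent = sorted({m for t, m in hist if rec["RunDate"] - t <= window})
            if len(recent) == bulk_threshold:
                alerts.append({"time": rec["RunDate"], "caller": rec["Caller"],
                               "cmdlet": "BULK_EXPORT", "mailbox": None,
                               "file_path": None, "mailboxes": recent})
    return alerts


if __name__ == "__main__":
    for a in find_export_activity(AUDIT_LINES):
        print(a["time"].isoformat(), a["caller"], a["cmdlet"],
              a.get("mailboxes") or a["mailbox"], a["file_path"] or "")
```

The single export by the e-discovery account two days earlier produces an invocation alert but no bulk alert, which is the distinction a triage analyst needs: every export is worth a look, but one caller pulling the CFO, CISO and IT-admin mailboxes inside ten minutes is the case to escalate. On a real Exchange server the records would come from Search-AdminAuditLog or the unified audit log, and the FilePath value shows which share the PST files landed on.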

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

M1032 Multi-factor Authentication

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Detection

ID      Data Source      Data Component
DS0017  Command          Command Execution
DS0028  Logon Session    Logon Session Creation
DS0029  Network Traffic  Network Connection Creation

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).
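
One way to operationalise that guidance, as an added example for this page rather than ATT&CK or LAYER 8 code: build a per-account baseline of the countries each user has successfully signed in from, then flag post-baseline sign-ins from any country outside that set, with the severity raised for accounts holding Exchange administrative roles. The CSV layout (timestamp,user,src_ip,country,result), the account names, the IP addresses and the privileged-account set are all constructed assumptions; a real deployment would feed it Logon Session Creation records from the mail server or identity provider.

```python
"""Flag sign-ins from locations an account has not used before,
prioritising privileged (e.g. Exchange administrator) accounts.

Added example for this page; not ATT&CK or LAYER 8 code. The CSV layout,
the account names, the IP addresses and the privileged set are constructed.
"""
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

SignIn = namedtuple("SignIn", "time user src_ip country result")

# Constructed: accounts that hold Exchange administrative roles.
PRIVILEGED = {"exadmin@corp.example", "ops-admin@corp.example"}

# Constructed sample sign-in log; the February rows form the baseline.
SAMPLE_SIGNINS = """\
timestamp,user,src_ip,country,result
2021-02-03T09:00:00Z,exadmin@corp.example,203.0.113.10,DE,Success
2021-02-10T09:05:00Z,exadmin@corp.example,203.0.113.10,DE,Success
2021-02-11T10:00:00Z,jdoe@corp.example,203.0.113.22,DE,Success
2021-02-20T16:30:00Z,jdoe@corp.example,198.51.100.5,FR,Success
2021-03-02T08:00:00Z,exadmin@corp.example,203.0.113.10,DE,Success
2021-03-02T23:41:00Z,exadmin@corp.example,192.0.2.77,BR,Success
2021-03-03T09:15:00Z,jdoe@corp.example,198.51.100.5,FR,Success
2021-03-03T03:02:00Z,jdoe@corp.example,192.0.2.80,US,Failure
2021-03-03T03:04:00Z,ops-admin@corp.example,192.0.2.80,US,Failure
2021-03-04T07:30:00Z,newhire@corp.example,203.0.113.30,DE,Success
"""

# Sign-ins before this instant train the baseline; later ones are scored.
BASELINE_END = datetime(2021, 3, 1, tzinfo=timezone.utc)


def parse_signins(text):
    """Parse the CSV into SignIn tuples sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        t = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        t = t.replace(tzinfo=timezone.utc)
        rows.append(SignIn(t, rec["user"], rec["src_ip"], rec["country"], rec["result"]))
    return sorted(rows, key=lambda r: r.time)


def build_baseline(rows, baseline_end):
    """Countries each account successfully signed in from before baseline_end."""
    known = defaultdict(set)
    for r in rows:
        if r.time < baseline_end and r.result == "Success":
            known[r.user].add(r.country)
    return known


def severity(r, privileged):
    """A successful sign-in on an admin account from a new location is the
    worst case; a failed attempt on an ordinary account is the least urgent."""
    if r.user in privileged:
        return "high" if r.result == "Success" else "medium"
    return "medium" if r.result == "Success" else "low"


def detect_unusual_logins(text, baseline_end, privileged):
    """Return alerts for post-baseline sign-ins from countries outside the
    account's baseline (accounts with no baseline alert on every country)."""
    rows = parse_signins(text)
    known = build_baseline(rows, baseline_end)
    alerts = []
    for r in rows:
        if r.time < baseline_end or r.country in known.get(r.user, set()):
            continue
        alerts.append({
            "time": r.time,
            "user": r.user,
            "src_ip": r.src_ip,
            "country": r.country,
            "result": r.result,
            "privileged": r.user in privileged,
            "known_countries": sorted(known.get(r.user, set())),
            "severity": severity(r, privileged),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_unusual_logins(SAMPLE_SIGNINS, BASELINE_END, PRIVILEGED):
        print(a["severity"].upper(), a["time"].isoformat(), a["user"],
              a["country"], a["result"], "baseline:", a["known_countries"])
```

The exadmin success from a country outside its baseline is the high-severity hit; the two failed attempts from the same new address against an ordinary and an administrative account a couple of minutes apart are lower on their own but land in the same output, so an analyst sees the pattern. An account with no baseline at all (newhire here) alerts on its first sign-in, which is deliberate: new administrative accounts are exactly the ones without history.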

References