T1114.002 · collection · 12 actors · 0 correlated reports

Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

Observed actors

Kimsuky
G0094 Dragonfly
G0035 HAFNIUM
G0125 Leafminer
G0077 Ke3chang
G0004 APT1
G0006 APT29
G0016 Chimera
G0114 Star Blizzard
G1033 APT28
G0007 FIN4
G0085 Magic Hound
G0059

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research