Email Collection: Remote Email Collection, Sub-technique T1114.002 - Enterprise
During the 2025 Poland Wiper Attacks, the adversaries used stolen credentials for cloud services to collect data and email messages from Exchange, focusing on OT topics and technical work carried out within the targeted organizations.[1]
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[2]
APT28 has collected emails from victim Microsoft Exchange servers.[3][4]
APT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.[5][6]
Chimera has harvested data from remote mailboxes, including by retrieving Outlook offline data files over the administrative share, i.e. \\c$\Users\<username>\AppData\Local\Microsoft\Outlook*.ost.[7]
Dragonfly has accessed email accounts using Outlook Web Access.[8]
FIN4 has accessed and hijacked online email communications using stolen credentials.[9][10]
HAFNIUM has used web shells and MSGraph to export mailbox data.[11][12][13]
During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[14]
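The EWS API requests attributed to APT29 above and the HTTP POST traffic to Exchange servers seen in HomeLand Justice both land in the IIS logs of the Exchange server. The following detection sketch is an added example written for this page, not code from any group or tool it lists: it parses W3C-format IIS log lines, groups EWS POSTs by authenticated user and source address, and reports groups that exceed a volume threshold or come from outside the internal ranges. The log lines are constructed, and the internal ranges and threshold are assumptions to tune per environment.

```python
"""Flag bulk Exchange Web Services (EWS) mailbox access in IIS W3C logs.

Added example for this page, not tooling from any of the groups listed on it.
The log lines are constructed; the internal address ranges and the volume
threshold are assumptions that a real deployment would tune.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

EWS_PATH = "/ews/exchange.asmx"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumption
BULK_THRESHOLD = 50  # EWS POSTs per (user, source IP) before alerting; assumption


def build_sample_log():
    """Constructed IIS log: Outlook on an internal workstation, then a scripted
    EWS client on an external address reusing the same (stolen) account."""
    header = (
        "#Software: Microsoft Internet Information Services 10.0\n"
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status time-taken\n"
    )
    rows = []
    for i in range(5):  # benign: a handful of Outlook sync calls
        rows.append(
            f"2024-03-01 08:00:{i:02d} 10.0.0.5 POST {EWS_PATH} - 443 CONTOSO\\jdoe "
            "10.0.1.23 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.17328) 200 45"
        )
    for i in range(60):  # suspicious: 60 EWS calls in one minute from outside, scripting UA
        rows.append(
            f"2024-03-01 09:00:{i:02d} 10.0.0.5 POST {EWS_PATH} - 443 CONTOSO\\jdoe "
            "203.0.113.7 python-requests/2.31.0 200 210"
        )
    rows.append(  # noise: an OWA page load, not EWS
        "2024-03-01 09:05:00 10.0.0.5 GET /owa/ - 443 CONTOSO\\asmith 10.0.1.40 Mozilla/5.0 200 30"
    )
    return header + "\n".join(rows) + "\n"


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the column map."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bulk_ews_access(log_text, threshold=BULK_THRESHOLD):
    """Group EWS POSTs by (authenticated user, source IP) and report groups that
    exceed the volume threshold or originate outside the internal ranges."""
    counts = defaultdict(int)
    agents = defaultdict(set)
    for rec in parse_w3c(log_text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != EWS_PATH:
            continue
        key = (rec["cs-username"], rec["c-ip"])
        counts[key] += 1
        agents[key].add(rec["cs(User-Agent)"])

    findings = []
    for (user, ip), n in sorted(counts.items()):
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} EWS POSTs (threshold {threshold})")
        if not is_internal(ip):
            reasons.append("source outside internal ranges")
        if reasons:
            findings.append({"user": user, "source_ip": ip, "requests": n,
                             "user_agents": sorted(agents[(user, ip)]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_bulk_ews_access(build_sample_log()):
        print(finding)
```

Keying on (user, source IP) rather than source IP alone keeps a busy corporate proxy from masking a single account that is suddenly driven by a script; the EWS SOAP body, which names the target mailbox when impersonation or delegate access is used, is not in the IIS log, so mailbox-level attribution needs the Exchange-side logs instead.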
Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[15][16]
Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.[17]
Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[18]
LightNeuron collects Exchange emails matching rules specified in its configuration.[19]
Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet New-MailboxExportRequest.[20][21]
MailSniper can be used for searching through email in Exchange and Office 365 environments.[22]
Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[23]
During the SolarWinds Compromise, APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[24][25]
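The New-MailboxExportRequest / Get-MailboxExportRequest pattern noted for Magic Hound and for APT29 during the SolarWinds Compromise is recorded by the Exchange admin audit log. The following hunt is an added example written for this page, not code from any group or tool it lists: it groups export requests by caller, flags callers that export watch-listed mailboxes (executives and IT staff, as in the APT29 case) or an unusual number of mailboxes, and notes whether the caller then polled the requests with Get-MailboxExportRequest. The records are constructed; their field shape mirrors Search-AdminAuditLog output, which is an assumption about the export format, and the watch list and bulk threshold are assumptions.

```python
"""Hunt Exchange admin audit log records for mailbox export activity.

Added example for this page, not tooling from any group or tool listed on it.
The records are constructed; their shape (RunDate, Caller, CmdletName,
CmdletParameters as Name/Value pairs) mirrors Search-AdminAuditLog output,
which is an assumption about the export format. The watch list and the
bulk threshold are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST = {"ceo@contoso.com", "cfo@contoso.com", "it.admin@contoso.com"}  # assumption
BULK_MAILBOXES = 3                    # distinct mailboxes exported by one caller; assumption
FOLLOWUP_WINDOW = timedelta(hours=1)  # Get-MailboxExportRequest this soon after = status polling


def _export(when, caller, mailbox, path):
    return {"RunDate": when, "Caller": caller, "CmdletName": "New-MailboxExportRequest",
            "CmdletParameters": [{"Name": "Mailbox", "Value": mailbox},
                                 {"Name": "FilePath", "Value": path}]}


ADMIN = "contoso.com/Users/Administrator"
SAMPLE_RECORDS = [  # constructed
    _export("2024-03-01T02:10:00", ADMIN, "ceo@contoso.com", "\\\\EXCH01\\c$\\temp\\ceo.pst"),
    _export("2024-03-01T02:11:00", ADMIN, "cfo@contoso.com", "\\\\EXCH01\\c$\\temp\\cfo.pst"),
    _export("2024-03-01T02:12:00", ADMIN, "it.admin@contoso.com", "\\\\EXCH01\\c$\\temp\\it.admin.pst"),
    {"RunDate": "2024-03-01T02:15:00", "Caller": ADMIN,
     "CmdletName": "Get-MailboxExportRequest", "CmdletParameters": []},
    {"RunDate": "2024-03-01T10:00:00", "Caller": "contoso.com/Users/helpdesk1",  # routine change
     "CmdletName": "Set-Mailbox",
     "CmdletParameters": [{"Name": "Identity", "Value": "asmith"},
                          {"Name": "DisplayName", "Value": "Alice Smith"}]},
    _export("2024-03-01T11:00:00", "contoso.com/Users/svc_migration",  # routine single export
            "bjones@contoso.com", "\\\\FS01\\archive\\bjones.pst"),
]


def _params(rec):
    return {p["Name"]: p["Value"] for p in rec["CmdletParameters"]}


def find_mailbox_exports(records, watchlist=WATCHLIST, bulk=BULK_MAILBOXES):
    """Group New-MailboxExportRequest calls by caller; flag callers that export
    watch-listed mailboxes or an unusual number of mailboxes, and note whether
    the caller polled the requests with Get-MailboxExportRequest afterwards."""
    exports = defaultdict(lambda: {"mailboxes": set(), "paths": set(), "first": None, "last": None})
    status_checks = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["RunDate"]):
        when = datetime.fromisoformat(rec["RunDate"])
        if rec["CmdletName"] == "New-MailboxExportRequest":
            p = _params(rec)
            e = exports[rec["Caller"]]
            e["mailboxes"].add(p.get("Mailbox", "").lower())
            if "FilePath" in p:
                e["paths"].add(p["FilePath"])
            e["first"] = e["first"] or when
            e["last"] = when
        elif rec["CmdletName"] == "Get-MailboxExportRequest":
            status_checks[rec["Caller"]].append(when)

    watch = {m.lower() for m in watchlist}
    findings = []
    for caller, e in exports.items():
        reasons = []
        hits = sorted(e["mailboxes"] & watch)
        if hits:
            reasons.append("watch-list mailboxes exported: " + ", ".join(hits))
        if len(e["mailboxes"]) >= bulk:
            reasons.append(f"{len(e['mailboxes'])} mailboxes exported by one caller")
        if not reasons:
            continue
        polled = any(e["first"] <= t <= e["last"] + FOLLOWUP_WINDOW
                     for t in status_checks[caller])
        findings.append({"caller": caller, "mailboxes": sorted(e["mailboxes"]),
                         "paths": sorted(e["paths"]), "reasons": reasons,
                         "followed_by_status_check": polled})
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_exports(SAMPLE_RECORDS):
        print(finding)
```

On-premises, the input comes from Search-AdminAuditLog -Cmdlets New-MailboxExportRequest,Get-MailboxExportRequest exported to JSON; in Exchange Online the equivalent operations appear in Search-UnifiedAuditLog. The export FilePath is kept in the finding because it names the PST the adversary will later retrieve, which is the file to look for in subsequent transfer or web-access logs.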
Star Blizzard has remotely accessed victims' email accounts to steal messages and attachments.[26]
Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[27]
VOID MANTICORE has gathered email content from victim servers.[28]