DET0047: Detect Local Email Collection via Outlook Data File Access and Command Line Tooling
Analyst context for executives and security teams
DET0047 is a MITRE detection strategy for spotting local email collection through access to Outlook data files and command-line tooling. The business issue is that locally cached mailbox data can contain sensitive communications, attachments, legal material, customer information, credentials, and operational context. Even when cloud mail controls are strong, endpoint-resident Outlook files can remain a collection path that SOC and IR teams need to validate.
Executive priority
Treat this as an endpoint data-protection and incident-readiness question: can the organization prove when local Outlook mail stores are accessed, copied, or manipulated in suspicious ways? Leaders should ask whether email security, endpoint monitoring, and IR playbooks cover local mailbox artifacts, not only cloud mailbox activity. This matters for breach scoping, audit evidence, legal exposure, and prioritizing controls around sensitive users and workstations.
Technical view
The detection strategy maps to ATT&CK T1114.001 Local Email Collection, a Collection sub-technique; the technique's listed platform is Windows. Because the imported DET0047 object provides no official description or detection logic, teams should validate coverage against the related behavior: access to Outlook local data files, namely Outlook Data Files (.pst) and Offline Outlook Data Files (.ost), especially when the accessing process is not Outlook itself or is paired with unusual command-line activity. Detection engineering should focus on file access, process execution, and user/workstation context rather than assuming cloud mail logs will show the activity, since reading a locally cached mailbox generates no mailbox-side audit event.
Likely telemetry
- Endpoint process creation telemetry with command-line arguments
- File access or file modification telemetry for Outlook local data files (.pst and .ost), including the accessing process identity
- User, host, and logon context for the workstation where Outlook data is stored
- Endpoint detection and response alerts or raw events involving unusual command-line tooling near mail data paths
- Case evidence linking local file activity to sensitive users or mail-heavy endpoints
Detection direction
- Confirm whether Windows endpoint telemetry is collected for systems using Outlook local data files; the detection object itself does not specify platforms, but the related ATT&CK technique lists Windows.
- Tune for suspicious access patterns to Outlook data files, especially non-Outlook processes, command-line utilities, or unusual parent/child process relationships interacting with mail-store locations.
- Account for false positives from Outlook, indexing, backup, migration, eDiscovery, antivirus, and legitimate administrative tools that may read large local mail files.
- Correlate file access with process execution and user context; file activity alone may be noisy, while command-line context can help separate routine client behavior from collection-like behavior.
- Validate retention and fidelity before an incident: large local mail files can be copied quickly, and missing file/process telemetry will limit breach scoping.
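The detection direction above reduces to one join: file events on .pst/.ost paths correlated with the process-creation event of the accessing process, then filtered through an allowlist of expected readers and escalated on command-line or parent-process context. The script below is an added example written for this page, not MITRE's or Glexia's detection logic; the event field names, the allowlist, the command-line patterns, and the sample records are all constructed for illustration and do not follow any particular EDR or Sysmon schema.

```python
"""Added example (not from the original page): correlate endpoint process
creation and file access telemetry to flag non-Outlook processes that read
Outlook data files (.pst/.ost), escalating when the command line or parent
process looks like collection tooling.

Event field names, the allowlist and the sample records are constructed for
this example; they do not follow any specific EDR or Sysmon schema.
"""
import re

# Outlook data files: .pst (Outlook Data File) and .ost (Offline Outlook Data File).
OUTLOOK_STORE_RE = re.compile(r"\.(?:pst|ost)$", re.IGNORECASE)

# Hypothetical allowlist of images expected to read mail stores (Outlook itself,
# Windows Search indexing, Defender). Tune per environment; matched on basename.
ALLOWLISTED_IMAGES = {
    "outlook.exe", "searchindexer.exe", "searchprotocolhost.exe", "msmpeng.exe",
}

# Hypothetical command-line patterns typical of bulk copy/archive tooling.
SUSPICIOUS_CMDLINE_RE = re.compile(
    r"robocopy|xcopy|copy-item|compress-archive|\b7z\b|\brar\b|\bcopy\b", re.IGNORECASE
)

# A shell or script host as parent of the accessing process raises severity.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lowercase file name of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings for file events that touch Outlook data files.

    events: list of dicts.
      type == "process": host, pid, image, cmdline, parent_image
      type == "file":    host, pid, path, user
    Process events are indexed by (host, pid) so each file event can be joined
    to the command line and parent of the process that performed the access.
    """
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "file" or not OUTLOOK_STORE_RE.search(e["path"]):
            continue
        proc = procs.get((e["host"], e["pid"]))
        image = basename(proc["image"]) if proc else "<no process event>"
        if image in ALLOWLISTED_IMAGES:
            continue  # routine client / indexer / AV access
        reasons = ["non-allowlisted process accessed Outlook data file"]
        severity = "medium"
        if proc is None:
            reasons.append("no matching process creation event (telemetry gap)")
        else:
            if SUSPICIOUS_CMDLINE_RE.search(proc["cmdline"]):
                reasons.append("command line resembles copy/archive tooling")
                severity = "high"
            parent = basename(proc["parent_image"])
            if parent in SHELL_PARENTS:
                reasons.append(f"spawned from {parent}")
                severity = "high"
        findings.append({
            "host": e["host"], "user": e["user"], "pid": e["pid"],
            "image": image, "path": e["path"],
            "cmdline": proc["cmdline"] if proc else None,
            "severity": severity, "reasons": reasons,
        })
    return findings


# Constructed sample telemetry (not real logs): Outlook and the indexer read the
# .ost (expected), PowerShell copies it from a cmd.exe parent (collection-like),
# a backup agent reads a .pst (likely benign but not allowlisted), and one file
# event has no process creation record at all.
OST = r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost"
PST = r"C:\Users\alice\Documents\Outlook Files\archive.pst"
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": '"OUTLOOK.EXE"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "host": "WS01", "pid": 4100, "path": OST, "user": "CORP\\alice"},
    {"type": "process", "host": "WS01", "pid": 2204, "image": r"C:\Windows\System32\SearchIndexer.exe",
     "cmdline": "SearchIndexer.exe /Embedding", "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "file", "host": "WS01", "pid": 2204, "path": OST, "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "process", "host": "WS01", "pid": 5320, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'powershell.exe -NoP -C "Copy-Item {OST} C:\\Temp\\a.bin"', "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "WS01", "pid": 5320, "path": OST, "user": "CORP\\alice"},
    {"type": "process", "host": "WS01", "pid": 6012, "image": r"C:\Program Files\BackupAgent\bkagent.exe",
     "cmdline": "bkagent.exe --schedule nightly", "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "file", "host": "WS01", "pid": 6012, "path": PST, "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "file", "host": "WS01", "pid": 7777, "path": PST, "user": "CORP\\alice"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["path"], "|", "; ".join(f["reasons"]))
```

Run stand-alone, the sample yields three findings: the PowerShell copy is high (command line plus cmd.exe parent), the backup agent is medium and is the case the allowlist exists to absorb once it is validated, and the orphan file event is medium with a telemetry-gap reason, which is exactly the retention and fidelity problem the last bullet warns about. A production version should join on a process GUID and a time window rather than a bare PID, since PIDs are reused, and should carry the user and host into the case record so that findings on mail-heavy or sensitive workstations can be prioritized.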
Mitigation priorities
- Inventory where local Outlook data files are used and which users or systems create the greatest data exposure.
- Prioritize endpoint monitoring for sensitive users, shared workstations, and systems handling regulated or business-critical communications.
- Limit unnecessary local mail caching where business requirements allow, and align endpoint hardening with least-privilege access to user data.
- Ensure IR playbooks include local mailbox artifact review, endpoint containment decisions, and evidence preservation for file/process activity.
- Document telemetry coverage and exceptions as compliance evidence for email data protection and incident response readiness.
Analyst notes and limits
This take is based on the DET0047 detection strategy metadata and its relationship to T1114.001 Local Email Collection. The DET0047 object has no official description, no official detection text, no tactics, and no platforms specified; practical guidance is therefore derived conservatively from the related ATT&CK technique description and relationship context.
No vendor logic, analytic syntax, data source list, or detection procedure was supplied. Local environment details—Outlook configuration, endpoint logging depth, EDR capabilities, backup/eDiscovery tooling, and retention—are required to determine actual coverage and alert quality.
Detect Local Email Collection via Outlook Data File Access and Command Line Tooling
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1114.001 | Local Email Collection (sub-technique) | This object detects Local Email Collection. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 42192d0ef969… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0047 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.