MITRE ATT&CK® Detection Strategy

DET0048: Detect Remote Email Collection via Abnormal Login and Programmatic Access

Domain: Enterprise | ID: DET0048 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it points defenders toward abnormal logins and programmatic access as signals of possible remote email collection. Even though the ATT&CK object does not include a detailed description or detection logic, its relationship to T1114.002 makes the business issue clear: email systems often hold sensitive business, legal, financial, and operational information, and compromised credentials or tokens can let an adversary collect that data remotely through Exchange, Office 365, or Google Workspace-style access paths.

Executive priority

Treat this as an identity, email security, and SOC readiness priority. Leaders should ask whether the organization can prove who accessed mailboxes, from where, by what method, and at what volume. This is especially important for incident scoping, regulatory evidence, insider-risk investigations, and business continuity decisions after suspected credential compromise. Budget and control decisions should prioritize mailbox auditability, abnormal login detection, and visibility into automated or non-interactive email access.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around the related ATT&CK technique T1114.002 Remote Email Collection under the collection tactic. The supplied relationship context identifies Exchange, Office 365, and Google Workspace-style remote email access using credentials or access tokens, including automated searching tools. Because the detection object has no official detection text, teams should build local logic around abnormal authentication patterns, unusual mailbox access, and programmatic access indicators, then test that telemetry is retained and usable during investigations.

Likely telemetry

  • Identity provider sign-in logs, including successful and failed logins
  • Mailbox audit logs showing message, folder, search, export, or access activity
  • Cloud email service audit logs for Exchange, Office 365, or Google Workspace-equivalent environments where applicable
  • Token and session activity, including non-interactive or refresh-token-based access where available
  • Client application, protocol, user agent, IP address, geolocation, and device context associated with email access

Detection direction

  • Validate that abnormal login analytics include impossible travel, unfamiliar locations, new devices, suspicious client applications, and unusual access times, while accounting for legitimate travel and VPN behavior.
  • Correlate authentication events with mailbox access activity; a login alone is weaker than a login followed by unusual search, enumeration, or bulk access patterns.
  • Differentiate normal automation, eDiscovery, backup, migration, compliance journaling, and administrative activity from suspicious programmatic collection.
  • Confirm that audit logging is enabled and retained long enough to support incident response and compliance evidence needs.
  • Tune detections for credentials or token misuse, especially where access occurs without clear endpoint compromise evidence.

Mitigation priorities

  • Prioritize strong identity controls for email access, including phishing-resistant authentication where feasible and conditional access policies appropriate to the environment.
  • Restrict or monitor legacy, high-risk, or unnecessary email access methods and client applications based on organizational requirements.
  • Ensure mailbox auditing and cloud email audit logging are enabled, centralized, and retained for investigation and audit needs.
  • Apply least privilege to administrative, eDiscovery, export, and mailbox access roles.
  • Review token/session management controls and incident response procedures for suspected credential or access-token compromise.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy named Detect Remote Email Collection via Abnormal Login and Programmatic Access, but it does not include an official description, official detection text, tactics, or platforms. The most useful context comes from its detects relationship to T1114.002 Remote Email Collection, which is associated with the collection tactic and Office Suite/Windows platform context. Glexia should present this as a coverage validation and readiness topic rather than as a complete ATT&CK-provided analytic.

This take is constrained by sparse official fields. It does not assert active exploitation, attribution, specific vendor coverage, or guaranteed detectability. Local environment architecture, email platform configuration, logging settings, retention, and identity controls are required to determine actual coverage.

Official MITRE ATT&CK definition

Detect Remote Email Collection via Abnormal Login and Programmatic Access

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1114.002 | Remote Email Collection (sub-technique) | This object detects Remote Email Collection.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 4ee030b8ff795b2d...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 4ee030b8ff79…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, DET0048 (open source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.