MITRE ATT&CK® Detection Strategy

DET0476: Email Collection via Local Email Access and Auto-Forwarding Behavior


Domain: Enterprise | ID: DET0476 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about finding email collection behavior, especially where access to local mail data or auto-forwarding may expose sensitive business communications. For leaders, the practical issue is that email often contains confidential data, personal information, and sometimes details about ongoing incident response activity. If visibility into mailbox access and forwarding behavior is weak, an organization may miss early evidence that sensitive communications are being collected or redirected.

Executive priority

Treat this as a control-validation priority for organizations that rely heavily on email for executive communications, legal matters, customer data, security operations, or incident response coordination. The business question is not simply whether email security tools exist, but whether teams can prove they monitor suspicious mailbox access and forwarding behavior across the relevant enterprise platforms associated with Email Collection: Windows, macOS, Linux, and Office Suite environments. This also supports audit and incident-readiness discussions because email access and forwarding evidence may be central to determining data exposure.

Technical view

The supplied ATT&CK object is a detection strategy, DET0476, that detects T1114 Email Collection. MITRE did not provide an official detection description or platform list for the detection strategy itself, so SOC and detection teams should anchor validation to the related technique context: collection of user email and forwarding of email from mail services. Validate whether telemetry can show unusual mailbox access, local email data access, creation or modification of forwarding behavior, and access to mail content from endpoints or office suite services. Detection engineering should avoid assuming full coverage until local data sources, retention, and alert logic are confirmed.

Likely telemetry

  • Mailbox audit logs showing access to mail items and mailbox configuration changes
  • Email forwarding rule and auto-forwarding configuration events
  • Office suite administrative and user activity logs related to mailbox access or mail flow changes
  • Endpoint file and process telemetry where local email stores or mail client data may be accessed
  • Authentication logs for accounts accessing email services, especially unusual source, timing, or volume patterns

Detection direction

  • Validate alerting for creation or modification of inbox rules, transport rules, or auto-forwarding behavior, with tuning for legitimate delegation and business workflows.
  • Correlate mailbox access events with authentication context, endpoint activity, and user baseline behavior to reduce false positives.
  • Confirm visibility across the related Email Collection platforms supplied by ATT&CK: Windows, macOS, Linux, and Office Suite, where applicable to the environment.
  • Pay special attention to privileged, executive, legal, finance, and security-team mailboxes because email may contain sensitive data and incident response details.
  • Review blind spots caused by limited mailbox audit retention, disabled audit logging, unmanaged mail clients, local email archives, or forwarding paths outside normal mail-flow monitoring.
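One way to turn the first two bullets into alert logic, written here as an added example rather than anything from the ATT&CK object or Glexia's page: it walks constructed Exchange-style mailbox audit records, tunes out internal delegation and an approved forwarding partner, and escalates hits on sensitive mailboxes. The operation and parameter names, domains and mailbox lists are assumptions for illustration.

```python
"""Flag forwarding changes that send a mailbox's mail outside the organisation.
Added example, not from the ATT&CK object or Glexia's page. Event records are
constructed; their shape (Operation plus Parameters) is modelled on Exchange-style
mailbox audit events, and the operation/parameter names are assumptions."""

# Tuning (assumed values): own domains, destinations approved by a documented
# workflow, and mailboxes that escalate on any external forwarding change.
INTERNAL_DOMAINS = {"corp.example"}
APPROVED_FORWARD_DOMAINS = {"archive-partner.example"}
SENSITIVE_MAILBOXES = {"ciso@corp.example", "legal@corp.example", "cfo@corp.example"}
# Operations that create or alter forwarding, and the parameters carrying targets.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "New-TransportRule"}
TARGET_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

def _domain(address):
    """Domain of a target address; tolerates the 'smtp:' prefix seen on SMTP addresses."""
    return address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]

def evaluate(event):
    """Return an alert dict for an external forwarding target, or None when benign."""
    if event.get("Operation") not in FORWARDING_OPS:
        return None  # plain mailbox reads etc. are correlated separately, not alerted here
    targets = []
    for name in TARGET_PARAMS:
        value = event.get("Parameters", {}).get(name)
        if value:
            targets.extend(value if isinstance(value, list) else [value])
    allowed = INTERNAL_DOMAINS | APPROVED_FORWARD_DOMAINS
    external = [t for t in targets if _domain(t) not in allowed]
    if not external:
        return None  # internal delegation or an approved workflow: tuned out
    mailbox = event.get("Mailbox", "").lower()
    return {"mailbox": mailbox, "actor": event.get("UserId"), "operation": event["Operation"],
            "external_targets": external,
            # executive, legal, finance and security-team mailboxes escalate on any hit
            "severity": "high" if mailbox in SENSITIVE_MAILBOXES else "medium"}

def scan(events):
    return [alert for alert in map(evaluate, events) if alert]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ciso@corp.example", "Mailbox": "ciso@corp.example",
     "Parameters": {"Name": "sync", "ForwardTo": ["drop@mail-collector.example"]}},
    {"Operation": "Set-Mailbox", "UserId": "admin@corp.example", "Mailbox": "legal@corp.example",
     "Parameters": {"ForwardingSmtpAddress": "smtp:intake@archive-partner.example"}},
    {"Operation": "New-InboxRule", "UserId": "ann@corp.example", "Mailbox": "ann@corp.example",
     "Parameters": {"ForwardAsAttachmentTo": ["bob@corp.example", "ann.home@webmail.example"]}},
    {"Operation": "MailItemsAccessed", "UserId": "ann@corp.example", "Mailbox": "ann@corp.example"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: a high-severity hit on the executive mailbox and a medium one for the user whose rule mixes an internal and an external recipient, while the approved partner forward and the plain mailbox read produce nothing.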

Mitigation priorities

  • Ensure mailbox auditing and relevant office suite activity logging are enabled and retained long enough to support investigations.
  • Restrict and monitor external auto-forwarding and forwarding rule creation according to business need.
  • Apply strong identity controls for email access, including least privilege and review of delegated mailbox permissions.
  • Establish incident response procedures for quickly preserving mailbox audit logs, forwarding configurations, and authentication history.
  • Use security awareness, administrative review, and periodic control testing to confirm that legitimate forwarding workflows are documented and unauthorized changes are detectable.

Analyst notes and limits

DET0476 is an ATT&CK detection strategy object for Email Collection via Local Email Access and Auto-Forwarding Behavior. The supplied object has no official MITRE description or detection text, so this take is derived from the object name, external reference, and the relationship indicating that it detects T1114 Email Collection. The related technique context supports focus on sensitive email content, incident response communications, collection tactics, and the listed platforms.

The detection strategy itself does not specify platforms, tactics, data sources, analytics, or official detection logic. Local architecture determines what telemetry is available, especially across hosted office suites, endpoint mail clients, and mail server configurations. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Email Collection via Local Email Access and Auto-Forwarding Behavior

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1114 | Email Collection | This object detects Email Collection.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ec157a78ca2098d5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ec157a78ca20…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0476

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.