T1114: Email Collection

Email is often where sensitive business context lives: negotiations, personal information, trade secrets, credentials-adjacent content, and incident response discussions. T1114 matters because an adversary who can collect or forward email may gain intelligence that helps them understand the organization, monitor response activity, or continue collecting information even after initial access is addressed.

Executive priority

Treat email collection as a high-value data exposure and incident-management risk, not only a mailbox issue. Leaders should ask whether critical mail systems and local mail stores are covered by MFA, auditing, encryption, and out-of-band incident communications. The business decision point is whether the organization can prove who accessed mail, what forwarding or collection paths exist, and whether response teams can communicate safely if normal email is suspected compromised.

Technical view

ATT&CK lists this technique under Collection across Windows, macOS, Linux, and Office Suite environments, with sub-techniques for local email collection, remote email collection, and email forwarding rules. SOC and IR teams should validate coverage for local mail artifacts, mail server or cloud mailbox access, and creation or modification of forwarding rules. Relationship context identifies DET0476, Email Collection via Local Email Access and Auto-Forwarding Behavior, as a detection strategy, and mitigations including MFA, encryption of sensitive information, auditing, and out-of-band communications.

Likely telemetry

Mailbox access and authentication logs for Office Suite or mail server environments
Email forwarding rule creation, modification, and deletion events
Mailbox audit logs showing message access, search, export, or unusual access patterns where available
Endpoint file telemetry for local email stores or caches on Windows, macOS, and Linux where applicable
Administrative audit logs for mail configuration changes

Detection direction

Confirm that mailbox auditing and administrative auditing are enabled and retained long enough to support investigations.
Tune detections for unusual forwarding-rule behavior, especially rules that silently redirect, copy, or hide messages.
Correlate mailbox access with identity signals such as MFA status, new locations, new devices, or abnormal access timing where those logs are available.
Include local email collection paths in endpoint investigations, not only cloud mailbox access.
Account for false positives from legitimate delegates, compliance exports, mailbox migrations, journaling, and user-created forwarding rules.

Mitigation priorities

Prioritize MFA for critical email and administrative access, consistent with M1032.
Enable and regularly review audit logging for mailbox access, forwarding changes, and mail administration, consistent with M1047.
Protect sensitive email content and local mail data with appropriate encryption controls, consistent with M1041.
Establish secure out-of-band communications for incident response so adversaries monitoring email cannot observe response actions, consistent with M1060.
Review and govern forwarding rules, delegated access, and mail access paths as part of identity and access management control assurance.

Analyst notes and limits

The relationship set shows use of this technique by multiple groups and software entries, but this take does not infer current activity or exposure for any specific organization. The most decision-useful validation is whether the organization can detect both remote mailbox collection and persistent forwarding behavior, while also preserving IR communications outside normal email.

The official ATT&CK object does not provide a detection section. Detection and telemetry guidance here is derived from the technique description, platforms, sub-technique relationships, DET0476 relationship, and listed mitigations. Local mail architecture, logging configuration, retention, and identity controls are required to determine actual coverage.

Official MITRE ATT&CK definition

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.[1][2] Adversaries can collect or forward email from mail servers or clients.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 3 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1114.002	Remote Email Collection Sub-technique	Remote Email Collection subtechnique of this object.
Enterprise	T1114.003	Email Forwarding Rule Sub-technique	Email Forwarding Rule subtechnique of this object.
Enterprise	T1114.001	Local Email Collection Sub-technique	Local Email Collection subtechnique of this object.

Associated objects

Groups, software, and campaigns

G1003: Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]

G0122: Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[1][2][3]

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

S0367: Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

Windows

S1201: TRANSLATEXT

TRANSLATEXT is malware that is believed to be used by Kimsuky.[1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious Javascript files that perform defense evasion, information collection and exfiltration.[1]

Windows

Relationship explorer

All related ATT&CK context

uses · Group G1003: Ember Bear Enterprise mitigates · Mitigation M1032: Multi-factor Authentication Enterprise subtechnique of · Technique T1114.002: Remote Email Collection Enterprise uses · Group G0122: Silent Librarian Enterprise detects · Detection Strategy DET0476: Email Collection via Local Email Access and Auto-Forwarding Behavior Enterprise subtechnique of · Technique T1114.003: Email Forwarding Rule Enterprise uses · Malware S0367: Emotet Enterprise uses · Group G0059: Magic Hound Enterprise uses · Malware S1201: TRANSLATEXT Enterprise mitigates · Mitigation M1060: Out-of-Band Communications Channel Enterprise mitigates · Mitigation M1041: Encrypt Sensitive Information Enterprise mitigates · Mitigation M1047: Audit Enterprise subtechnique of · Technique T1114.001: Local Email Collection Enterprise uses · Group G1015: Scattered Spider Enterprise

Mitigations

Mitigation direction

M1032: Multi-factor Authentication

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

- *Something you know*: Passwords, PINs. - *Something you have*: Physical tokens, smartphone authenticator apps. - *Something you are*: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

- Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles. - Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations). - Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

- Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP). - Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security. - Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

- Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet. - Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

- Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems. - Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

- Educate employees on the importance of MFA and secure authenticator usage. - Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.

M1060: Out-of-Band Communications Channel

Establish secure out-of-band communication channels to ensure the continuity of critical communications during security incidents, data integrity attacks, or in-network communication failures. Out-of-band communication refers to using an alternative, separate communication path that is not dependent on the potentially compromised primary network infrastructure. This method can include secure messaging apps, encrypted phone lines, satellite communications, or dedicated emergency communication systems. Leveraging these alternative channels reduces the risk of adversaries intercepting, disrupting, or tampering with sensitive communications and helps coordinate an effective incident response.[1][2]

M1041: Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.6
Created: May 31, 2017, 21:31 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:48 UTC (UTC+00:00)
Raw hash: 02eca8059766d73d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.6	Oct 24, 2025, 17:48 UTC (UTC+00:00)	Current bundle	`02eca8059766…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
TrustedSec OOB Communications

Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.
Open source URL
[2]
CISA AA20-352A 2021

CISA. (2021, April 15). Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Retrieved August 30, 2024.
Open source URL
[3]
Microsoft Tim McMichael Exchange Mail Forwarding 2

McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.
Open source URL
[4]
mitre-attack T1114
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams