MITRE ATT&CK® Technique

T1114.001: Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.[1] IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\<username>\Documents\Outlook Files` or `C:\Users\<username>\AppData\Local\Microsoft\Outlook`.[2]

Enterprise | T1114.001 | Sub-technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Local Email Collection matters because email caches on Windows endpoints can contain large volumes of sensitive business content even when the mailbox itself is protected in the cloud or on a mail server. Outlook .ost and .pst files may expose executive communications, legal or financial material, personal information, incident response discussions, and operational details if an adversary gains local access to a workstation.

Executive priority

Treat this as an endpoint data-exposure and incident-readiness issue, not only an email-security issue. Leaders should ask whether high-risk Windows users store Outlook data locally, whether sensitive data at rest is encrypted, whether SOC teams can see unusual access to Outlook data files, and whether incident teams have out-of-band communications available if email confidentiality is in question. The relationship history includes multiple espionage groups, campaigns, and malware families using this behavior, which supports prioritizing it for sensitive roles and regulated data environments.

Technical view

This is a Windows collection sub-technique under Email Collection. Defensive validation should focus on access to Outlook local data files, especially .ost and .pst files typically located under C:\Users\<username>\Documents\Outlook Files and C:\Users\<username>\AppData\Local\Microsoft\Outlook. Because MITRE does not provide an official detection paragraph for this object, teams should use the related detection strategy, DET0047, as direction: detect Outlook data file access and command-line tooling patterns around those files. IR playbooks should treat suspicious access to local mail stores as potential collection of sensitive content, especially on executive, finance, legal, administrator, and incident response workstations.

Likely telemetry

  • Endpoint file access telemetry for .ost and .pst files in common Outlook storage paths
  • Process creation and command-line telemetry involving file discovery, copying, compression, staging, or access to Outlook data files
  • Endpoint detection and response alerts or file activity events on Windows user profile directories
  • Windows host inventory showing where Outlook cached mode or local Outlook data files are present
  • Data-at-rest encryption status for Windows endpoints and sensitive user profiles

Detection direction

  • Validate that file access monitoring covers common Outlook .ost and .pst locations under user profiles, not only mail-server or cloud-mail audit logs.
  • Tune for unusual processes, scripts, remote access tools, or command-line utilities accessing Outlook data files, while accounting for legitimate Outlook, backup, indexing, eDiscovery, or migration activity.
  • Prioritize detections on high-value users and systems where local mail content would materially affect legal, financial, executive, operational, or incident response confidentiality.
  • Use the related DET0047 context to test visibility for Outlook data file access plus command-line tooling, but do not assume coverage exists without endpoint telemetry validation.
  • Correlate local email data access with broader collection, staging, or exfiltration indicators during investigations.
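The detection direction above, as an added example that is not Glexia's or MITRE's own code: a Python rule run over constructed endpoint file-access records that flags any process outside an assumed allowlist (Outlook, the Windows search indexer) opening .ost/.pst files in the two Outlook storage locations, and raises severity when the account is on an assumed high-value list.

```python
from dataclasses import dataclass
# Outlook data file locations named in the ATT&CK description, lower-cased for matching.
OUTLOOK_DIRS = ("\\documents\\outlook files\\", "\\appdata\\local\\microsoft\\outlook\\")
OUTLOOK_EXTS = (".ost", ".pst")
# Assumed allowlist of images expected to open these files; extend for your backup/eDiscovery agents.
EXPECTED_IMAGES = {"outlook.exe", "searchindexer.exe"}
# Assumed high-value accounts (executive, legal, IR) whose mail stores warrant higher severity.
HIGH_VALUE_USERS = {"corp\\cfo", "corp\\ir-lead"}

@dataclass
class FileEvent:
    ts: str
    user: str
    image: str  # full path of the accessing process
    path: str   # file that was opened

def parse_line(line: str) -> FileEvent:
    """Parse one constructed pipe-delimited file-access record: ts|user|image|path."""
    ts, user, image, path = (f.strip() for f in line.split("|", 3))
    return FileEvent(ts, user, image, path)

def is_outlook_data_file(path: str) -> bool:
    """True for .ost/.pst files under either Outlook storage location (case-insensitive)."""
    p = path.lower()
    return p.endswith(OUTLOOK_EXTS) and any(d in p for d in OUTLOOK_DIRS)

def evaluate(events):
    """Return (severity, event) pairs for unexpected images touching Outlook data files."""
    alerts = []
    for e in events:
        if not is_outlook_data_file(e.path):
            continue
        if e.image.lower().rsplit("\\", 1)[-1] in EXPECTED_IMAGES:
            continue  # Outlook itself and the indexer are expected to hold these files open
        severity = "high" if e.user.lower() in HIGH_VALUE_USERS else "medium"
        alerts.append((severity, e))
    return alerts

# Constructed sample telemetry, not real logs: two expected readers, two unexpected ones, one unrelated file.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Outlook\\jdoe@corp.example.ost
2024-05-01T09:15:44Z|CORP\\jdoe|C:\\Windows\\System32\\SearchIndexer.exe|C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Outlook\\jdoe@corp.example.ost
2024-05-01T09:20:10Z|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Users\\jdoe\\Documents\\Outlook Files\\archive.pst
2024-05-01T09:21:02Z|CORP\\cfo|C:\\Windows\\System32\\cmd.exe|C:\\Users\\cfo\\AppData\\Local\\Microsoft\\Outlook\\cfo@corp.example.ost
2024-05-01T09:22:30Z|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Users\\jdoe\\Documents\\notes.txt
"""

def run_sample():
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return evaluate(events)
```

Running `run_sample()` on the constructed records yields one medium alert (powershell.exe reading archive.pst) and one high alert (cmd.exe reading the CFO's .ost); the Outlook and indexer reads and the unrelated text file produce nothing.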

Mitigation priorities

  • Reduce the business need for sensitive email to persist locally where feasible, especially for high-risk roles.
  • Apply encryption for sensitive information at rest as represented by M1041, including Windows endpoint storage protections where appropriate.
  • Maintain secure out-of-band communications channels as represented by M1060 so incident response does not depend solely on potentially exposed email.
  • Review endpoint hardening, access controls, and monitoring for user profile directories containing Outlook data files.
  • Include local Outlook data stores in tabletop exercises, evidence collection plans, and compliance discussions involving sensitive data handling.

Analyst notes and limits

This object is a sub-technique of T1114 Email Collection and is limited to Windows in the supplied ATT&CK fields. The relationships show use by multiple groups, a campaign, and software including Carbanak, CosmicDuke, Crimson, Pupy, Smoke Loader, Empire, Emotet, KGH_SPY, Out1, QakBot, and LunarMail; this supports broad defensive relevance but does not prove current activity in any specific environment.

MITRE provides no official detection text for this technique in the supplied fields. Detection guidance here is derived from the object description, file paths, platforms, tactics, the DET0047 relationship name, and mitigation relationships. Local validation is required to determine whether Outlook data files exist, whether telemetry captures access to them, and whether observed access is legitimate.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name              Relationship / procedure
Enterprise  T1114   Email Collection  This object is a sub-technique of Email Collection.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0090: WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]

Group (Enterprise)

G1039: RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Group (Enterprise)

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

Group (Enterprise)

G0006: APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]

Group (Enterprise)

G0114: Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

Group (Enterprise)

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group (Enterprise)

G1054: MirrorFace

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]

Group (Enterprise)

G1035: Winter Vivern

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[1][2][3][4][5]

Malware (Enterprise)

S0226: Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

Platforms: Windows

Malware (Enterprise)

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows

Tool (Enterprise)

S0192: Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]

Platforms: Linux, Windows, macOS

Malware (Enterprise)

S0030: Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]

Platforms: Windows

Tool (Enterprise)

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

Platforms: Linux, macOS, Windows

Malware (Enterprise)

S0526: KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[1]

Platforms: Windows

Malware (Enterprise)

S0367: Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

Platforms: Windows

Campaign (Enterprise)

C0002: Night Dragon

Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 8f415f6ccdd953f5...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  8f415f6ccdd9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.
  2. Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.
  3. MITRE ATT&CK. T1114.001: Local Email Collection (entry on attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.