T1114
T1114, commonly described as Email Collection, is a technique in the MITRE ATT&CK framework. It involves gathering email messages and attachments from compromised systems, often with the goal of exfiltrating sensitive information found in inboxes, sent items, or attachments. Adversaries may target local email clients or mail stores and may use standard email protocols or legitimate software to minimize suspicion.
Operationally, attackers can access email data stored by clients such as Microsoft Outlook or Mozilla Thunderbird,
Impact and context: Email collection can facilitate espionage, fraud, or larger data exfiltration campaigns by harvesting
Mitigation and defense: enforce strict access controls and least privilege for email data, monitor for unusual
Detection: look for large or unexpected mailbox exports, new or altered forwarding rules, scripts or tools accessing
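The forwarding-rule and mailbox-export checks named under Detection can be sketched as a small log filter; this is an added example, not code from the original page or from MITRE. The JSON-lines event schema, the `corp.example` domain, the export allowlist and all sample records are assumptions constructed for illustration; the operation and parameter names follow Exchange cmdlets.

```python
import json

# Constructed sample events in a simplified, hypothetical JSON-lines schema.
# Operation and parameter names follow Exchange cmdlets; the layout is assumed.
SAMPLE_EVENTS = """\
{"user":"alice@corp.example","operation":"New-InboxRule","params":{"ForwardTo":"drop@mail.invalid"}}
{"user":"bob@corp.example","operation":"New-InboxRule","params":{"ForwardTo":"carol@corp.example"}}
{"user":"alice@corp.example","operation":"Set-Mailbox","params":{"ForwardingSmtpAddress":"smtp:drop@mail.invalid"}}
{"user":"svc-backup@corp.example","operation":"New-MailboxExportRequest","params":{"Mailbox":"ceo@corp.example"}}
{"user":"ediscovery@corp.example","operation":"New-MailboxExportRequest","params":{"Mailbox":"bob@corp.example"}}
{"user":"dave@corp.example","operation":"New-InboxRule","par
"""

INTERNAL_DOMAINS = {"corp.example"}              # assumption: the organisation's domains
EXPORT_ALLOWLIST = {"ediscovery@corp.example"}   # assumption: accounts expected to export
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress")


def external_targets(params):
    """Return forwarding destinations whose domain is not an internal one."""
    found = []
    for key in FORWARD_KEYS:
        for addr in str(params.get(key, "")).split(";"):
            addr = addr.strip().lower().replace("smtp:", "")
            if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def detect(log_text):
    """Return (alerts, skipped): alert tuples plus the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            ev = json.loads(line)
            user, op, params = ev["user"], ev["operation"], ev.get("params", {})
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1          # truncated or malformed record: count it, do not crash
            continue
        if op in RULE_OPS:
            for target in external_targets(params):
                alerts.append(("external_forward", user, target))
        elif op == "New-MailboxExportRequest" and user.lower() not in EXPORT_ALLOWLIST:
            alerts.append(("unexpected_export", user, params.get("Mailbox", "?")))
    return alerts, skipped


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)[0]:
        print(alert)
```

The skipped-line count is worth alerting on in its own right, since gaps in audit data hide exactly the events this filter looks for.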