- ID: PR015
- Created: 31st May 2024
- Updated: 17th August 2025
- Contributor: The ITM Team
Email Collection
A subject may target user email to collect sensitive information.
Subsections
ID | Name | Description |
---|---|---|
PR015.004 | Bulk Email Collection | A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information. |
PR015.003 | Email Forwarding Rule | The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another. |
PR015.001 | Local Email Collection | A subject retrieves email files from the local disk of an endpoint they have access to. When an email client application (such as Outlook) is used, an offline copy of the emails received by the client is typically stored locally on disk, giving a subject the opportunity to retrieve them without interacting with an email server. |
PR015.002 | Remote Email Collection | A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services. |
Detection
ID | Name | Description |
---|---|---|
DT140 | Microsoft Defender, Creation of Forwarding/Redirect Rule | This detection is a default alert policy that should be enabled automatically in all tenants.<br>To view this alert policy, access the Microsoft Defender portal at https://security.microsoft.com and go to Email & collaboration > Policies & rules > Alert policy. Or, to go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.<br>This rule will generate an alert when a forwarding/redirect rule is created within Exchange or OWA. |
DT141 | Microsoft Defender, Granted Mailbox Permission | This detection monitors the granting of mailbox read permissions, an operation that enables a user account to access another user's or a shared mailbox. By alerting on this permission change in Microsoft Defender, investigators gain early visibility into potential misuse of mailbox data and can trace both the granting account and the recipient of the access.<br>In the Microsoft Defender portal at https://security.microsoft.com, navigate to Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.<br>Click "+ New Alert Policy" in the top-left corner. Assign a clear name to the alert policy and select an appropriate Severity and Category. On the next page, under "Activity is", search for and select<br>When reviewing an alert generated by this rule, select an activity row in the Activity list table to display related information. A panel will open on the right-hand side of the alert page, under "Activity details", showing the Item (target mailbox friendly name), User (email address of the account that made the change), IP address, and timestamp. To identify the account that was granted read access to the mailbox, review the Parameters JSON output and retrieve the "Value" (object ID) located next to |
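Both Defender detections above key on Exchange admin audit events. As an added example (not part of the ITM entry and not Microsoft tooling), this Python snippet triages constructed unified-audit-log records in that shape: it flags forwarding/redirect rule changes (DT140), rating external destinations higher, and mailbox permission grants (DT141), pulling the grantee out of the Parameters list the way the DT141 text describes. The tenant domain list and the sample records are assumptions.

```python
"""Triage constructed Microsoft 365 unified audit log records for the two
detections in this entry: forwarding/redirect rules (DT140) and mailbox
permission grants (DT141). Records below are constructed samples."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
PERMISSION_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission"}

def _params(record):
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _is_external(address):
    """True when a 'smtp:user@domain' (or bare) address leaves the tenant."""
    addr = address.split(":", 1)[-1].strip().lower()
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def triage(record):
    """Return a finding for one audit record, or None if it is not of interest."""
    op = record.get("Operation", "")
    params = _params(record)
    base = {"time": record.get("CreationTime"), "actor": record.get("UserId"),
            "target": record.get("ObjectId"), "ip": record.get("ClientIP")}
    if op in RULE_OPS:
        dests = [v for k, v in params.items() if k in FORWARD_PARAMS and v]
        if dests:  # only changes that actually forward or redirect mail
            external = any(_is_external(d) for d in dests)
            return {**base, "detection": "DT140", "operation": op,
                    "destinations": dests, "severity": "high" if external else "medium"}
    if op in PERMISSION_OPS:
        rights = str(params.get("AccessRights", ""))
        return {**base, "detection": "DT141", "operation": op,
                "grantee": params.get("User"), "rights": rights,
                "severity": "high" if "FullAccess" in rights else "medium"}
    return None

def triage_log(lines):
    """Parse one JSON record per line (blank lines skipped); return findings in order."""
    return [f for f in (triage(json.loads(ln)) for ln in lines if ln.strip()) if f]

# Constructed sample log: an external forwarding rule, a FullAccess grant, and a benign change.
SAMPLE_LOG = """
{"CreationTime":"2024-06-03T09:12:00","Operation":"New-InboxRule","UserId":"alice@example.com","ObjectId":"alice@example.com","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"Forward invoices"},{"Name":"ForwardTo","Value":"smtp:drop@mail.invalid"},{"Name":"SubjectContainsWords","Value":"invoice"}]}
{"CreationTime":"2024-06-03T09:15:00","Operation":"Add-MailboxPermission","UserId":"admin@example.com","ObjectId":"finance-shared","ClientIP":"203.0.113.5","Parameters":[{"Name":"Identity","Value":"finance-shared"},{"Name":"User","Value":"alice@example.com"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2024-06-03T09:20:00","Operation":"Set-Mailbox","UserId":"bob@example.com","ObjectId":"bob@example.com","ClientIP":"198.51.100.9","Parameters":[{"Name":"Identity","Value":"bob@example.com"},{"Name":"AuditEnabled","Value":"True"}]}
"""
```

Running `triage_log(SAMPLE_LOG.splitlines())` yields one DT140 finding (high, external destination) and one DT141 finding naming the grantee; the benign Set-Mailbox record produces nothing.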