Insider Threat Matrix™

  • ID: PR015.002
  • Created: 31st May 2024
  • Updated: 19th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Remote Email Collection

A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services.

Detection

DT062: Microsoft 365 Admin Center Sign-in Activity

From the Microsoft 365 Admin Center homepage (https://admin.microsoft.com/#/homepage), after a specific user account has been selected under ‘Users’ > ‘Active Users’, it is possible to view limited sign-in activity under ‘Last sign-in’ > ‘View last 30 days’.

This displays the Date, Status, and Failure reason (if appropriate).

DT063: Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.
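Neither portal view flags a suspicious sign-in on its own; the analyst has to compare each entry against what is normal for that user. As an added example (not part of the ITM entry), the Python below applies one such check over constructed records carrying the fields DT063 lists: successful sign-ins to a mailbox application from a location the user did not use during the baseline period, annotated with the number of failed attempts from the same IP that preceded the success. The application display names, the cutoff date and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: application names that indicate mailbox access in this tenant.
MAILBOX_APPS = {"Office 365 Exchange Online", "Outlook Web App"}

# Constructed sample sign-in records using the field names the Entra ID sign-in log exposes.
SAMPLE_SIGNINS = [
    {"Date": "2024-06-03T08:02:11Z", "User": "alice@example.com", "Application": "Office 365 Exchange Online",
     "Status": "Success", "IP Address": "203.0.113.10", "Location": "London, GB"},
    {"Date": "2024-06-10T09:15:40Z", "User": "alice@example.com", "Application": "Office 365 Exchange Online",
     "Status": "Success", "IP Address": "203.0.113.10", "Location": "London, GB"},
    {"Date": "2024-07-02T23:41:05Z", "User": "alice@example.com", "Application": "Office 365 Exchange Online",
     "Status": "Failure", "IP Address": "198.51.100.77", "Location": "Lagos, NG"},
    {"Date": "2024-07-02T23:43:19Z", "User": "alice@example.com", "Application": "Office 365 Exchange Online",
     "Status": "Success", "IP Address": "198.51.100.77", "Location": "Lagos, NG"},
    {"Date": "2024-07-03T10:00:00Z", "User": "bob@example.com", "Application": "Microsoft Teams",
     "Status": "Success", "IP Address": "192.0.2.5", "Location": "Berlin, DE"},
]


def parse_date(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_new_location_mailbox_signins(records, cutoff):
    """Return successful mailbox sign-ins at or after `cutoff` whose Location the
    user never signed in from before `cutoff` (the baseline window)."""
    baseline = defaultdict(set)  # user -> locations seen in successful baseline sign-ins
    for r in records:
        if parse_date(r["Date"]) < cutoff and r["Status"] == "Success":
            baseline[r["User"]].add(r["Location"])
    flagged = []
    for r in sorted(records, key=lambda rec: rec["Date"]):
        when = parse_date(r["Date"])
        if when < cutoff or r["Status"] != "Success" or r["Application"] not in MAILBOX_APPS:
            continue
        if r["Location"] in baseline[r["User"]]:
            continue
        # Failed attempts by the same user from the same IP before this success.
        prior_failures = sum(1 for f in records if f["User"] == r["User"] and f["IP Address"] == r["IP Address"]
                             and f["Status"] != "Success" and parse_date(f["Date"]) < when)
        flagged.append({**r, "PriorFailuresFromIP": prior_failures})
    return flagged


if __name__ == "__main__":
    for hit in flag_new_location_mailbox_signins(SAMPLE_SIGNINS, parse_date("2024-07-01T00:00:00Z")):
        print(f"{hit['Date']} {hit['User']} {hit['Application']} from {hit['IP Address']} "
              f"({hit['Location']}), prior failures from IP: {hit['PriorFailuresFromIP']}")
```

In practice the records would come from an export of the DT063 sign-in log rather than the inline list, and the baseline window should cover enough history to include the user's usual travel locations.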