Detections
- ID: DT041
- Created: 01st June 2024
- Updated: 01st June 2024
- Contributor: The ITM Team
Email Gateway
Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients.
Sections
| ID | Name | Description |
|---|---|---|
| IF010 | Exfiltration via Email | A subject uses electronic mail to exfiltrate data. This can be achieved through including data in the email subject line or body, or utilizing email attachments to send files. |
| PR022 | Social Engineering (Outbound) | A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization. |
| MT020 | Ideology | A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.
Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.
Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves. |
| IF010.001 | Exfiltration via Corporate Email | A subject exfiltrates information using their corporate-issued mailbox, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system. |
| IF010.002 | Exfiltration via Personal Email | A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system. |
| PR015.003 | Email Forwarding Rule | The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another. |
| MT012.002 | Non-Violent Threats and Intimidation | The subject acts under coercion stemming from threats that target reputation, professional standing, financial stability, or exposure of personal secrets. These threats may be digitally delivered. While these actions stop short of threatening physical harm, they can exert intense psychological pressure, particularly when the subject believes their career, relationships, or public image are at imminent risk.
This type of coercion may originate from:
Unlike ideological motivation or personal gain, this behavior is driven by fear of exposure or ruin, not alignment with the threat actor’s objectives. Subjects may act reluctantly, leave minimal technical traces of coordination, and revert to baseline behavior once the coercive force is removed. |
| MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization. |
| IF011.001 | Intentionally Weakening Network Security Controls For a Third Party | The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls. |
| AF027.001 | Email Deletion | The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment. |
| PR025.005 | File Download via Email | The subject retrieves files from email systems, typically via attachments or embedded download links within corporate or personal email accounts. This includes access through thick clients (e.g., Outlook) or webmail interfaces.
Email-based file retrieval is a common and low-friction method for introducing external content into the environment. Attachments may originate from external senders, personal accounts, or previously staged communications. |
| PR020.004 | Masquerading Sensitive Data as Personal Files | A subject intentionally alters the filename, file extension, metadata tags, document properties, or visible descriptive attributes of sensitive organizational data to make it appear to be benign personal information. This may include disguising proprietary, regulated, technical, financial, customer, or strategic material as photographs, household records, recipes, receipts, travel documents, music files, temporary files, or other low-risk personal content.
This technique is typically performed before data staging, transfer, or exfiltration. It may reduce scrutiny during manual review, mislead investigators during triage, or weaken controls that rely on filename, extension, path, metadata, or user-applied classification fields. Investigators should assess this behavior in proximity to file access, bulk download, archive creation, removable media use, cloud upload, email transmission, or other indicators of planned data loss.
A common scenario occurs during offboarding, where a subject is permitted to remove or transfer legitimate personal files from a corporate device before returning the asset. The subject may exploit this authorized window by disguising sensitive organizational data as personal material, relying on the expectation that files labeled as photographs, tax records, household documents, or other personal content will receive less scrutiny. This behavior can create ambiguity for investigators because the initial transfer context may appear procedurally authorized, while the concealed content indicates preparation for later exfiltration or unauthorized retention.
Examples of Use
|