Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients.

Sections

ID	Name	Description
IF010	Exfiltration via Email	A subject uses electronic mail to exfiltrate data.
PR022	Social Engineering (Outbound)	A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization.
MT020	Ideology	A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals. Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making. Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.
IF010.001	Exfiltration via Corporate Email	A subject exfiltrates information using their corporate-issued mailbox, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.
IF010.002	Exfiltration via Personal Email	A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.
PR015.003	Email Forwarding Rule	The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another.
MT012.002	Non-Violent Threats and Intimidation	The subject acts under coercion stemming from threats that target reputation, professional standing, financial stability, or exposure of personal secrets. These threats may be digitally delivered. While these actions stop short of threatening physical harm, they can exert intense psychological pressure, particularly when the subject believes their career, relationships, or public image are at imminent risk. This type of coercion may originate from: Former colleagues, romantic partners, or adversarial insiders with access to sensitive personal or professional material. Political actors, who have a political agenda against the subject's work place. External criminal actors (or hacktivist groups) who have compromised a personal account or acquired compromising data (e.g., via credential leaks or private messages). Unlike ideological motivation or personal gain, this behavior is driven by fear of exposure or ruin, not alignment with the threat actor’s objectives. Subjects may act reluctantly, leave minimal technical traces of coordination, and revert to baseline behavior once the coercive force is removed.
MT012.001	Social Engineering (Inbound)	A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization.
IF011.001	Intentionally Weakening Network Security Controls For a Third Party	The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.
AF027.001	Email Deletion	The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment.