Esc
Email Collection - T1114
(ATT&CK® Technique)
Definition
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1114["Email Collection"] --> |accesses| Resource["Resource"]; class T1114 OffensiveTechniqueNode;
class Resource ArtifactNode; click Resource href "/dao/artifact/d3f:Resource";
click T1114 href "/offensive-technique/attack/T1114/"; click Resource href "/dao/artifact/d3f:Resource"; T1114["Email Collection"] --> |modifies| ApplicationConfiguration["Application Configuration"]; class T1114 OffensiveTechniqueNode;
class ApplicationConfiguration ArtifactNode; click ApplicationConfiguration href "/dao/artifact/d3f:ApplicationConfiguration";
click T1114 href "/offensive-technique/attack/T1114/"; click ApplicationConfiguration href "/dao/artifact/d3f:ApplicationConfiguration"; T1114["Email Collection"] --> |reads| Email["Email"]; class T1114 OffensiveTechniqueNode;
class Email ArtifactNode; click Email href "/dao/artifact/d3f:Email";
click T1114 href "/offensive-technique/attack/T1114/"; click Email href "/dao/artifact/d3f:Email"; T1114["Email Collection"] --> |accesses| MailServer["Mail Server"]; class T1114 OffensiveTechniqueNode;
class MailServer ArtifactNode; click MailServer href "/dao/artifact/d3f:MailServer";
click T1114 href "/offensive-technique/attack/T1114/"; click MailServer href "/dao/artifact/d3f:MailServer"; DecoyFile["Decoy File"] -->
| spoofs | Email["Email"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1114["Email Collection"] ;
class DecoyFile DefensiveTechniqueNode;
class Email ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | Email["Email"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1114["Email Collection"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | Email["Email"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1114["Email Collection"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; SenderReputationAnalysis["Sender Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderReputationAnalysis["Sender Reputation Analysis"] -.->
| may-detect | T1114["Email Collection"] ;
class SenderReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderReputationAnalysis href "/technique/d3f:SenderReputationAnalysis"; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -.->
| may-detect | T1114["Email Collection"] ;
class SenderMTAReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderMTAReputationAnalysis href "/technique/d3f:SenderMTAReputationAnalysis"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | Email["Email"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1114["Email Collection"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class Email ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; FileEviction["File Eviction"] -->
| deletes | Email["Email"];
FileEviction["File Eviction"] -.->
| may-evict | T1114["Email Collection"] ;
class FileEviction DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | Email["Email"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1114["Email Collection"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class Email ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEncryption["File Encryption"] -->
| encrypts | Email["Email"];
FileEncryption["File Encryption"] -.->
| may-harden | T1114["Email Collection"] ;
class FileEncryption DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ApplicationConfigurationHardening["Application Configuration Hardening"] -->
| hardens | ApplicationConfiguration["Application Configuration"];
ApplicationConfigurationHardening["Application Configuration Hardening"] -.->
| may-harden | T1114["Email Collection"] ;
class ApplicationConfigurationHardening DefensiveTechniqueNode;
class ApplicationConfiguration ArtifactNode;
click ApplicationConfigurationHardening href "/technique/d3f:ApplicationConfigurationHardening"; LocalFilePermissions["Local File Permissions"] -->
| restricts | Email["Email"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1114["Email Collection"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class Email ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | Email["Email"];
RestoreFile["Restore File"] -.->
| may-restore | T1114["Email Collection"] ;
class RestoreFile DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
| restores | ApplicationConfiguration["Application Configuration"];
RestoreConfiguration["Restore Configuration"] -.->
| may-restore | T1114["Email Collection"] ;
class RestoreConfiguration DefensiveTechniqueNode;
class ApplicationConfiguration ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreNetworkAccess["Restore Network Access"] -->
| restores | MailServer["Mail Server"];
RestoreNetworkAccess["Restore Network Access"] -.->
| may-restore | T1114["Email Collection"] ;
class RestoreNetworkAccess DefensiveTechniqueNode;
class MailServer ArtifactNode;
click RestoreNetworkAccess href "/technique/d3f:RestoreNetworkAccess"; FileAnalysis["File Analysis"] -->
| analyzes | Email["Email"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1114["Email Collection"] ;
class FileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; EndpointHealthBeacon["Endpoint Health Beacon"] -->
| monitors | MailServer["Mail Server"];
EndpointHealthBeacon["Endpoint Health Beacon"] -.->
| may-detect | T1114["Email Collection"] ;
class EndpointHealthBeacon DefensiveTechniqueNode;
class MailServer ArtifactNode;
click EndpointHealthBeacon href "/technique/d3f:EndpointHealthBeacon"; EmailRemoval["Email Removal"] -->
| may-access | MailServer["Mail Server"];
EmailRemoval["Email Removal"] -.->
| may-evict | T1114["Email Collection"] ;
class EmailRemoval DefensiveTechniqueNode;
class MailServer ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; EmailRemoval["Email Removal"] -->
| deletes | Email["Email"];
class EmailRemoval DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; EmailFiltering["Email Filtering"] -->
| filters | Email["Email"];
EmailFiltering["Email Filtering"] -.->
| may-isolate | T1114["Email Collection"] ;
class EmailFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailFiltering href "/technique/d3f:EmailFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | Email["Email"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1114["Email Collection"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class Email ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RestoreEmail["Restore Email"] -->
| restores | Email["Email"];
RestoreEmail["Restore Email"] -.->
| may-restore | T1114["Email Collection"] ;
class RestoreEmail DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreEmail href "/technique/d3f:RestoreEmail";