praetorian-inc/purple-team-attack-automation

T1114W - Email Collection

daniel-infosec opened this issue · 0 comments

Description

Adversaries may target user email to collect sensitive information from a target.

Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.

Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.

Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.

References

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/Get-Inbox.ps1

https://www.rapid7.com/db/modules/post/windows/gather/enum_files

https://support.office.com/en-ie/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790

Plan

Also need a way to interact via EWS via passing credentials or current token from session?
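A detection-side companion to the description above, added here as an example and not part of the original issue or the project's code: it flags processes other than the expected mail client that access `.pst` or `.ost` files. It assumes file-system object-access auditing is enabled on mail store files so that Windows Security event 4663 is logged; the allowlisted image paths and all sample records are constructed assumptions.

```python
import ntpath

# Outlook data file extensions named in the description above.
MAIL_STORE_EXTENSIONS = {".pst", ".ost"}

# Assumption: full image paths expected to open mail stores on this fleet.
# Matching the full path (not just the file name) also catches a binary
# named outlook.exe that runs from an unexpected directory.
EXPECTED_IMAGES = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\windows\system32\searchindexer.exe",
}

# Constructed sample records (not real telemetry), using field names from
# Windows Security event 4663 (an attempt was made to access an object).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ObjectName": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@example.com.ost"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"C:\Users\alice\Documents\Outlook Files\archive.pst"},
    {"EventID": 4663, "SubjectUserName": "bob",
     "ProcessName": r"C:\Users\bob\AppData\Local\Temp\outlook.exe",
     "ObjectName": r"C:\Users\bob\AppData\Local\Microsoft\Outlook\bob@example.com.ost"},
    {"EventID": 4663, "SubjectUserName": "bob",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\bob\Documents\notes.txt"},
    {"EventID": 4624, "SubjectUserName": "bob"},  # logon event, no object fields
]

def is_mail_store(path):
    """True if the Windows path ends in an Outlook data file extension."""
    return ntpath.splitext(path)[1].lower() in MAIL_STORE_EXTENSIONS

def find_unexpected_mail_store_access(events, expected_images=EXPECTED_IMAGES):
    """Return (user, image, object) for 4663 events on mail stores by unlisted images."""
    findings = []
    for event in events:
        if event.get("EventID") != 4663:
            continue
        obj = event.get("ObjectName", "")
        image = event.get("ProcessName", "")
        if not is_mail_store(obj) or image.lower() in expected_images:
            continue
        findings.append((event.get("SubjectUserName", "?"), image, obj))
    return findings

if __name__ == "__main__":
    for user, image, obj in find_unexpected_mail_store_access(SAMPLE_EVENTS):
        print(f"{user}: {image} accessed {obj}")
```

The allowlist needs tuning per environment, since backup agents and endpoint protection products also open mail store files.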