T1114 — Email Collection

Technique

T1114

Tactics

Collection

MISP citations

0

KEV CVEs mapped

3

Community rules

4

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1114

MITRE description

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-42009
• CVE-2024-27443
• CVE-2020-0688

Detection coverage

SigmaHQ community rules

• PST Export Alert Using New-ComplianceSearchAction (core)
• PST Export Alert Using eDiscovery Alert (core)
• Hacktool Ruler (core)
• Exchange PowerShell Snap-Ins Usage (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.