216.73.216.233

T1114.001: T1114.001

View on MITRE ATT&CK The MITRE Corporation · Published 19/02/2020 19:46 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID
T1114.001
Confidence
100/100
Revoked
No
Published
19/02/2020 19:46
Modified
27/03/2026 01:08
Author / Source
The MITRE Corporation

Aliases

Local Email Collection

Platforms

windows

Description

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\<username>\Documents\Outlook Files` or `C:\Users\<username>\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)

Kill chain phases

Kill chainPhase
mitre-attack collection

Marking (TLP)

TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.