T1114: T1114

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:31 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1114
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:31
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Email Collection

Platforms

windows macos linux Office Suite

Description

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

CISA AA20-352A 2021
mitre-attack (T1114)
TrustedSec OOB Communications
Microsoft Tim McMichael Exchange Mail Forwarding 2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Conti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1747 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6040 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Venture Wolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SilverFox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ykg, Noxty, Outlier, Ness uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MioLab uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MRxC0DER uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

BCB uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Zagrebator.RAT uses

Family
Cyclops Blink - S0687 uses

Family
Infamouse Chisel uses
CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rhadamanthys uses

Family
YTStealer uses

Family
AgentTesla uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RagnarLocker uses

Family
RemKos RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ntospy uses
PixyNetLoader uses

Family

← Previous

Page / 6

1–12 of 71

Behind the console: An AiTM phishing kit harvesting … related

AlienVault Confidence 100 12 MITREs 4 IOCs 4 Observables
"Ghost" Code Phishing Analysis related

AlienVault Confidence 100 20 MITREs 1 Malware
Customer CRM Data Accessed in Supply Chain Incident related

AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables
Operation Poisson – Analyzing a Cybercriminal’s Entire Operation related

AlienVault Confidence 100 20 MITREs 2 Malwares 13 IOCs 6 Observables 1 APT
The Devil, Eight Million Emails, and a Whole … related

AlienVault Confidence 100 16 MITREs 14 IOCs 14 Observables
Travel Phishing and Cyber Attacks are Surging in … related

16 MITREs
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
World Cup 2026 Mobile Targeted Phishing: The Global … related

AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables
Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Threat Actors Target FIFA World Cup 2026 related

20 MITREs 39 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Politicians to Ditch Signal for Homegrown Apps related

10 MITREs 3 Malwares 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (48)

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2021-26084 KEV targets

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-27152 targets

5.3 Medium

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative …

Attack vector: NETWORK
Published: 07/03/2025
Modified: 10/04/2026

Awaiting Analysis

CVE-2021-22909

targets

CVE-2021-45046 KEV targets

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …

Published: 01/05/2023
Modified: 20/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2024-21111 targets

7.8 High

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily …

Attack vector: LOCAL
Published: 17/04/2024
Modified: 21/12/2025

CVE-2023-5631

targets

CVE-2021-42278 KEV targets

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published: 11/04/2022
Modified: 20/12/2025

CVE-2024-42009 KEV targets

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

← Previous

Page / 4

13–24 of 48

Multi-factor Authentication mitigates
Out-of-Band Communications Channel mitigates
Encrypt Sensitive Information mitigates

Contact About Legal notice Privacy policy Terms of use

T1114: T1114

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (59)

Malware (71)

Reports (50)

Vulnerabilities (CVE) (48)

Course Of Action (3)