T1114: T1114

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:31 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1114
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:31
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Email Collection

Platforms

windows macos linux Office Suite

Description

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

CISA AA20-352A 2021
mitre-attack (T1114)
TrustedSec OOB Communications
Microsoft Tim McMichael Exchange Mail Forwarding 2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FakeTicketer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkGate uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Suspected China-based threat actor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mealybug uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShroudedSnooper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0020 (Vermin) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Runningcrab uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BrazenBamboo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 59

BCB uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Zagrebator.RAT uses

Family
Cyclops Blink - S0687 uses

Family
Infamouse Chisel uses
CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rhadamanthys uses

Family
YTStealer uses

Family
AgentTesla uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RagnarLocker uses

Family
RemKos RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ntospy uses
PixyNetLoader uses

Family

← Previous

Page / 6

1–12 of 71

Kazuar: Anatomy of a nation-state botnet related

AlienVault Confidence 100 24 MITREs 2 Malwares 4 IOCs 4 Observables 1 APT
Device Code Phishing is an Evolution in Identity … related

AlienVault Confidence 100 19 MITREs 6 Malwares 35 IOCs 35 Observables 1 APT
Technical Advisory: Breach of Instructure Canvas LMS related

20 MITREs 2 Observables 1 APT
“Say My Name”: How MioLab is building MacOS … related

20 MITREs 2 Malwares 10 Observables 1 APT
Tall Tales: How Chinese Actors Use Impersonation and … related

AlienVault Confidence 100 21 MITREs 2 Malwares 132 IOCs 132 Observables
The AI Frame Campaign Continues related

20 MITREs 1 Observable
March 2026 Phishing Email Trends Report related

19 MITREs 2 Malwares
Abusing OAuth Device Code Flow related

AlienVault Confidence 100 19 MITREs 3 IOCs 3 Observables
Direct-Sys Loader and CGrabber Stealer Five-Stage Malware Chain related

19 MITREs 2 Malwares 91 Observables
59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs … related

20 MITREs 2 Malwares 12 Observables 1 APT
Payroll pirate attacks targeting Canadian employees related

AlienVault Confidence 100 1 CVE 18 MITREs 2 IOCs 2 Observables 1 APT
New widespread EvilTokens kit: device code phishing as-a-service related

10 MITREs

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (48)

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2021-26084 KEV targets

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-27152 targets

5.3 Medium

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative …

Attack vector: NETWORK
Published: 07/03/2025
Modified: 10/04/2026

Awaiting Analysis

CVE-2021-22909

targets

CVE-2021-45046 KEV targets

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …

Published: 01/05/2023
Modified: 20/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2024-21111 targets

7.8 High

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily …

Attack vector: LOCAL
Published: 17/04/2024
Modified: 21/12/2025

CVE-2023-5631

targets

CVE-2021-42278 KEV targets

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published: 11/04/2022
Modified: 20/12/2025

CVE-2024-42009 KEV targets

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

← Previous

Page / 4

13–24 of 48

Multi-factor Authentication mitigates
Out-of-Band Communications Channel mitigates
Encrypt Sensitive Information mitigates

Contact About Legal notice Privacy policy Terms of use

T1114: T1114

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (59)

Malware (71)

Reports (50)

Vulnerabilities (CVE) (48)

Course Of Action (3)