Adversaries may target user email to collect sensitive information from a target.Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific key words.(Citation: Black Hills MailSniper, 2017)
Adversaries may also abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: TIMMCMIC, 2014)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
Note: Outlook is required, but no email account necessary to produce artifacts.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_path | File path for Get-Inbox.ps1 | String | PathToAtomicsFolder\T1114\src |
| output_file | Output file path | String | $env:TEMP\mail.csv |
powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file}Remove-Item #{output_file} -Force -ErrorAction Ignoreif (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1"