Email collection refers to an attacker obtaining sensitive information from a target mailbox by interception, crawling, forwarding or similar means; it is typically a preparatory step for intelligence gathering and social-engineering attacks. Traditional detection relies mainly on analysing anomalous login behaviour, monitoring changes to mail-forwarding rules and detecting bulk data-export operations, for example by auditing mailbox auto-forwarding logs, analysing IMAP command patterns and monitoring anomalous access to PST files.
To evade these traditional detection mechanisms, attackers have developed multi-layered concealment techniques that blend mail collection into normal business traffic by disguising protocol characteristics, abusing encrypted channels and restructuring collection into distributed architectures. These techniques defeat the logic of single-point detection by achieving protocol compliance, behavioural dispersion and data concealment at the same time, forming persistent exfiltration channels that are difficult to trace.
The core of current email-collection concealment techniques lies in deep imitation of legitimate interaction patterns and systematic disguise of the data-leakage path. Encrypted-channel interception uses the intrinsic security of TLS as cover, performing covert data extraction inside the encrypted session; protocol simulation reproduces mail-client behaviour at the binary level so that malicious traffic acquires a legitimate protocol fingerprint; distributed crawling breaks centralised collection into fragmented requests from nodes around the world, exploiting dispersion in time and space to bypass threshold-based detection; abuse of auto-forwarding rules parasitises the mail platform's own infrastructure so that the outflow of data carries the platform's endorsement. What these techniques have in common is that they cross the boundaries of the traditional attack surface and, through three strategies (protocol compliance, behavioural normalisation and operational automation), build a complete concealment chain of "detection evasion, data acquisition, covert exfiltration".
The evolution of these concealment techniques poses a serious challenge to traditional defences built on rule matching or single-dimension anomaly detection. Defenders need full-chain analysis of the mail flow, combined with UEBA to identify fine-grained behavioural anomalies, zero-trust controls on API access, and data-lineage tracking for mail data, in order to respond effectively to these new covert-collection threats.
| Effect type | Present? |
|---|---|
| Signature disguise | ✅ |
| Behavioural transparency | ❌ |
| Data masking | ✅ |
| Trace dispersion in time and space | ✅ |
Attackers precisely imitate the protocol-interaction characteristics of legitimate mail clients (including TLS handshake parameters, IMAP command sequences and keep-alive intervals) so that malicious collection traffic cannot be distinguished from normal business traffic at the protocol-fingerprint level. At the same time they use native mail-system features (such as auto-forwarding rules) for exfiltration, so that the operational traces conform to the platform's normal business workflow and the attack is deeply disguised.
In encrypted-channel interception, the attacker preserves the appearance of end-to-end TLS encryption while actually obtaining plaintext through a man-in-the-middle attack or memory injection. Because the process does not break the integrity of the encrypted channel, defenders cannot discover the leak by decrypting traffic; in addition, the exfiltrated data is wrapped a second time in an encrypted channel (such as PGP mail), masking the content twice over.
Distributed crawling decomposes a single large collection task into long-term, low-frequency fragmented requests from nodes around the world, so that each node's access frequency and data types stay below detection thresholds. Rotation through dynamic IP pools and scheduling of requests across time zones dilutes the collection signature within the mail server's normal business traffic and defeats the defender's spatiotemporal correlation analysis.
| ID | Name | Description |
|---|---|---|
| G1003 | Ember Bear | Ember Bear attempts to collect mail from accessed systems and servers.[1][2] |
| S0367 | Emotet | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[3][4][5] |
| G0059 | Magic Hound | Magic Hound has compromised email credentials in order to steal sensitive data.[6] |
| G1015 | Scattered Spider | Scattered Spider threat actors search the victim's Microsoft Exchange for emails about the intrusion and incident response.[7] |
| G0122 | Silent Librarian | Silent Librarian has exfiltrated entire mailboxes from compromised accounts.[8] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis. In an Exchange environment, administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.[9] |
| M1041 | Encrypt Sensitive Information | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| M1032 | Multi-factor Authentication | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| M1060 | Out-of-Band Communications Channel | Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests. For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email to prevent adversaries from collecting data through compromised email accounts.[10] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include |
| DS0017 | Command | Command Execution | Monitor executed processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. On Windows systems, monitor for creation of suspicious inbox rules through the use of the |
| DS0022 | File | File Access | Monitor for unusual processes accessing local system email files for exfiltration, unusual processes connecting to an email server within a network, and unusual access patterns or authentication attempts on a public-facing webmail server; all may be indicators of malicious activity. |
| DS0028 | Logon Session | Logon Session Creation | Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (e.g. an Exchange administrator account). |
| DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |