We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Email Manipulation

Modify the flow of email in the environment.

Email Manipulation covers the various ways email flows in the environment can be affected. Email Manipulation can affect which mail appliances process mail flows, where mail is forwarded, or what mail is present in an inbox. A common use case for email manipulation is as a vector to introduce malware into the engagement environment.

Suspicious emails may be removed from a production mailbox and placed into an inbox in an engagement environment. Then, any suspicious attachments or links could be detonated from within the environment. As another example, emails collected over a long period of time from a legitimate inbox outside the environment may be moved into the environment to reassure the adversary of the environment’s legitimacy by creating a mailbox that more closely resembles a real, lived-in inbox.

Details
ID: EAC0009
Type: Engagement
Goals: Affect, Elicit
Approaches: Direction, Reassurance
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Email Manipulation.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Collection | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases, the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. |
| Collection, Initial Access | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Collection, Initial Access | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. |
| Initial Access | When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. |