Threat actors may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to Threat actors. Emails may also contain details of ongoing incident response operations, which may allow Threat actors to adjust their techniques in order to maintain persistence or evade defenses. Threat actors can collect or forward email from mail servers or clients.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.