TH16123
Detected presence of software components that can access email application databases.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Installed software stores sensitive user information in application-specific databases. For email clients, this sensitive information includes the complete email correspondence, list of contacts, saved passwords, email attachments and digital signatures. These databases are typically not protected from unauthorized access for user convenience. Any encryption they might employ is easily bypassed, as the encryption keys are commonly stored alongside the data. For this reason, attackers often aim to gain access to email application databases and exfiltrate collected data to a remote server. While the presence of code that accesses email databases does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can interact with email client data. One example of acceptable use for such functions is extending email client application functionality through natively developed plugins.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1114 - Email Collection.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1114 - Email Collection (External resource - Mitre ATT&CK documentation)
- Data exfiltration (External resource - Wikipedia)