If the attacker wishes to observe the victim's email traffic (most likely because they failed to capture an unencrypted password, which would have allowed them to log in as the victim and read their email directly), they may need to carry out a second, slightly more complex attack, which will also likely expose the victim's password as well as the content of their email.
To capture outgoing (SMTP) messages, the process is nearly identical to the traffic monitoring exercise.
Mandatory (SSL, TLS or HTTPS) encryption on all authenticated services (especially email). This should apply to both direct connections to the email server (e.g. via IMAP, MAPI, SMTP) as well as webmail services.
Those who use Outlook, or some other email client, should only be allowed to connect to the organization's mail server using SSL or TLS encryption. Attempts to connect without encryption should fail. All staff mail clients should be reconfigured accordingly.
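One way for an administrator to verify the "attempts to connect without encryption should fail" requirement on their own IMAP server is to read the capabilities it advertises on the plaintext port: RFC 3501 lets a server announce LOGINDISABLED (plain LOGIN refused until STARTTLS), and any AUTH=PLAIN or AUTH=LOGIN mechanism offered before STARTTLS would still carry the password in the clear. The following is an added example (not from the original page); the sample greeting lines are constructed, and `check_imap_plaintext` assumes a server you administer that listens on port 143.

```python
import re
import socket

# Constructed sample greetings, in the form an IMAP server sends on port 143.
WEAK_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] IMAP server ready"
HARDENED_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] IMAP server ready"


def parse_capabilities(text: str) -> set:
    """Extract capability tokens from a greeting ([CAPABILITY ...]) or an
    untagged '* CAPABILITY ...' response line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", text)
    if m is None:
        m = re.search(r"^\* CAPABILITY (.*)$", text, re.MULTILINE)
    if m is None:
        return set()
    return {tok.strip().upper() for tok in m.group(1).split()}


def plaintext_credentials_accepted(caps: set) -> bool:
    """True if the server would take a password before TLS is negotiated:
    either LOGIN is still enabled, or a plaintext SASL mechanism is offered."""
    if "LOGINDISABLED" not in caps:
        return True
    return bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})


def check_imap_plaintext(host: str, port: int = 143, timeout: float = 5.0) -> bool:
    """Connect to an IMAP server you administer (hypothetical host) and report
    whether it accepts credentials in the clear. Sends only CAPABILITY."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode(errors="replace")
        sock.sendall(b"a1 CAPABILITY\r\n")
        response = []
        while True:
            line = reader.readline().decode(errors="replace")
            response.append(line)
            if not line or line.startswith("a1 "):
                break
    caps = parse_capabilities(greeting) | parse_capabilities("".join(response))
    return plaintext_credentials_accepted(caps)


if __name__ == "__main__":
    for label, greeting in (("weak", WEAK_GREETING), ("hardened", HARDENED_GREETING)):
        print(label, "accepts plaintext credentials:",
              plaintext_credentials_accepted(parse_capabilities(greeting)))
```

A server that passes this check should also be confirmed to reject a real LOGIN before STARTTLS, since capability advertisements can be misconfigured independently of enforcement.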