MITRE ATT&CK® Analytic

AN0130: Analytic 0130

Detection focuses on processes that attempt to locate, access, or exfiltrate local Outlook data files (.pst/.ost) using file system access, native Windows utilities (e.g., PowerShell, WMI), or remote access tools with file browsing capabilities. The behavior chain includes directory enumeration, file access, optional compression or staging, and network transfer.

Enterprise | AN0130 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because local Outlook data files can contain large amounts of business email, attachments, contacts, and potentially sensitive records outside the mail server’s normal audit path. On Windows endpoints, attempts to find, open, stage, compress, or transfer .pst and .ost files can indicate preparation for data theft or unauthorized collection of business communications.

Executive priority

Treat this as a data-loss and incident-readiness coverage question: can the organization prove it can see unusual access to local Outlook archives on Windows systems, especially when native tools such as PowerShell or WMI are involved? Leaders should prioritize coverage where email archives support legal, financial, regulated, or executive communications, and should ask whether endpoint, file, and network telemetry is retained well enough to support investigation and compliance evidence.

Technical view

SOC and IR teams should validate visibility for Windows process activity that enumerates directories, accesses .pst/.ost files, optionally compresses or stages them, and then transfers data over the network. Because the ATT&CK object provides no specific detection logic or tactic mapping, detection engineering should build from the described behavior chain rather than a single indicator: suspicious process lineage, native utility use, remote access tool file browsing behavior, file access to Outlook data stores, archive creation near those files, and outbound transfer activity.

Likely telemetry

  • Windows process creation and command-line telemetry
  • File system telemetry for access to .pst and .ost files
  • Directory enumeration activity in user profile or Outlook data locations
  • PowerShell and WMI activity logs where collected
  • Archive or compression utility execution and file creation telemetry

Detection direction

  • Validate that Windows endpoint telemetry captures both process behavior and file access to Outlook data files; process-only logging may miss the key data access event.
  • Correlate directory enumeration, .pst/.ost file access, staging or compression, and network transfer rather than alerting only on one noisy action.
  • Tune for legitimate administrative, backup, eDiscovery, migration, and user-driven Outlook archive handling to reduce false positives.
  • Pay attention to native Windows utilities such as PowerShell and WMI because their use may blend into normal administration.
  • Confirm whether remote access tools used in the environment provide usable logs for file browsing or transfer activity.
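As an added example (not part of the MITRE object or Glexia's text), the following Python correlates the four-stage chain described above over constructed endpoint events rather than alerting on any single action; the event schema, field names, process names and paths are assumptions, and real EDR or Sysmon telemetry would need its own mapping.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OUTLOOK_DATA = re.compile(r"\.(pst|ost)$", re.I)
ARCHIVE = re.compile(r"\.(zip|7z|rar|cab)$", re.I)
STAGES = ("enumerate", "access", "stage", "transfer")  # order of the AN0130 chain

def classify(ev):
    """Map one event (assumed schema) onto a stage of the chain, or None."""
    kind, target = ev["type"], ev.get("target", "")
    if kind == "dir_enum" and "outlook" in target.lower():
        return "enumerate"
    if kind == "file_read" and OUTLOOK_DATA.search(target):
        return "access"
    if kind == "file_create" and ARCHIVE.search(target):
        return "stage"
    if kind == "net_connect":
        return "transfer"

def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Report processes reaching >= min_stages stages (access mandatory) in one window."""
    by_proc = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_proc[(ev["host"], ev["pid"], ev["image"])].append((ev["ts"], stage))
    hits = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort()
        first = evs[0][0]
        seen = {s for ts, s in evs if ts - first <= window}
        if "access" in seen and len(seen) >= min_stages:
            hits.append({"host": host, "pid": pid, "image": image,
                         "stages": [s for s in STAGES if s in seen]})
    return hits

T = datetime(2024, 1, 1, 9, 0)
def mk(host, pid, image, kind, target, minute):  # builds one constructed event
    return {"host": host, "pid": pid, "image": image, "type": kind,
            "target": target, "ts": T + timedelta(minutes=minute)}
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    mk("WS01", 4242, "powershell.exe", "dir_enum", r"C:\Users\alice\Documents\Outlook Files", 0),
    mk("WS01", 4242, "powershell.exe", "file_read", r"C:\Users\alice\Documents\Outlook Files\old.pst", 1),
    mk("WS01", 4242, "powershell.exe", "file_create", r"C:\Users\Public\mail.zip", 2),
    mk("WS01", 4242, "powershell.exe", "net_connect", "203.0.113.10:443", 3),
    # Outlook opening its own .ost is a single stage, not a chain: no alert.
    mk("WS02", 1000, "outlook.exe", "file_read", r"C:\Users\bob\AppData\Local\Microsoft\Outlook\bob.ost", 0),
]
```

Raising `min_stages` to 4 trades recall for precision; lowering it to 2 will surface backup and migration jobs that the tuning bullet above says must be allow-listed first.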

Mitigation priorities

  • Limit unnecessary local Outlook archive use and inventory where .pst/.ost files are commonly stored on Windows endpoints.
  • Apply least-privilege access to user data locations and restrict unnecessary remote file browsing or transfer capabilities.
  • Harden and monitor PowerShell, WMI, and remote access tool usage in line with administrative need.
  • Ensure endpoint logging, file access auditing, and network telemetry retention support investigation of suspected email archive collection.
  • Review data handling, backup, eDiscovery, and migration workflows so legitimate access paths are documented and distinguishable from suspicious behavior.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows focused on local Outlook data files. It describes a behavior chain but does not provide official detection logic, related techniques, tactics, groups, software, mitigations, or data-source relationships. Defensive value comes from validating end-to-end visibility across file access, process execution, staging/compression, and transfer activity.

This take is limited to the official STIX fields and external reference provided. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local environment evidence is required to determine normal Outlook archive use, authorized administrative workflows, telemetry availability, and alert severity.

Official MITRE ATT&CK definition

Analytic 0130

Detection focuses on processes that attempt to locate, access, or exfiltrate local Outlook data files (.pst/.ost) using file system access, native Windows utilities (e.g., PowerShell, WMI), or remote access tools with file browsing capabilities. The behavior chain includes directory enumeration, file access, optional compression or staging, and network transfer.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not populated in this snapshot)
Modified: (not populated in this snapshot)
Raw hash: 1ba9cbba11e16189...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1ba9cbba11e1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0130 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.