MITRE ATT&CK® Analytic

AN0131: Analytic 0131

Detects adversaries accessing remote mail systems (e.g., Exchange Online, O365) using stolen credentials or OAuth tokens, followed by scripted access to mailbox contents via PowerShell, AADInternals, or unattended API queries. Detection focuses on abnormal logon sessions, user agents, IP locations, and scripted or tool-based email data access.

Enterprise · AN0131 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0131 is a detection analytic for suspicious access to remote mail systems such as Exchange Online or O365 using stolen credentials or OAuth tokens, followed by scripted mailbox access through PowerShell, AADInternals, or unattended API queries. For leaders, the business issue is not just email access: mailbox data often contains sensitive communications, reset links, invoices, legal material, and operational context that can support broader compromise or fraud.

Executive priority

Prioritize this analytic where email is a critical business system and where cloud identity, OAuth access, and mailbox auditability are material to incident response and compliance evidence. Security leaders should ask whether the organization can distinguish normal user email activity from abnormal sessions, unusual user agents, unexpected IP locations, and scripted data access. The decision value is strongest for identity and access management, SOC monitoring, incident response readiness, and audit defensibility around cloud email access.

Technical view

Validate coverage for Windows-based administrative or scripting activity that accesses remote mail systems, and for cloud-mail authentication and mailbox-access telemetry that can show abnormal logon sessions, user agents, IP locations, and scripted or tool-based access. Because the official ATT&CK object provides no separate detection logic and no relationship context, teams should treat AN0131 as a validation target rather than a complete rule: confirm that mailbox audit logs, sign-in/session records, OAuth token/application activity, PowerShell usage, and API access patterns can be correlated to users, source IPs, devices, and time windows.

Likely telemetry

  • Cloud email sign-in and mailbox access logs for Exchange Online or O365 where available
  • User agent strings and client/application identifiers associated with mail access
  • Source IP address, geolocation, and session metadata for email authentication events
  • OAuth token or application-consent related access records where available
  • PowerShell execution and administrative scripting telemetry on Windows systems

Detection direction

  • Baseline expected email access patterns by user, role, geography, device, and client type before treating anomalies as high confidence.
  • Tune for abnormal combinations: unusual IP location, unusual user agent, new or rare client/application, scripted access pattern, and high-volume or unattended mailbox content access.
  • Correlate cloud-mail activity with Windows PowerShell or administrative scripting telemetry where available, especially when remote mailbox access follows suspicious authentication.
  • Account for legitimate automation, eDiscovery, compliance tooling, mail migration, and administrative scripts as likely false-positive sources.
  • Validate whether OAuth-based access is visible; token or application-based access may not look like an interactive user logon.
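One way to turn the directions above into a first-pass rule, as an added example that is not code from MITRE or Glexia: it rolls constructed O365-style mailbox-access events up to sessions, scores each against a per-user baseline for the abnormal combinations listed above (unusual location, rare client, non-interactive OAuth access, bulk reads), suppresses inventoried automation, and alerts only when several anomalies stack. Field names, the baselines and the approved-app list are assumptions, not a real audit-log schema.

```python
"""Flag abnormal mailbox-access sessions against a per-user baseline.
Added example, not MITRE's or Glexia's code; event fields, baselines and the
approved-automation list are constructed O365 audit-log-style data."""
from collections import defaultdict
# Constructed baselines: normal countries/clients per user, plus inventoried
# scripted access (e.g. eDiscovery export) that must not raise alerts.
BASELINE = {"alice": {"countries": {"US"}, "clients": {"Outlook", "OWA"}}}
APPROVED_APPS = {"svc-ediscovery": {"eDiscovery-Export"}}
BULK_ITEMS = 100   # items read in one session before we call it bulk/scripted
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"user": "alice", "session": "s2", "country": "RO",
     "client": "python-requests/2.31", "auth": "oauth-app", "items": 80},
    {"user": "alice", "session": "s2", "country": "RO",
     "client": "python-requests/2.31", "auth": "oauth-app", "items": 95},
    {"user": "alice", "session": "s3", "country": "US", "client": "Outlook",
     "auth": "interactive", "items": 150},
    {"user": "svc-ediscovery", "session": "s9", "country": "US",
     "client": "eDiscovery-Export", "auth": "oauth-app", "items": 500},
]

def summarize_sessions(events):
    """Roll events up to (user, session): total items plus observed attributes."""
    sessions = defaultdict(lambda: {"items": 0, "countries": set(), "clients": set(), "auth": set()})
    for ev in events:
        s = sessions[(ev["user"], ev["session"])]
        s["items"] += ev["items"]
        s["countries"].add(ev["country"]); s["clients"].add(ev["client"])
        s["auth"].add(ev["auth"])
    return sessions

def score_session(user, s):
    """Abnormal-combination reasons for one session; empty if it looks normal."""
    base = BASELINE.get(user, {"countries": set(), "clients": set()})
    if s["clients"] <= APPROVED_APPS.get(user, set()):  # approved automation only
        return []
    reasons = []
    if not s["countries"] <= base["countries"]:
        reasons.append("unusual IP location")
    if not s["clients"] <= base["clients"]:
        reasons.append("rare client/user agent")
    if "oauth-app" in s["auth"]:  # token/app access, not an interactive logon
        reasons.append("non-interactive OAuth access")
    if s["items"] >= BULK_ITEMS:
        reasons.append("bulk mailbox read")
    return reasons

def detect(events, min_reasons=2):
    """Alert only when anomalies stack, so a bulk read by a known client stays quiet."""
    return {key: r for key, s in summarize_sessions(events).items()
            for r in [score_session(key[0], s)] if len(r) >= min_reasons}
```

With the default threshold only the foreign, scripted, token-based session alerts; lowering `min_reasons` to 1 also surfaces the large interactive read from a known client, which is the tuning trade-off the bullets describe.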

Mitigation priorities

  • Ensure centralized logging is enabled for remote mail authentication, mailbox access, user agents, IP/session metadata, OAuth/application access, and relevant Windows PowerShell activity.
  • Review identity controls for cloud mail access, including strong authentication, conditional access-style policy enforcement where applicable, and governance of OAuth/application permissions.
  • Maintain inventories and approvals for legitimate scripted mailbox access so the SOC can separate business automation from suspicious unattended queries.
  • Prepare incident response procedures for suspected mailbox compromise, including account containment, token/session revocation where supported, mailbox audit review, and evidence preservation.
  • Use the analytic to support compliance readiness by proving that email access and administrative/scripted activity are observable and reviewable.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. The supplied fields identify Windows as the platform and describe suspicious remote mail access involving stolen credentials or OAuth tokens, PowerShell, AADInternals, and unattended API queries. Tactics are not specified and no relationships were supplied, so context must come from local telemetry and the referenced MITRE detection strategy page.

Official detection logic is not provided, and there are no supplied relationships to techniques, groups, software, mitigations, or data components. This take cannot assert active exploitation, attribution, impact, or existing detection coverage. Local cloud email configuration, audit logging, identity controls, and approved automation patterns are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0131

Detects adversaries accessing remote mail systems (e.g., Exchange Online, O365) using stolen credentials or OAuth tokens, followed by scripted access to mailbox contents via PowerShell, AADInternals, or unattended API queries. Detection focuses on abnormal logon sessions, user agents, IP locations, and scripted or tool-based email data access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e841ee327388e02a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e841ee327388…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0131 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.