MITRE ATT&CK® Analytic

AN0147: Analytic 0147

Sequence of internal email sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes: internal mail delivery to peers with high entropy attachments, followed by click events, process initiation, or credential prompts.

Enterprise · AN0147 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it describes a common business-risk pattern: a trusted internal account appears to be used to send malicious email to peers, with attachments or links that may lead to execution or credential harvesting. For leaders, the key issue is not just email filtering; it is whether identity, endpoint, email, and click/process evidence can be joined quickly enough to contain a compromised user before trust inside the organization amplifies the incident.

Executive priority

Prioritize validation of cross-domain visibility for internal account compromise scenarios. This behavior can affect business continuity and incident decision-making because the sender is an internal user, so controls that only focus on external email may miss the risk. Executives should ask whether SOC and IR teams can prove when an abnormal logon or device event preceded internal mail delivery, which recipients clicked, and whether any Windows execution or credential prompt followed.

Technical view

The supplied ATT&CK object is a Windows-relevant detection analytic with no tactic or formal detection logic provided. SOC teams should validate correlation across abnormal user logon or device activity, internal email sent to peers, high-entropy attachments or links, click events, Windows process initiation, and credential prompt evidence. The practical test is whether analysts can reconstruct the sequence from account compromise indicators through internal delivery and downstream recipient activity.

Likely telemetry

  • Identity and authentication logs showing abnormal logon activity for the sending user
  • Device activity for the sending user account or associated endpoint
  • Internal email delivery metadata, including sender, recipients, timestamps, attachments, and links
  • Attachment characteristics, including indicators of unusually high entropy where available
  • URL click or link detonation/click-tracking events

Detection direction

  • Validate correlation logic for sequence timing: abnormal logon or device activity before internal mail delivery, followed by recipient click, process initiation, or credential prompt activity.
  • Tune carefully for business workflows that legitimately send attachments or links internally, especially high-volume departments, automated mailboxes, and collaboration tools.
  • Confirm that internal-to-internal email is inspected and logged; many programs have better visibility for inbound external mail than for trusted internal mail.
  • Review whether recipient-side Windows execution telemetry is available and linkable back to the email event.
  • Use the analytic as a coverage test rather than a complete rule, because the official object does not provide detection logic or thresholds.
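The sequence-timing correlation described above, written out as an added example (not code from the Glexia page or from MITRE). It runs over constructed telemetry embedded in the block; the event field names, the two-hour window and the 7.0-bit entropy threshold are assumptions to be tuned to local data.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page). Times are ISO strings.
EVENTS = [
    {"t": "2024-05-01T08:55:00", "kind": "logon", "user": "alice", "anomalous": True},
    {"t": "2024-05-01T09:10:00", "kind": "mail", "sender": "alice",
     "recipients": ["bob", "carol"], "attachment": bytes(range(256)) * 4},
    {"t": "2024-05-01T09:14:00", "kind": "click", "user": "bob"},
    {"t": "2024-05-01T09:15:00", "kind": "process", "user": "bob", "image": "untrusted.exe"},
    {"t": "2024-05-01T09:50:00", "kind": "device", "user": "dave", "anomalous": True},
    {"t": "2024-05-01T10:00:00", "kind": "mail", "sender": "dave",
     "recipients": ["erin"], "attachment": b"quarterly report text " * 30},
    {"t": "2024-05-01T10:05:00", "kind": "click", "user": "erin"},
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means a uniform byte distribution (packed or encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _ts(e):
    return datetime.fromisoformat(e["t"])

def correlate(events, window=timedelta(hours=2), entropy_threshold=7.0):
    """One alert per internal mail that completes the three-step AN0147 sequence."""
    evs = sorted(events, key=_ts)
    alerts = []
    for m in (e for e in evs if e["kind"] == "mail"):
        # Step 1: abnormal logon or device activity for the sender shortly before delivery
        prior = [e for e in evs if e["kind"] in ("logon", "device") and e.get("anomalous")
                 and e["user"] == m["sender"] and _ts(m) - window <= _ts(e) <= _ts(m)]
        if not prior:
            continue
        # Step 2: high-entropy attachment or an embedded link in the internal message
        ent = shannon_entropy(m.get("attachment", b""))
        if ent < entropy_threshold and not m.get("links"):
            continue  # dave's low-entropy report is dropped here (false-positive tuning)
        # Step 3: recipient-side click, process start, or credential prompt after delivery
        post = [e for e in evs if e["kind"] in ("click", "process", "credential_prompt")
                and e["user"] in m["recipients"] and _ts(m) <= _ts(e) <= _ts(m) + window]
        if post:
            alerts.append({"sender": m["sender"], "entropy": round(ent, 2),
                           "recipients": sorted({e["user"] for e in post}),
                           "followups": [e["kind"] for e in post]})
    return alerts
```

On the constructed data only alice's message alerts: dave also has an anomalous device event and a recipient click, but his attachment is plain text, so step 2 filters it out.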

Mitigation priorities

  • Strengthen identity controls and monitoring for abnormal logons on user accounts that can send broad internal email.
  • Ensure email security controls and logging apply to internal mail, attachments, and links, not only external inbound messages.
  • Maintain endpoint visibility on Windows systems so recipient click-through and process initiation can be investigated quickly.
  • Prepare IR playbooks for suspected compromised internal sender accounts, including containment of the account, recipient scoping, and follow-up credential reset decisions.
  • Use awareness and reporting processes to reduce delay when employees receive unexpected internal attachments or credential prompts.

Analyst notes and limits

This is best treated as an analytic pattern for validating SOC and IR readiness across email, identity, and Windows endpoint data. Its value is in sequence reconstruction: compromised-account signal, internal message propagation, recipient interaction, and post-click behavior.

The ATT&CK object provides a description but no official detection logic, tactics, relationships, thresholds, data components, or false-positive guidance. Local telemetry availability, email architecture, identity provider logging, and endpoint coverage will determine whether this can be implemented reliably.

Official MITRE ATT&CK definition

Analytic 0147

Sequence of internal email sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes: internal mail delivery to peers with high entropy attachments, followed by click events, process initiation, or credential prompts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b655e34aba62ee93...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b655e34aba62…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0147

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.