AN0148: Analytic 0148
Delivery of suspicious internal communication (e.g., Thunderbird, Evolution) using compromised internal accounts. Sequence of: unexpected user activity + mail transfer logs + download or execution of attachments.
Analyst context for executives and security teams
This analytic matters because internal email sent from compromised accounts can look trusted to employees and security tools. For Linux environments using desktop mail clients such as Thunderbird or Evolution, the decision point is whether the organization can connect three evidence streams: unusual user activity, mail transfer records, and attachment download or execution activity.
Executive priority
Treat this as a validation item for business email compromise and malware-delivery readiness in Linux user environments. Leaders should ask whether SOC and incident response teams can prove internal-account abuse from logs, not just detect external phishing. This supports prioritization of identity monitoring, endpoint logging, mail infrastructure visibility, and incident response evidence needed for audit or post-incident review.
Technical view
ATT&CK provides this as a Linux detection analytic for suspicious internal communication using compromised internal accounts. The supplied behavior is a sequence: unexpected user activity, mail transfer logs, and download or execution of attachments. SOC teams should validate whether those events can be correlated by user, host, time, message, and attachment context. Because no official detection logic is provided, teams should build environment-specific criteria for what counts as unexpected user activity and tune around legitimate internal mail workflows.
Likely telemetry
- Linux endpoint activity showing user sessions and process execution
- Desktop mail client activity where available, especially Thunderbird or Evolution usage
- Mail transfer logs showing internal account sender, recipient, timestamps, and message flow
- Attachment download evidence from endpoint, mail client, or filesystem telemetry
- Attachment execution evidence from Linux process, shell, or application logs
Detection direction
- Validate correlation across account activity, mail transfer logs, and endpoint attachment activity rather than relying on a single alert source.
- Define local baselines for expected user mail behavior, login patterns, and attachment handling to reduce false positives.
- Pay attention to internal sender reputation blind spots; internally sourced messages may be trusted more than external mail.
- Confirm Linux endpoint visibility covers attachment execution paths and mail client child processes where relevant.
- Document gaps where mail transfer logs, endpoint telemetry, or user activity records cannot be joined reliably.
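The correlation described in the technical view and the detection direction above, as an added example (not part of the ATT&CK object or the Glexia page): a small Python script that joins three constructed evidence streams by account, time window and attachment path, and only raises an alert when all three line up. The log formats (a key=value login feed, Postfix-style mail transfer lines, and a key=value endpoint process feed), the baseline of expected login sources, the work-hours policy and the time windows are all assumptions for the example; the sample lines are constructed, not real logs.

```python
"""Correlate three constructed evidence streams for AN0148 (added example).

Streams (all sample lines are constructed for this example, not real logs):
  1. identity: login events for internal accounts (user, source IP, time)
  2. mail:     Postfix-style transfer records (queue id, sender, recipient, time)
  3. endpoint: process events on the recipient host (user, parent, path, action)
An alert fires only when all three join by account, time window and attachment.
"""
import re
from datetime import datetime, timedelta

# Baseline of expected login sources per account (assumed, per-environment).
BASELINE_SOURCES = {"alice": {"10.0.5.12"}, "bob": {"10.0.5.40"}}
WORK_HOURS = range(7, 20)            # 07:00-19:59 local; assumed policy
LOGIN_TO_MAIL = timedelta(hours=2)   # mail must follow the odd login within 2h
MAIL_TO_EXEC = timedelta(hours=1)    # attachment exec within 1h of delivery
MAIL_CLIENTS = {"thunderbird", "evolution"}
YEAR = 2026                          # syslog lines carry no year; assumed here

# Constructed sample evidence (not real logs)
LOGIN_LOG = """\
2026-03-02T02:13:04 host=ws-alice user=alice src=203.0.113.77 result=success
2026-03-02T08:55:10 host=ws-bob user=bob src=10.0.5.40 result=success
"""
MAIL_LOG = """\
Mar  2 02:20:31 mx1 postfix/qmgr[811]: 4F2A1: from=<alice@corp.example>, size=22410
Mar  2 02:20:32 mx1 postfix/smtp[820]: 4F2A1: to=<bob@corp.example>, status=sent (250 OK)
Mar  2 09:01:02 mx1 postfix/qmgr[811]: 4F2B9: from=<bob@corp.example>, size=1800
Mar  2 09:01:03 mx1 postfix/smtp[820]: 4F2B9: to=<carol@corp.example>, status=sent (250 OK)
"""
ENDPOINT_LOG = """\
2026-03-02T02:41:00 host=ws-bob user=bob proc=thunderbird action=write path=/home/bob/Downloads/invoice.sh
2026-03-02T02:42:15 host=ws-bob user=bob proc=bash parent=thunderbird action=exec path=/home/bob/Downloads/invoice.sh
"""

KV = re.compile(r"(\w+)=(\S+)")
MAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+\[\d+\]: (\w+): (from|to)=<([^@>]+)@[^>]*>")

def parse_kv(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def parse_mail(text):
    """Join the qmgr 'from' record and the smtp 'to' records on the queue id."""
    msgs = {}
    for line in text.splitlines():
        m = MAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rec = msgs.setdefault(m.group(2), {"qid": m.group(2), "to": []})
        if m.group(3) == "from":
            rec["from"], rec["ts"] = m.group(4), ts
        else:
            rec["to"].append(m.group(4))
    return [r for r in msgs.values() if "from" in r]

def unexpected_logins(events):
    """Logins from a source not in the account's baseline, or outside work hours."""
    return [e for e in events
            if e["src"] not in BASELINE_SOURCES.get(e["user"], set())
            or e["ts"].hour not in WORK_HOURS]

def correlate(login_text, mail_text, endpoint_text):
    """Unexpected login -> mail sent by that account -> recipient's mail client
    writes an attachment -> that path is executed. All joins are time-bounded."""
    logins = unexpected_logins(parse_kv(login_text))
    msgs = parse_mail(mail_text)
    endpoint = parse_kv(endpoint_text)
    alerts = []
    for lg in logins:
        for msg in msgs:
            if msg["from"] != lg["user"] or not (lg["ts"] <= msg["ts"] <= lg["ts"] + LOGIN_TO_MAIL):
                continue
            for rcpt in msg["to"]:
                writes = [e for e in endpoint if e["user"] == rcpt and e["action"] == "write"
                          and e["proc"] in MAIL_CLIENTS
                          and msg["ts"] <= e["ts"] <= msg["ts"] + MAIL_TO_EXEC]
                for w in writes:
                    execs = [e for e in endpoint if e["action"] == "exec" and e["path"] == w["path"]
                             and w["ts"] <= e["ts"] <= msg["ts"] + MAIL_TO_EXEC]
                    for ex in execs:
                        alerts.append({"sender": lg["user"], "src": lg["src"], "qid": msg["qid"],
                                       "recipient": rcpt, "host": ex["host"],
                                       "parent": ex.get("parent"), "path": ex["path"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(LOGIN_LOG, MAIL_LOG, ENDPOINT_LOG):
        print("ALERT", a)
```

In the constructed sample only alice's off-hours login from an unknown source qualifies as unexpected, so bob's later message to carol produces no alert even though it is also internal mail; that is the point of requiring all three streams to join rather than alerting on any one of them. The baseline and windows are deliberately exposed as constants because, as the technical view notes, what counts as unexpected must be set per environment.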
Mitigation priorities
- Prioritize logging and retention for mail transfer, identity activity, and Linux endpoint execution evidence.
- Strengthen internal account monitoring so compromised-account behavior can be distinguished from normal user activity.
- Review attachment handling controls and user workflow controls for Linux desktop mail clients where they are in use.
- Ensure incident response playbooks include internal-account mail abuse, attachment triage, and account containment steps.
- Use this analytic as a coverage test for managed detection, SOC tuning, and compliance evidence around suspicious internal communications.
Analyst notes and limits
The object is a detection analytic, not a technique or procedure. ATT&CK supplies a concise behavioral sequence but no detection query, no tactic mapping, and no relationship context. The strongest use is as a coverage-validation prompt: can defenders join user, mail, and Linux endpoint evidence quickly enough to support investigation?
No official detection text, relationships, actor context, active exploitation claim, or impact detail was supplied. Applicability is limited to the stated Linux platform and the described internal communication scenario. Local mail architecture, logging configuration, and endpoint visibility will determine whether this analytic is actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c6b99bc7a1a4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0148 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.