AN0151: Analytic 0151
Outlook or Word used to forward suspicious internal attachments with macro content. Defender observes attachment forwarding, auto-opening behaviors, or macro prompt interactions.
Analyst context for executives and security teams
This analytic matters because it focuses on a common business workflow risk: internal forwarding of Office attachments that contain macro content. Even without ATT&CK tactic context, the behavior is operationally important because suspicious macro-bearing documents moving through Outlook or being opened in Word can create incident-response ambiguity: is this normal collaboration, user-driven propagation of a malicious document, or an internal investigation artifact? Leaders should treat this as a validation point for email, endpoint, and Office telemetry rather than as proof of compromise by itself.
Executive priority
Prioritize this as a control-evidence and readiness question: can the organization show when macro-enabled attachments are forwarded internally, opened automatically or by a user, and whether users interact with macro prompts? This supports business continuity by reducing dwell time around suspicious Office documents, helps SOC and IR teams triage internal spread, and provides audit-friendly evidence that Office macro risk is being monitored. Because the supplied object provides no tactic, relationship, or exploitation context, it should inform defensive coverage validation rather than drive assumptions about active threat activity.
Technical view
For SOC, detection engineering, and IR teams, validate coverage across the Office Suite, specifically Outlook and Word. The analytic describes observation of attachment forwarding, auto-opening behaviors, and macro prompt interactions involving suspicious internal attachments with macro content. Teams should confirm whether email telemetry can identify internal forwarding of attachments, whether endpoint or Office telemetry records Word opening those attachments, and whether macro prompt interaction events are available for correlation. The absence of official detection logic means local baselining and tuning are required to separate normal document collaboration from suspicious forwarding chains.
Likely telemetry
- Outlook message and attachment forwarding metadata for internal email
- Attachment metadata indicating Office documents with macro content
- Word document open events tied to attachments
- Office macro prompt or macro interaction events where available
- Endpoint process or application activity showing Outlook-to-Word document handling
Detection direction
- Validate that internal email forwarding telemetry includes sender, recipient, attachment identity, timestamp, and whether the attachment is macro-enabled.
- Correlate Outlook forwarding with subsequent Word open events and macro prompt interactions rather than alerting on forwarding alone.
- Baseline legitimate internal workflows that frequently forward macro-enabled documents to reduce false positives.
- Look for unusual forwarding chains, unexpected recipients, repeated internal redistribution, or prompt interactions following receipt of a suspicious attachment, while avoiding claims of compromise without corroboration.
- Identify blind spots where internal mail is less inspected than inbound mail, or where Office macro prompt telemetry is not collected.
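The correlation the bullets above describe, as an added worked example that is not part of the AN0151 analytic or any MITRE or Glexia code. It first tests an OOXML attachment for a VBA project part (the evidence behind "macro-enabled" in the attachment metadata), then joins constructed forwarding, Word-open and macro-prompt events on attachment hash so that forwarding alone never produces a finding, a baseline pair suppresses the routine case, and redistribution and prompt interaction after receipt are flagged for triage rather than asserted as compromise. The event field names, the baseline set, the addresses and all sample events are assumptions for illustration; real Exchange and endpoint telemetry will carry different fields.

```python
"""Added example (not AN0151's own logic or any MITRE/Glexia code): test an
OOXML attachment for a VBA project part, then correlate constructed forward,
Word-open and macro-prompt events per attachment so forwarding alone never
fires. Field names, baseline pairs and all sample data are assumptions."""
import io
import zipfile
from collections import defaultdict
from datetime import datetime, timedelta

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) document carries a VBA project part.

    Macro-enabled Word/Excel OOXML files store code in vbaProject.bin; a plain
    .docx has none. Non-zip input (legacy .doc, truncated download) returns
    False rather than raising; legacy OLE files need a separate check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal zip standing in for a .docx (False) or .docm (True)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()

def ev(ts, kind, sha, **fields):
    return {"ts": ts, "type": kind, "attach_sha256": sha, **fields}

# Constructed telemetry joined on attachment hash. a1: receipt, open, macros
# enabled, redistributed to two people. b2: known finance workflow, prompt
# dismissed. c3: a forward with no endpoint activity at all.
EVENTS = [
    ev("2025-01-14T09:00:00", "mail_forward", "a1", sender="alice@corp.example",
       recipient="bob@corp.example", attach_name="invoice.docm"),
    ev("2025-01-14T09:03:00", "word_open", "a1", user="bob@corp.example"),
    ev("2025-01-14T09:03:20", "macro_prompt", "a1", user="bob@corp.example", action="enabled"),
    ev("2025-01-14T09:10:00", "mail_forward", "a1", sender="bob@corp.example",
       recipient="carol@corp.example", attach_name="invoice.docm"),
    ev("2025-01-14T09:12:00", "mail_forward", "a1", sender="bob@corp.example",
       recipient="dave@corp.example", attach_name="invoice.docm"),
    ev("2025-01-14T10:00:00", "mail_forward", "b2", sender="fin-lead@corp.example",
       recipient="erin@corp.example", attach_name="budget.docm"),
    ev("2025-01-14T10:05:00", "word_open", "b2", user="erin@corp.example"),
    ev("2025-01-14T10:05:30", "macro_prompt", "b2", user="erin@corp.example", action="dismissed"),
    ev("2025-01-14T11:00:00", "mail_forward", "c3", sender="frank@corp.example",
       recipient="grace@corp.example", attach_name="notes.docm"),
]
# Assumed baseline: (sender, recipient) pairs that routinely exchange macro documents.
BASELINE_PAIRS = {("fin-lead@corp.example", "erin@corp.example")}

def correlate(events, baseline_pairs, window=timedelta(hours=1), fanout_min=2):
    """Return {attach_sha256: [(code, detail), ...]} for chains that need triage.
    Every code needs endpoint corroboration (an open or an enabled prompt), so a
    forward with nothing after it yields no entry. This flags for triage only;
    it is not evidence of compromise."""
    by_attach = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_attach[e["attach_sha256"]].append(e)
    findings = {}
    for sha, evs in by_attach.items():
        forwards = [e for e in evs if e["type"] == "mail_forward"]
        openers = {e["user"] for e in evs if e["type"] == "word_open"}
        prompts = [e for e in evs if e["type"] == "macro_prompt"]
        reasons = []
        for f in forwards:
            t0 = datetime.fromisoformat(f["ts"])
            for p in prompts:  # same recipient enabled macros soon after receipt
                tp = datetime.fromisoformat(p["ts"])
                if (p["user"] == f["recipient"] and p.get("action") == "enabled"
                        and t0 <= tp <= t0 + window):
                    secs = int((tp - t0).total_seconds())
                    reasons.append(("macro_enabled_after_receipt",
                                    f"{p['user']} enabled macros {secs}s after receipt from {f['sender']}"))
            if (f["sender"], f["recipient"]) not in baseline_pairs and f["recipient"] in openers:
                reasons.append(("nonbaseline_open",
                                f"{f['recipient']} opened {f['attach_name']} received outside baseline"))
        fanout = defaultdict(set)  # who re-sent the same attachment, and to how many
        for f in forwards:
            fanout[f["sender"]].add(f["recipient"])
        received = {f["recipient"] for f in forwards}
        for sender, rcpts in fanout.items():
            if sender in received and sender in openers and len(rcpts) >= fanout_min:
                reasons.append(("redistribution",
                                f"{sender} received, opened, then forwarded to {len(rcpts)} recipients"))
        if reasons:
            findings[sha] = reasons
    return findings

if __name__ == "__main__":
    print("docm carries VBA part:", has_vba_project(make_ooxml(True)))
    for sha, reasons in correlate(EVENTS, BASELINE_PAIRS).items():
        print(sha, *[f"{c}: {d}" for c, d in reasons], sep="\n  ")
```

With the sample data only chain a1 is returned, with three reasons (macros enabled 200 s after receipt, an open outside the baseline, and redistribution by a user who had received and opened the file); b2 is suppressed by the baseline pair and c3 never fires because nothing corroborates the forward. Dropping the baseline makes b2 appear as well, which is the tuning trade-off the bullets describe. The window and fan-out threshold are the knobs local baselining should set.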
Mitigation priorities
- Confirm Office macro policy and attachment-handling controls are documented and enforced for the Office Suite.
- Strengthen internal email monitoring for macro-enabled attachments, not only internet-sourced attachments.
- Ensure SOC and IR playbooks include triage steps for internally forwarded suspicious Office attachments, including attachment identity, forwarding path, and user interaction history.
- Use user awareness and reporting workflows to reduce ad hoc forwarding of suspicious documents and encourage safe escalation paths.
- Retain sufficient email and endpoint telemetry to support incident reconstruction and compliance evidence.
Analyst notes and limits
The object is a detection analytic, AN0151, for Office Suite behavior involving Outlook or Word and suspicious internal attachments with macro content. No ATT&CK tactics, technique relationships, aliases, labels, or official detection logic were supplied, so this assessment emphasizes defensive validation and evidence collection rather than threat attribution or a specific kill-chain stage.
This assessment is constrained to the supplied ATT&CK fields and the single MITRE external reference. There is no relationship context, no official detection query, and no stated tactic. Local environment data is required to determine whether this behavior is anomalous, benign collaboration, security-team handling, or part of an incident.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8f0caa61e5ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0151
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.