AN0188: Analytic 0188
Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.
Analyst context for executives and security teams
This analytic matters because it connects a common business entry point—email—to what happens next on Windows endpoints. For leaders, the value is not simply identifying a suspicious message; it is proving whether a delivered attachment or URL led to new process execution, document behavior, file creation, or outbound network activity that may require containment or user-impacting response decisions.
Executive priority
Prioritize this as a readiness check for phishing-driven incident response and SOC correlation. Executives should ask whether email security, endpoint telemetry, and network evidence can be joined quickly enough to support containment, audit evidence, and business-continuity decisions after a suspicious message reaches a user. Gaps in this correlation can delay determining whether an email was only delivered or actually executed.
Technical view
For Windows environments, validate the ability to correlate inbound email metadata with subsequent endpoint and network activity. SOC teams should confirm they can trace from message delivery, attachment or embedded URL, and recipient identity to file creation, new process execution, suspicious document behavior, and related network connections. No ATT&CK tactic or relationship context is supplied, and no official detection logic is provided, so local rule design and tuning are required.
Likely telemetry
- Inbound email metadata, including sender, recipient, subject, attachment indicators, and embedded URLs
- Email gateway or mail security logs showing message delivery to users
- Windows endpoint process creation telemetry
- File creation telemetry for downloaded or opened attachments
- Document application behavior telemetry where available
Detection direction
- Validate correlation across email, endpoint, and network data rather than relying on email alerts alone.
- Tune for timing relationships between message receipt and subsequent process creation, file creation, document behavior, or network activity on the recipient’s Windows host.
- Review false positives from normal business workflows involving attachments, document editing, browser launches, and collaboration links.
- Confirm whether telemetry preserves enough identifiers to connect a specific email, user, host, file, URL, and process chain.
- Because the official detection field is not provided, treat this as a detection-engineering objective rather than a ready-to-deploy analytic.
Mitigation priorities
- Ensure email security controls and logging capture attachment and URL metadata needed for investigation.
- Prioritize endpoint visibility for Windows process creation, file creation, and document-related activity.
- Maintain network logging that can be correlated to user and host activity after email delivery.
- Define incident response playbooks that distinguish message delivery from user execution and suspicious post-delivery behavior.
- Use the analytic as evidence for phishing response readiness and compliance reporting where correlation and investigation timelines are required.
Analyst notes and limits
This object is a MITRE detection analytic, AN0188, for Windows. Its decision value is in validating cross-domain correlation after suspicious inbound email activity. The supplied object has no relationships, no tactic assignment, and no official detection logic, so defenders should avoid treating it as complete coverage without local telemetry validation.
Assessment is limited to the supplied STIX fields, external reference, and description. No active exploitation, attribution, specific malware behavior, exact query logic, or guaranteed detection outcome is supported by the provided data.
Analytic 0188
Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 44272f53362d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0188Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.