AN0189: Analytic 0189
Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.
Analyst context for executives and security teams
This analytic matters because phishing on Linux endpoints can become a business-impacting entry point when an email attachment or URL leads to new files being written or unexpected outbound connections. For leaders, the practical question is not whether phishing exists, but whether the organization can correlate email-client activity with endpoint file creation, process execution, and network behavior quickly enough to support containment and incident decisions.
Executive priority
Prioritize this as a resilience and evidence-quality issue for Linux environments that use local email clients such as Thunderbird or mutt. Security leaders should ask whether SOC teams can prove visibility from mail logs through endpoint and network telemetry, and whether incident responders can reconstruct the chain from message interaction to file write, execution, and outbound connection. This supports control prioritization, phishing response readiness, and audit evidence around monitoring coverage.
Technical view
For SOC and detection teams, validate correlation across Linux mail-client logs, file write events, execution activity, and outbound network connections. The supplied ATT&CK object emphasizes unusual file creation or outbound connections after attachment or URL handling in email clients. Because no ATT&CK detection logic is provided, teams should define local baselines for expected email-client behavior and investigate deviations where mail activity is temporally linked to new files, spawned processes, or network destinations inconsistent with normal use.
Likely telemetry
- Linux endpoint file creation events, especially files created after email-client interaction
- Linux process execution telemetry showing child or related processes from email clients
- Mail-client or mail access logs for Thunderbird, mutt, or other Linux email clients in use
- Outbound network connection logs from Linux endpoints
- DNS or proxy evidence associated with outbound connections following email interaction
Detection direction
- Validate that telemetry can connect a specific user, Linux host, email-client event, file write, process execution, and outbound connection within a useful investigation window.
- Tune for unusual file creation and outbound network behavior associated with email-client activity rather than alerting on all attachments or all email-driven downloads.
- Establish local baselines for expected Thunderbird, mutt, or other mail-client file paths, helper applications, and network behavior to reduce false positives.
- Review blind spots where Linux desktops or servers using mail clients lack endpoint logging, DNS/proxy visibility, or centralized mail logs.
- Because no relationship context or official detection logic is supplied, treat this as an analytic design pattern requiring local validation rather than a ready-to-deploy rule.
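As an added example (not detection logic from ATT&CK or Glexia), the correlation described in the Technical view and Detection direction sections, implemented over constructed Linux endpoint events: a mail-client process tree writing a file, a child process executing from it, and an outbound connection following within a time window. The normalized event shape, the 120-second window, and every host, user, path and destination are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Normalized endpoint event (assumed feed shape, e.g. from auditd/eBPF telemetry):
# kind is "exec", "file_create" or "net_connect"; detail is a path, command line or dest.
Event = namedtuple("Event", "ts kind host user pid ppid comm detail")
MAIL_CLIENTS = {"thunderbird", "mutt"}   # local clients named in the analytic
WINDOW = timedelta(seconds=120)          # assumed correlation window; tune per baseline

def mail_roots(events):
    """Map every pid inside a mail-client process tree to its root mail-client pid."""
    root = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "exec" and e.comm in MAIL_CLIENTS:
            root[e.pid] = e.pid
        elif e.kind == "exec" and e.ppid in root:
            root[e.pid] = root[e.ppid]
    return root

def correlate(events):
    """One finding per chain: a mail-client tree writes a file, and an outbound
    connection from that tree follows the write within WINDOW (child execs attached)."""
    root = mail_roots(events)
    trees = {}
    for e in events:
        if e.pid in root:
            trees.setdefault(root[e.pid], []).append(e)
    findings = []
    for rpid, evs in trees.items():
        children = [e.detail for e in evs if e.kind == "exec" and e.pid != rpid]
        for w in (e for e in evs if e.kind == "file_create"):
            for c in (e for e in evs if e.kind == "net_connect"):
                if timedelta(0) <= c.ts - w.ts <= WINDOW:
                    findings.append({"host": w.host, "user": w.user, "mail_pid": rpid,
                                     "file": w.detail, "child_execs": children,
                                     "dest": c.detail, "gap_s": int((c.ts - w.ts).total_seconds())})
    return findings

# Constructed sample: one suspicious Thunderbird chain, one benign mutt IMAP session.
T = lambda s: datetime.fromisoformat(f"2024-05-01T{s}")
SAMPLE = [
    Event(T("10:00:00"), "exec", "lx-desk-01", "alice", 1000, 900, "thunderbird", "/usr/bin/thunderbird"),
    Event(T("10:00:30"), "file_create", "lx-desk-01", "alice", 1000, 900, "thunderbird", "/home/alice/Downloads/invoice.pdf.sh"),
    Event(T("10:00:45"), "exec", "lx-desk-01", "alice", 1010, 1000, "sh", "/bin/sh /home/alice/Downloads/invoice.pdf.sh"),
    Event(T("10:00:50"), "net_connect", "lx-desk-01", "alice", 1010, 1000, "sh", "203.0.113.10:443"),
    Event(T("10:05:00"), "exec", "lx-srv-02", "bob", 2000, 1900, "mutt", "/usr/bin/mutt"),
    Event(T("10:05:10"), "net_connect", "lx-srv-02", "bob", 2000, 1900, "mutt", "mail.example.internal:993"),
]
```

The mutt session produces no finding because it never writes a file, which is the page's point about tuning for the file-write plus outbound-connection pairing rather than all mail-client network activity.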
Mitigation priorities
- Confirm Linux endpoints running email clients are included in endpoint monitoring and incident response procedures.
- Ensure mail, endpoint, and network logs retain enough detail and time coverage to support correlation after a suspected phishing event.
- Harden phishing response workflows so analysts can quickly isolate the host, preserve relevant files, and review associated outbound connections.
- Use awareness, attachment handling policies, and secure email controls as preventive layers, while recognizing this analytic focuses on detection and correlation evidence.
- Periodically test whether SOC teams can trace from a suspicious email interaction to file creation, execution activity, and outbound network connections.
Analyst notes and limits
The object is a detection analytic for Linux and is narrowly focused on phishing-related payload delivery through email clients where attachments or URLs lead to unusual file creation or outbound connections. ATT&CK tactics are not specified, no relationships are supplied, and no official detection rule is provided, so local engineering is required.
This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Environment-specific email-client usage, logging configuration, and baseline behavior are required before operationalizing the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 37625d1acad8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0189 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.