AN0264: Analytic 0264
Adversary adds a new Outlook rule with modified or obfuscated PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER attributes using MFCMapi or Ruler. Rule is triggered when email arrives, executing embedded or external code. Mailbox audit logs or Unified Audit Log show automated rule-triggered action without user interaction.
Analyst context for executives and security teams
This analytic matters because mailbox rules can become an execution path inside the Office suite: a rule is added with modified or obfuscated Outlook rule attributes and then triggers code when email arrives, without the user taking an action. For leaders, the practical issue is whether email security, audit logging, and SOC processes can distinguish legitimate user automation from suspicious rule-triggered behavior in executive, privileged, and high-risk mailboxes.
Executive priority
Prioritize this as an identity and email operations resilience question: can the organization prove who created mailbox rules, when they were created, what they do, and whether actions occurred without user interaction? The business value is strongest for incident response readiness, audit evidence, and protection of sensitive mailboxes where automated rules could bypass normal user-visible activity. Because ATT&CK provides no tactic mapping, mitigation, or detection logic for this analytic, local validation is required before treating it as covered.
Technical view
Validate visibility in Office Suite mailbox auditing and Unified Audit Log data for creation or modification of Outlook rules, especially rules with unusual, modified, or obfuscated PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER attributes. SOC teams should review whether they can correlate rule creation with later automated rule-triggered actions when email arrives and no user interaction is present. Detection engineering should avoid relying only on rule names visible in standard admin views, because the object specifically calls out modified or obfuscated rule attributes.
Likely telemetry
- Mailbox audit logs showing Outlook rule creation, modification, and triggered actions
- Unified Audit Log records for automated rule-triggered mailbox activity
- Mailbox rule metadata, including rule names, providers, and action definitions where available
- Email arrival events correlated with subsequent rule-driven automated actions
- User and mailbox context for the account where the rule was created
Detection direction
- Confirm that mailbox audit logging and Unified Audit Log ingestion are enabled and retained for the mailboxes in scope.
- Build or validate analytics that look for newly added Outlook rules with unusual, modified, or obfuscated rule name/provider attributes where those fields are available.
- Correlate rule creation or modification with later automated action on email arrival, especially where activity occurs without a corresponding interactive user action.
- Tune against legitimate business automation, helpdesk-created rules, mailbox migrations, and user-created inbox management rules to reduce false positives.
- Pay special attention to high-value mailboxes and accounts with elevated access, because the supplied object does not provide relationship context or prioritization guidance.
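As an added example (not part of the ATT&CK object or of Glexia's analysis), the rule-metadata check from the list above, run over constructed Unified Audit Log-shaped records. It assumes the rule name is exported as the `Name` parameter and that a `Provider` parameter is only present when the logging pipeline exposes PR_RULE_MSG_PROVIDER; the `RuleOrganizer` default and the baseline tuning set are assumptions to validate locally.

```python
import unicodedata

# Unified Audit Log operations that create or change inbox rules.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Provider string Outlook normally writes for user-created rules (assumption: flag others, then tune).
EXPECTED_PROVIDER = "RuleOrganizer"

def _param(record, name):
    """Look up one Name/Value pair in a UAL record's 'Parameters' array."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None

def name_is_obfuscated(name):
    """True for empty, whitespace-only, or control/format (e.g. zero-width) characters."""
    if name is None or not name.strip():
        return True
    return any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name)

def suspicious_rule_events(records, baseline=frozenset()):
    """Rule create/modify records with modified or obfuscated metadata; baseline = accepted (UserId, name) pairs."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        name = _param(r, "Name")
        provider = _param(r, "Provider")  # assumed field; None when the pipeline does not export it
        reasons = []
        if name_is_obfuscated(name):
            reasons.append("obfuscated_name")
        if provider is not None and provider != EXPECTED_PROVIDER:
            reasons.append("unexpected_provider")
        if reasons and (r.get("UserId"), name) not in baseline:
            findings.append({"time": r.get("CreationTime"), "user": r.get("UserId"),
                             "op": r["Operation"], "name": name, "reasons": reasons})
    return findings

# Constructed sample records in UAL shape (not real audit data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "New-InboxRule", "UserId": "cfo@example.test",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"}, {"Name": "Provider", "Value": "RuleOrganizer"}]},
    {"CreationTime": "2024-05-01T23:41:00", "Operation": "New-InboxRule", "UserId": "cfo@example.test",
     "Parameters": [{"Name": "Name", "Value": "\u200b"}, {"Name": "Provider", "Value": "RuleOrganizer"}]},
    {"CreationTime": "2024-05-02T02:10:00", "Operation": "Set-InboxRule", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "Provider", "Value": "custom-provider-x"}]},
]

if __name__ == "__main__":
    for f in suspicious_rule_events(SAMPLE_RECORDS):
        print(f)
```

The zero-width rule name would look blank in a standard admin view, which is why the check inspects Unicode categories rather than display text alone.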
Mitigation priorities
- Ensure mailbox audit and Unified Audit Log collection is enabled, retained, and accessible to SOC and incident response teams.
- Establish a baseline or review process for mailbox rules on sensitive accounts, focusing on rule actions and unusual metadata rather than display names alone.
- Limit and monitor administrative or delegated access capable of creating or modifying mailbox rules.
- Include suspicious mailbox rules and automated rule-triggered actions in incident response playbooks for email and identity investigations.
- Use periodic compliance or control testing to verify that rule creation, modification, and execution evidence can be produced when needed.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Office Suite behavior involving Outlook rules with modified or obfuscated PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER attributes, potentially created with tools such as MFCMapi or Ruler. The strongest defensive value is in validating audit visibility and investigation workflow around automated rule-triggered actions, not in assuming a complete detection exists.
Official detection text, tactics, mitigations, and relationship context were not supplied. This take therefore does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Teams must confirm which Outlook rule attributes are actually available in their logging pipeline and how long relevant audit data is retained.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9d2f40e8a3a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0264 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.