MITRE ATT&CK® Analytic

AN0320: Analytic 0320

Inbound spearphishing attempts delivered via third-party services (e.g., Gmail, LinkedIn messages) leading to malicious file downloads or browser-initiated script execution. Defender view includes correlation of external service logins, unexpected file write operations, and suspicious descendant processes spawned from productivity or browser applications.

Domain: Enterprise | ID: AN0320 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because phishing may arrive through services outside the organization’s primary email security path, such as webmail or messaging platforms, and then transition quickly into file downloads or browser-launched script activity on Windows endpoints. For leaders, the practical question is whether security monitoring can connect the external-service access, the resulting file write, and the process activity that follows—not just whether email gateways are tuned.

Executive priority

Prioritize this as a resilience and evidence issue for phishing defense, SOC readiness, and incident response triage. If employees can access third-party messaging or webmail, executives should ask whether monitoring covers the handoff from browser/productivity application activity to suspicious local execution. This is also useful for audit and control validation because it tests whether endpoint, identity, and web activity evidence can be correlated during a phishing investigation.

Technical view

For Windows environments, validate whether SOC workflows can correlate external service logins or access events with unexpected file write operations and suspicious descendant processes spawned from browser or productivity applications. Because the supplied ATT&CK object provides no formal detection logic and no related techniques or tactics, teams should treat this as a detection design pattern rather than a complete rule. Focus validation on process lineage, downloaded-file context, and timing relationships between service access and endpoint execution.

Likely telemetry

  • Windows endpoint process creation and parent-child process lineage
  • File creation or file write events, especially in user download and temporary locations
  • Browser and productivity application execution activity
  • External service access or login records where available
  • Endpoint security alerts or script execution telemetry tied to browser-initiated activity

Detection direction

  • Confirm that telemetry can link a third-party service interaction to subsequent file writes and descendant processes on the same Windows host or user session.
  • Tune for suspicious child processes from browsers or productivity applications while accounting for legitimate downloads, collaboration tools, and business automation.
  • Review blind spots where third-party webmail or messaging activity is not logged, where endpoint process lineage is incomplete, or where file writes are not retained long enough for investigation.
  • Use this analytic as a correlation requirement rather than a standalone indicator, since no official detection logic is provided.
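The correlation requirement described above (service interaction, file write, descendant process on one host and user session) can be sketched in code. The following is an added example, not Glexia's or MITRE's code: it reads a constructed, Sysmon-like key=value log, rebuilds process lineage per host, and raises an alert only when a script host or shell descends from a browser or productivity application that also wrote a file into a download or temp location within a configurable window. The process-name sets, path markers, window length and log format are all assumptions for illustration; a plain download with no suspicious descendant, or a script host with no browser ancestry, does not alert, which is the tuning the "Detection direction" list asks for.

```python
"""Correlation sketch for the AN0320 pattern (added example; not Glexia or MITRE code).

Input is a constructed, Sysmon-like key=value log.  An alert requires all three
pieces on one host and user session:
  1. a browser or productivity application in the process ancestry,
  2. a file written by that lineage into a download/temp location,
  3. a script host or shell started as a descendant within a time window.
PID reuse over long periods is ignored here; a production rule would key on a
process GUID as well.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed tuning lists; local allow/deny lists would replace these.
BROWSER_OR_PRODUCTIVITY = {"chrome.exe", "msedge.exe", "firefox.exe",
                           "outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
DOWNLOAD_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    kind: str          # "process_create" or "file_create"
    host: str
    user: str
    pid: int           # process that was created, or that wrote the file
    ppid: int = 0
    image: str = ""
    path: str = ""


def parse_event(line: str) -> Event:
    """Parse one 'key=value | key=value' record (constructed format)."""
    fields = {}
    for token in line.split(" | "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return Event(ts=datetime.fromisoformat(fields["ts"]), kind=fields["kind"],
                 host=fields["host"], user=fields["user"], pid=int(fields["pid"]),
                 ppid=int(fields.get("ppid", 0)), image=fields.get("image", ""),
                 path=fields.get("path", ""))


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(proc: Event, procs: Dict[Tuple[str, int], Event]) -> List[Event]:
    """Walk the parent chain on the same host; stop at a missing parent or a cycle."""
    chain, seen = [], set()
    cur = procs.get((proc.host, proc.ppid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get((cur.host, cur.ppid))
    return chain


def correlate(events: List[Event]) -> List[dict]:
    """Return one alert per script-host descendant that has download context."""
    procs = {(e.host, e.pid): e for e in events if e.kind == "process_create"}
    downloads = [e for e in events if e.kind == "file_create"
                 and any(m in e.path.lower() for m in DOWNLOAD_MARKERS)]
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "process_create" or basename(e.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, procs)
        origin = next((a for a in chain if basename(a.image) in BROWSER_OR_PRODUCTIVITY), None)
        if origin is None:
            continue                      # script host without browser/productivity lineage
        lineage = {e.pid} | {a.pid for a in chain}
        files = [f.path for f in downloads
                 if f.host == e.host and f.user == e.user and f.pid in lineage
                 and timedelta(0) <= e.ts - f.ts <= CORRELATION_WINDOW]
        if not files:
            continue                      # no download context: leave for lower-tier review
        alerts.append({"host": e.host, "user": e.user, "descendant": basename(e.image),
                       "descendant_pid": e.pid, "origin": basename(origin.image),
                       "origin_pid": origin.pid, "files": files, "ts": e.ts.isoformat()})
    return alerts


# Constructed sample log: one true positive (alice), one benign download that opens
# a PDF viewer (bob), and one script host with no browser ancestry (carol).
SAMPLE_LOG = """\
ts=2024-05-02T09:00:05 | kind=process_create | host=WS01 | user=alice | pid=4100 | ppid=900 | image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
ts=2024-05-02T09:01:10 | kind=file_create | host=WS01 | user=alice | pid=4100 | path=C:\\Users\\alice\\Downloads\\invoice_2024.js
ts=2024-05-02T09:01:30 | kind=process_create | host=WS01 | user=alice | pid=4210 | ppid=4100 | image=C:\\Windows\\System32\\wscript.exe
ts=2024-05-02T09:05:02 | kind=process_create | host=WS01 | user=bob | pid=5300 | ppid=901 | image=C:\\Program Files\\Mozilla Firefox\\firefox.exe
ts=2024-05-02T09:05:05 | kind=file_create | host=WS01 | user=bob | pid=5300 | path=C:\\Users\\bob\\Downloads\\report.pdf
ts=2024-05-02T09:05:20 | kind=process_create | host=WS01 | user=bob | pid=5410 | ppid=5300 | image=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe
ts=2024-05-02T10:00:00 | kind=process_create | host=WS02 | user=carol | pid=6100 | ppid=800 | image=C:\\Windows\\explorer.exe
ts=2024-05-02T10:00:05 | kind=process_create | host=WS02 | user=carol | pid=6200 | ppid=6100 | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""


def run_sample() -> List[dict]:
    return correlate([parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only alice's session produces an alert: the file written by chrome.exe into Downloads is tied to the wscript.exe descendant through the parent chain, on the same host and user, twenty seconds apart. The external-service login or access record from the "Likely telemetry" list would be joined onto the same host/user/time keys as a fourth condition where it is available; the routine leaves that join out because the page notes such records are often missing.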

Mitigation priorities

  • Ensure endpoint logging and retention are sufficient to reconstruct browser/productivity application process trees and file writes.
  • Review access governance and acceptable-use controls for third-party webmail, messaging, and file-sharing services based on business need.
  • Strengthen user-facing phishing reporting and incident response playbooks for cases originating outside the corporate email gateway.
  • Validate that SOC triage can pivot from a suspicious file or process back to the initiating user activity and external service context.

Analyst notes and limits

The object is a MITRE ATT&CK detection analytic for Windows in the enterprise domain. It describes a defender view for inbound spearphishing delivered through third-party services and emphasizes correlation across service access, file writes, and descendant processes. No tactics, relationships, aliases, labels, or official detection query are supplied.

This take is constrained to the supplied ATT&CK fields. It does not establish active exploitation, attribution, business impact, or guaranteed detection coverage. Local validation is required to determine which third-party services are permitted, which logs are collected, and whether endpoint telemetry is complete enough for correlation.

Official MITRE ATT&CK definition

Analytic 0320

Inbound spearphishing attempts delivered via third-party services (e.g., Gmail, LinkedIn messages) leading to malicious file downloads or browser-initiated script execution. Defender view includes correlation of external service logins, unexpected file write operations, and suspicious descendant processes spawned from productivity or browser applications.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 177639b1bee05f7b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | 177639b1bee0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0320 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.