MITRE ATT&CK® Analytic

AN0472: Analytic 0472

Adversary registers a malicious Microsoft Exchange transport agent DLL (.NET assembly), configures it via PowerShell or Exchange Management Shell, and persists code execution by manipulating email processing logic based on rules or headers.

Domain: Enterprise | Object: AN0472 (Analytic) | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it points to a persistence path inside Microsoft Exchange mail processing: a malicious transport agent DLL can allow code to run as email is handled. For leaders, the practical issue is not just malware on a Windows server; it is unauthorized logic embedded in a business-critical messaging system, where disruption, covert persistence, and weak change control can affect continuity and investigation confidence.

Executive priority

Prioritize validation where Exchange servers support critical communications or regulated workflows. Ask whether transport agent configuration is governed, logged, reviewed, and recoverable; whether incident response teams know how to verify authorized Exchange components; and whether SOC coverage includes administrative changes made through PowerShell or Exchange Management Shell. This is a control-assurance issue as much as a detection issue: unauthorized mail-processing components can undermine resilience, audit evidence, and containment decisions.

Technical view

ATT&CK identifies a Windows-focused detection analytic for adversary registration of a malicious Microsoft Exchange transport agent DLL, configured through PowerShell or Exchange Management Shell, with persistence achieved by manipulating email processing logic based on rules or headers. Because no official detection logic or relationships are supplied, defenders should validate local visibility around Exchange transport agent inventory, DLL/module file locations, configuration changes, administrative shell activity, and service or process behavior associated with Exchange mail transport. Detection engineering should focus on distinguishing expected Exchange administration and approved transport agents from newly registered, modified, or unusual agents.

Likely telemetry

  • Exchange transport agent inventory and configuration state
  • PowerShell and Exchange Management Shell command logging
  • Windows event logs from Exchange servers
  • File creation or modification telemetry for Exchange-related DLL/.NET assembly locations
  • Process execution telemetry for administrative shells and Exchange services

Detection direction

  • Baseline approved Exchange transport agents and alert on new, modified, disabled, or unexpectedly ordered agents.
  • Correlate transport agent configuration changes with PowerShell or Exchange Management Shell activity and an approved change record.
  • Review DLL or .NET assembly creation and modification on Exchange servers, especially where tied to Exchange transport processing.
  • Tune for legitimate administrative work, upgrades, security tooling, and mail gateway integrations to reduce false positives.
  • Account for blind spots where PowerShell logging, Exchange administrative audit logs, endpoint telemetry, or file integrity monitoring are not enabled on Exchange servers.

Mitigation priorities

  • Establish and maintain an approved inventory of Exchange transport agents and associated DLLs.
  • Restrict Exchange administrative privileges and PowerShell/Exchange Management Shell access to authorized administrators.
  • Require change control and review for transport agent registration, ordering, enablement, and file deployment.
  • Enable and retain relevant Exchange, PowerShell, Windows, and endpoint telemetry on Exchange servers.
  • Use file integrity monitoring or equivalent validation for Exchange-related binaries and configuration where operationally feasible.
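
The following script is an added defender-side example (not MITRE or Glexia code) that implements the baseline-and-alert step from Detection direction together with the approved-inventory control from Mitigation priorities. It runs in the Exchange Management Shell and uses the real Get-TransportAgent cmdlet; the baseline file location is an assumption.

```powershell
# Added example: compare the live Exchange transport agent inventory against an
# approved baseline (JSON) and report drift. Run in the Exchange Management Shell.
$BaselinePath = 'C:\Baselines\transport-agents.json'   # assumed location

function Get-AgentSnapshot {
    # Capture identity, order, state, factory class, assembly path and assembly hash.
    Get-TransportAgent | ForEach-Object {
        $hash = if ($_.AssemblyPath -and (Test-Path $_.AssemblyPath)) {
            (Get-FileHash -Path $_.AssemblyPath -Algorithm SHA256).Hash
        } else { $null }   # a missing assembly file is itself worth flagging
        [pscustomobject]@{
            Identity = [string]$_.Identity
            Priority = [int]$_.Priority
            Enabled  = [bool]$_.Enabled
            Factory  = $_.TransportAgentFactory
            Assembly = $_.AssemblyPath
            Sha256   = $hash
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the current state; a human must review it before it is trusted.
    Get-AgentSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath; review it against your change records."
    return
}

$approved = @{}
foreach ($a in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $approved[$a.Identity] = $a }
$findings = @()

foreach ($cur in Get-AgentSnapshot) {
    $base = $approved[$cur.Identity]
    if (-not $base) { $findings += "NEW agent '$($cur.Identity)' -> $($cur.Assembly)"; continue }
    if ($cur.Assembly -ne $base.Assembly) { $findings += "PATH changed for '$($cur.Identity)': $($cur.Assembly)" }
    if ($cur.Sha256   -ne $base.Sha256)   { $findings += "HASH mismatch for '$($cur.Identity)' ($($cur.Assembly))" }
    if ($cur.Priority -ne $base.Priority) { $findings += "ORDER changed for '$($cur.Identity)': $($base.Priority) -> $($cur.Priority)" }
    if ($cur.Enabled  -ne $base.Enabled)  { $findings += "STATE changed for '$($cur.Identity)': Enabled=$($cur.Enabled)" }
    $approved.Remove($cur.Identity)   # anything left afterwards was removed from the server
}
foreach ($gone in $approved.Keys) { $findings += "REMOVED agent '$gone'" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Transport agents match the approved baseline.' }
```

Each finding should be correlated with an approved change record before it is closed; a hash mismatch on an agent whose path and priority are unchanged is the case most worth a closer look.
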

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique entry. It specifies Windows and Microsoft Exchange transport agent DLL behavior, but does not provide tactics, detection pseudocode, data components, mitigations, related techniques, or threat actor relationships. The strongest defensive use is as a prompt to validate Exchange-specific administrative visibility and configuration integrity.

Assessment is limited to the official STIX fields, external reference, and absence of relationship context supplied here. No claim is made about active exploitation, attribution, impact, or existing detection coverage. Local Exchange architecture, enabled logging, approved transport agents, and administrative practices are required to determine exposure and detection quality.

Official MITRE ATT&CK definition

Analytic 0472

Adversary registers a malicious Microsoft Exchange transport agent DLL (.NET assembly), configures it via PowerShell or Exchange Management Shell, and persists code execution by manipulating email processing logic based on rules or headers.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded)
Modified: (not recorded)
Raw hash: b7eef566c9f4636e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not recorded) | 1.0 | (not recorded) | Current bundle | b7eef566c9f4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0472 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.