AN0473: Analytic 0473
Adversary installs or modifies email content filters or transport scripts (e.g., Postfix milter, Sendmail milter, Exim filters) using shell access or configuration manipulation.
Analyst context for executives and security teams
This analytic concerns unauthorized installation or modification of email filtering and transport logic on Linux mail servers, such as Postfix, Sendmail, or Exim filters. For leaders, the practical issue is not just a configuration change: email infrastructure is often business-critical, and hidden changes to mail-processing logic can undermine trust in communications, disrupt mail flow, or create difficult-to-investigate integrity issues.
Executive priority
Treat this as a control-validation topic for organizations that operate Linux-based mail transfer infrastructure. Leaders should ask whether mail server changes are governed by change control, whether privileged shell access is limited and auditable, and whether SOC and IR teams can reconstruct who changed filter or transport configuration and when. Because the ATT&CK object provides no official detection logic or related techniques, priority should be based on local dependence on Linux mail servers and the business impact of compromised or misconfigured email routing and filtering.
Technical view
The supplied ATT&CK object is a detection analytic for Linux where an adversary installs or modifies email content filters or transport scripts through shell access or configuration manipulation. SOC and detection engineering teams should validate coverage around configuration and script changes for Postfix milter, Sendmail milter, Exim filters, and related mail-processing paths. IR teams should be prepared to compare current mail server configuration against known-good baselines, review privileged shell activity, and correlate configuration changes with mail service reloads or restarts. No ATT&CK tactic, relationship context, or official detection text was supplied, so detections should be locally engineered and tested against the organization’s actual mail stack.
Likely telemetry
- Linux file integrity or configuration monitoring for mail server filter, milter, transport, and script locations
- Privileged shell session logs and authentication records for mail servers
- Process execution telemetry showing editors, shell commands, configuration utilities, or service control activity affecting mail services (for example postconf, postfix reload, systemctl restart postfix, or edits to main.cf and master.cf)
- Mail server logs from Postfix, Sendmail, Exim, or equivalent Linux mail transfer agents
- Service reload, restart, enablement, and daemon configuration change records
Detection direction
- Establish known-good baselines for Linux mail server filter and transport configuration before writing high-confidence alerts.
- Alert or review unexpected changes to Postfix milter, Sendmail milter, Exim filter, transport, and related script files, especially outside approved change windows.
- Correlate file or configuration changes with privileged logins, shell activity, service reloads, and mail server behavior changes.
- Tune out expected administrative changes from patching, mail gateway maintenance, and approved filter updates to reduce false positives.
- Pay attention to blind spots where mail servers lack endpoint telemetry, file integrity monitoring, centralized authentication logs, or configuration versioning.
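The baseline comparison and correlation steps in the list above (and the IR workflow in the technical view) as an added example; this is not code from the ATT&CK object or this page. The script diffs the filter and transport settings of a Postfix main.cf against a known-good baseline, then joins file-write events under mail-processing paths with the preceding SSH login and the following Postfix reload, marking off-hours edits and tuning out package-manager writes inside the change window. All main.cf content, baseline values and log lines are constructed; the "fim:" write-event format, host name, user names and change window are assumptions.

```python
"""Baseline diff and log correlation for Postfix filter/transport changes.
Added example, not code from the ATT&CK object or the Glexia page. All
main.cf text, baseline values and log lines are constructed; the 'fim:'
write-event format, host name, user names and change window are assumptions.
"""
import re
from datetime import datetime, time, timedelta, timezone

# main.cf settings that change how mail is filtered or routed.
MONITORED_KEYS = {"smtpd_milters", "non_smtpd_milters", "content_filter", "transport_maps"}
# Path prefixes holding filter, milter, transport and script definitions.
MONITORED_PATHS = ("/etc/postfix/", "/etc/mail/", "/etc/exim", "/usr/local/bin/")
# Writers treated as patching when they run inside the change window.
EXPECTED_EXE = {"/usr/bin/apt", "/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/dnf"}
# Constructed known-good baseline, as kept in version control.
BASELINE = {"smtpd_milters": "inet:127.0.0.1:8891",
            "non_smtpd_milters": "inet:127.0.0.1:8891", "content_filter": "",
            "transport_maps": "hash:/etc/postfix/transport"}
# Constructed current main.cf: an extra milter socket and a new content_filter.
CURRENT_MAIN_CF = """\
myhostname = mx1.example.net
smtpd_milters = inet:127.0.0.1:8891,
    unix:/var/spool/postfix/filter.sock
non_smtpd_milters = inet:127.0.0.1:8891
content_filter = scan:127.0.0.1:10025
transport_maps = hash:/etc/postfix/transport
"""
# Constructed host log: sshd login, file-write events, Postfix reload.
LOG_LINES = [
    "2024-05-02T02:13:05Z mx1 sshd[1201]: Accepted publickey for ops from 203.0.113.7 port 50122 ssh2",
    "2024-05-02T02:14:10Z mx1 fim: user=ops exe=/usr/bin/vi write path=/etc/postfix/main.cf",
    "2024-05-02T02:14:30Z mx1 postfix/postfix-script[1300]: refreshing the Postfix mail system",
    "2024-05-02T09:01:00Z mx1 fim: user=root exe=/usr/bin/apt write path=/etc/postfix/main.cf.dpkg-new",
    "2024-05-02T23:40:02Z mx1 fim: user=root exe=/usr/bin/cp write path=/usr/local/bin/mailfilter.sh",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
WRITE_RE = re.compile(r"user=(?P<user>\S+) exe=(?P<exe>\S+) write path=(?P<path>\S+)")


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    settings, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            settings[key] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        settings[key] = value.strip()
    return settings


def diff_against_baseline(current, baseline):
    """Return {key: (baseline, current)} for monitored keys whose value differs."""
    return {k: (baseline.get(k, ""), current.get(k, "")) for k in sorted(MONITORED_KEYS)
            if baseline.get(k, "") != current.get(k, "")}


def parse_line(line):
    """Turn one log line into a login, write or reload event, or None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if m["prog"] == "sshd" and (lm := LOGIN_RE.search(m["msg"])):
        return {"ts": ts, "kind": "login", "user": lm["user"], "src": lm["src"]}
    if m["prog"] == "fim" and (wm := WRITE_RE.search(m["msg"])):
        return {"ts": ts, "kind": "write", **wm.groupdict()}
    if m["prog"].startswith("postfix/") and "refreshing the Postfix mail system" in m["msg"]:
        return {"ts": ts, "kind": "reload"}
    return None


def correlate(events, window=timedelta(minutes=30), change_hours=(time(9, 0), time(17, 0))):
    """Flag writes under monitored paths, joined to the preceding login and following reload."""
    logins = [e for e in events if e["kind"] == "login"]
    reloads = [e for e in events if e["kind"] == "reload"]
    findings = []
    for e in events:
        if e["kind"] != "write" or not e["path"].startswith(MONITORED_PATHS):
            continue
        login = next((lg for lg in reversed(logins) if lg["user"] == e["user"]
                      and timedelta(0) <= e["ts"] - lg["ts"] <= window), None)
        reload = next((r for r in reloads if timedelta(0) <= r["ts"] - e["ts"] <= window), None)
        in_window = change_hours[0] <= e["ts"].time() <= change_hours[1]
        if in_window and e["exe"] in EXPECTED_EXE:
            severity = "expected"      # patching inside the change window
        elif not in_window:
            severity = "high" if (login or reload) else "medium"  # off-hours edit
        else:
            severity = "review"
        findings.append({"ts": e["ts"].isoformat(), "path": e["path"], "user": e["user"],
                         "exe": e["exe"], "login_src": login["src"] if login else None,
                         "reloaded": reload is not None, "severity": severity})
    return findings


def run_check():
    """Return (baseline diff, correlated findings) for the constructed data."""
    changes = diff_against_baseline(parse_main_cf(CURRENT_MAIN_CF), BASELINE)
    return changes, correlate([e for e in map(parse_line, LOG_LINES) if e])


if __name__ == "__main__":
    print(*run_check(), sep="\n")
```

On the constructed data the diff reports two changed settings (smtpd_milters gained a second socket, content_filter was set) and the correlation yields three findings: the 02:14 edit by "ops" is high because an SSH login preceded it and a reload followed it outside the change window, the 09:01 apt write is tuned out as patching, and the 23:40 copy into /usr/local/bin is medium because nothing ties it to a session or a reload. In production the baseline would come from version control and the events from auditd or a file integrity monitor, with the "fim:" parser replaced by one for the real format.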
Mitigation priorities
- Restrict and audit shell access to Linux mail servers using least privilege and administrative separation.
- Place mail filter, milter, transport, and script changes under formal change control with reviewable evidence.
- Use configuration management or version control to preserve known-good mail server configurations and support rapid comparison during investigations.
- Enable file integrity monitoring or equivalent change detection on mail-processing configuration and script paths.
- Harden ownership and permissions for mail server configuration files and transport scripts so routine users cannot modify them.
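The ownership and permission hardening in the last bullet as an added example; this is not code from the ATT&CK object or this page. The audit extracts the scripts named by argv= in Postfix master.cf pipe(8) transports, then checks master.cf and each script for a non-approved owner, group- or world-writable mode, a symlink, or a missing target. The master.cf text is constructed and written into a temporary directory together with the scripts it references so the check runs offline; the transport names, script names and the "mailops" user are assumptions.

```python
"""Ownership and permission audit for scripts named in Postfix master.cf.
Added example, not code from the ATT&CK object or the Glexia page. The
master.cf text is constructed and written to a temporary directory with the
scripts it references; the transport names and 'mailops' user are assumptions.
"""
import os
import re
import stat
import tempfile

# Constructed master.cf: three pipe(8) transports whose argv= names a script.
# @GOOD@, @LOOSE@ and @GONE@ are replaced with temp-dir paths by build_fixture().
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
cleanup   unix  n       -       y       -       0       cleanup
filter    unix  -       n       n       -       10      pipe
  flags=Rq user=mailops null_sender=
  argv=@GOOD@ -f ${sender} -- ${recipient}
rewrite   unix  -       n       n       -       10      pipe
  flags=Rq user=mailops argv=@LOOSE@ ${recipient}
legacy    unix  -       n       n       -       10      pipe
  flags=Rq user=mailops argv=@GONE@ ${recipient}
"""
ARGV_RE = re.compile(r"argv=(\S+)")


def scripts_from_master_cf(text):
    """Return (transport, script) for every pipe transport; argv= may sit on a continuation line."""
    found, transport = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0] not in " \t" and len(fields) >= 8:   # service line: name ... command
            transport = fields[0] if fields[7] == "pipe" else None
        if transport and (m := ARGV_RE.search(raw)):
            found.append((transport, m.group(1)))
    return found


def audit_file(path, allowed_owners):
    """Return the problems found with one config file or transport script."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: transport points at a script that does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink: audit the link target as well")
    if st.st_uid not in allowed_owners:
        problems.append(f"owner uid {st.st_uid} is not an approved owner")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit(master_cf_path, allowed_owners=(0,)):
    """Audit master.cf itself and every script its pipe transports run."""
    with open(master_cf_path) as fh:
        text = fh.read()
    results = {master_cf_path: audit_file(master_cf_path, allowed_owners)}
    for _transport, script in scripts_from_master_cf(text):
        results[script] = audit_file(script, allowed_owners)
    return results


def build_fixture():
    """Write the constructed master.cf and two scripts (one 0755, one 0777) to a temp dir."""
    root = tempfile.mkdtemp(prefix="postfix-audit-")
    paths = {tag: os.path.join(root, name) for tag, name in
             (("@GOOD@", "mailfilter.sh"), ("@LOOSE@", "rewrite.sh"), ("@GONE@", "gone.sh"))}
    for tag, mode in (("@GOOD@", 0o755), ("@LOOSE@", 0o777)):
        with open(paths[tag], "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(paths[tag], mode)
    text = MASTER_CF
    for tag, path in paths.items():
        text = text.replace(tag, path)
    master = os.path.join(root, "master.cf")
    with open(master, "w") as fh:
        fh.write(text)
    os.chmod(master, 0o644)
    return master


def run_demo():
    """Build the fixture, audit it with the current user as the approved owner, key by file name."""
    results = audit(build_fixture(), allowed_owners=(os.getuid(),))
    return {os.path.basename(p): v for p, v in results.items()}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
```

Against a real server the approved owner would be root (the default), the path would be /etc/postfix/master.cf, and the same audit_file check can be pointed at main.cf, the transport map files and any milter sockets referenced from main.cf; in the constructed fixture master.cf and mailfilter.sh pass, rewrite.sh is flagged as group- and world-writable, and gone.sh is reported missing.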
Analyst notes and limits
This object is a detection analytic, not a technique, and the supplied record has no tactic mapping, no official detection text, and no relationship context. The strongest defensive value is therefore in using it as a prompt to verify monitoring and governance around Linux mail server configuration changes. Applicability depends on whether the environment runs Linux-based Postfix, Sendmail, Exim, or similar mail transfer infrastructure.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, specific impact, or guaranteed detection coverage. Local mail server architecture, logging depth, administrative workflows, and configuration baselines are required to turn this into operational detection or audit evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf399a4fe880… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0473 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.