AN0525: Analytic 0525
Detects deletion or hiding of security-related mail rules, audit mailboxes, or calendar/log sync artifacts indicative of tampering post-intrusion.
Analyst context for executives and security teams
AN0525 matters because it focuses on evidence tampering in office-suite mail and calendar environments after an intrusion. For leaders, the issue is not just mailbox misuse; it is whether attackers can hide forwarding rules, audit-related mailboxes, or synchronization artifacts that responders rely on to reconstruct what happened. If these records are deleted or hidden, incident scope, legal/audit evidence, and business recovery decisions become less reliable.
Executive priority
Prioritize this analytic where office-suite messaging and calendaring are business-critical or used for sensitive communications. Executives should ask whether mail rule changes, audit mailbox changes, and calendar/log synchronization artifacts are retained, monitored, and reviewable during incidents. This supports incident response readiness, compliance evidence preservation, and confidence in post-intrusion investigation timelines.
Technical view
For SOC and IR teams, AN0525 is a validation point for office-suite telemetry covering deletion or concealment of security-relevant mail artifacts. ATT&CK supplies neither detection logic nor a tactic mapping for this analytic, so teams must map it themselves to local office-suite audit sources and confirm that changes to mail rules, audit mailboxes, and calendar or log synchronization artifacts are actually observable. Investigation should ask whether these actions follow suspicious account activity or other intrusion indicators, while allowing for legitimate administrative cleanup or migration work.
Likely telemetry
- Office-suite audit logs for mailbox and mail rule changes
- Administrative activity logs related to audit mailboxes or logging configuration
- Calendar and synchronization logs or artifacts
- Mailbox configuration change history
- Identity/session context for the account performing deletion or hiding actions
Detection direction
- Validate that office-suite logging captures deletion, hiding, or modification of security-related mail rules and audit-related mailboxes.
- Correlate artifact tampering with account sign-in context, administrative actions, and other post-intrusion indicators where available.
- Tune for known administrative maintenance, migrations, retention changes, and help desk workflows to reduce false positives.
- Check blind spots where audit logging, mailbox configuration history, or sync artifact retention is disabled, short-lived, or inaccessible to the SOC.
- Because no official detection logic is provided, require local testing against approved administrative actions and simulated benign changes before operationalizing alerts.
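The correlation, tuning and blind-spot checks above, as an added example that is not part of the ATT&CK object or of this page's analysis. It runs detection logic over a few constructed audit records; the pipe-delimited record format, the field names, the operation names (MailRuleDeleted, MailRuleHidden, AuditMailboxDeleted, CalendarSyncLogPurged) and the sign-in risk flags are all assumptions for illustration, not any vendor's log schema, and would be replaced by the local product's actual audit operations.

```python
"""Correlate mail-artifact tampering with prior suspicious sign-ins.

Added example for AN0525. The record format, field names, operation names and
risk flags below are constructed assumptions, not any vendor's audit-log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Operations treated as deletion/hiding of security-relevant mail artifacts (assumed names).
TAMPER_OPS = {"MailRuleDeleted", "MailRuleHidden", "AuditMailboxDeleted", "CalendarSyncLogPurged"}
# Sign-in risk flags treated as post-intrusion indicators (assumed names).
RISKY_SIGNIN_FLAGS = {"unfamiliar_ip", "impossible_travel", "legacy_auth"}
LOOKBACK = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    op: str
    target: str
    flags: frozenset
    ticket: str  # change-control reference; empty when none was recorded


def parse_event(line: str) -> Event:
    """Parse one 'ts|actor|op|target|flag1,flag2|ticket' record (constructed format)."""
    ts, actor, op, target, flags, ticket = line.rstrip("\n").split("|")
    return Event(datetime.fromisoformat(ts), actor, op, target,
                 frozenset(f for f in flags.split(",") if f), ticket)


def find_tampering(events, lookback=LOOKBACK):
    """One alert per tamper operation that carries no change ticket (the tuning step).

    Severity is 'high' when the same actor had a risky sign-in within the lookback
    window before the change, otherwise 'low' so it still gets reviewed.
    """
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.op not in TAMPER_OPS or ev.ticket:
            continue
        risky = [p for p in events[:i]
                 if p.actor == ev.actor and p.op == "SignIn"
                 and p.flags & RISKY_SIGNIN_FLAGS
                 and ev.ts - p.ts <= lookback]
        indicators = sorted(set().union(*(p.flags & RISKY_SIGNIN_FLAGS for p in risky))) if risky else []
        alerts.append({"ts": ev.ts.isoformat(), "actor": ev.actor, "op": ev.op,
                       "target": ev.target,
                       "severity": "high" if risky else "low",
                       "indicators": indicators})
    return alerts


def unobserved_ops(events, expected=TAMPER_OPS):
    """Blind-spot check: tamper operations that never appear in the feed.

    Run this over a validation window in which each operation was performed on
    purpose; anything returned is not being logged, or not reaching the SOC.
    """
    return sorted(expected - {e.op for e in events})


# Constructed sample records: one risky actor, one benign, one ticketed change, one stale sign-in.
SAMPLE_LOG = """\
2024-05-01T08:00:00|alice|SignIn|portal|unfamiliar_ip|
2024-05-01T08:12:00|alice|MailRuleDeleted|rule:Forward security alerts to SOC||
2024-05-01T09:00:00|bob|SignIn|portal||
2024-05-01T09:05:00|bob|MailRuleHidden|rule:Quarantine notices||
2024-05-02T10:00:00|carol|SignIn|portal|impossible_travel|
2024-05-02T10:30:00|carol|AuditMailboxDeleted|mailbox:audit-archive||CHG-2041
2024-05-03T11:00:00|dave|SignIn|portal|legacy_auth|
2024-05-04T12:00:00|dave|MailRuleDeleted|rule:Log forwarding||
"""


def run_sample():
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return find_tampering(events), unobserved_ops(events)


if __name__ == "__main__":
    alerts, gaps = run_sample()
    for alert in alerts:
        print(alert["severity"].upper(), alert)
    print("never observed in feed:", gaps)
```

On the sample, alice's rule deletion twelve minutes after a sign-in from an unfamiliar IP is the only high-severity alert; bob's hidden rule and dave's deletion (his risky sign-in is 25 hours old, outside the window) surface as low; carol's audit-mailbox deletion is suppressed by its change ticket. The blind-spot check reports that CalendarSyncLogPurged never appeared, which in a validation run where it was performed deliberately would mean that artifact is not being logged. Ticket-based suppression is only as trustworthy as the change-control process behind it, so a ticket reference an attacker can type into a free-text field should not be treated as an allowlist on its own.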
Mitigation priorities
- Ensure office-suite audit and mailbox configuration logging is enabled and retained long enough to support investigations.
- Restrict and review privileges that can delete or hide mail rules, audit mailboxes, or relevant synchronization artifacts.
- Establish change-control expectations for administrative mailbox and logging changes so suspicious tampering stands out.
- Include preservation of mail rules, audit mailbox state, and calendar/log sync artifacts in incident response collection procedures.
- Periodically validate that responders can retrieve these artifacts during tabletop or technical readiness exercises.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Office Suite environments and specifically describes tampering with security-related mail rules, audit mailboxes, or calendar/log sync artifacts. No relationships, tactics, or official detection implementation details were supplied, so this take emphasizes defensive validation and evidence preservation rather than a specific rule.
This assessment is limited to the supplied STIX fields, external reference, and description. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local office-suite products, logging configuration, retention, administrative workflows, and identity context are required to determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dac1d8e61e33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0525 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.