AN0551: Analytic 0551
Suspicious creation or modification of inbox rules through PowerShell (New-InboxRule, Set-InboxRule) to automatically delete, move, or hide emails. Defender perspective: unusual rule activity correlated with mailbox access and filtering patterns.
Analyst context for executives and security teams
This analytic is about spotting suspicious mailbox rule changes made through PowerShell on Windows, specifically rules that delete, move, or hide email. For leaders, the significance is that mailbox rules can quietly affect visibility into business communications, security alerts, approvals, and incident evidence. Even without a supplied ATT&CK tactic or relationship context, this behavior is important because it tests whether the organization can see and explain automated email filtering changes tied to mailbox access.
Executive priority
Prioritize this as an email and identity monitoring validation item: can the team identify who created or changed inbox rules, from where, and whether the rule suppresses or redirects important messages? This supports incident response readiness, audit evidence for mailbox administration, and continuity of communications where hidden or deleted messages could delay decisions or investigations.
Technical view
SOC and detection teams should validate monitoring for PowerShell use of New-InboxRule and Set-InboxRule on Windows, especially when the rule's action parameters (for example -DeleteMessage, -MoveToFolder, -MarkAsRead, -ForwardTo, or -RedirectTo) cause messages to be deleted, moved, or hidden automatically. Because the official detection field is not provided, coverage should be tested against local telemetry: command execution, mailbox audit events, authentication or mailbox access context, and the resulting filtering behavior. Tuning should distinguish normal administrative or user-created rules from unusual rule activity correlated with mailbox access patterns, rather than alerting on every rule change.
Likely telemetry
- Windows PowerShell command execution logs (for example script block or module logging) showing New-InboxRule or Set-InboxRule
- Mailbox audit or administrative logs (for example the Exchange admin audit log or the Microsoft 365 unified audit log) recording inbox rule creation and modification
- Rule properties showing delete, move, mark-as-read, forward, or redirect actions, and the conditions (sender, subject, or body keywords) that select messages
- Mailbox access and authentication context associated with the rule change
- Email filtering or message disposition evidence showing messages being automatically moved, deleted, or hidden
Detection direction
- Confirm whether PowerShell command visibility is enabled and retained for Windows systems where mailbox administration occurs.
- Correlate inbox rule changes with mailbox access context rather than alerting only on the existence of a rule change.
- Review rule actions and conditions for automatic deletion, movement, or hiding of messages, with special attention to rules affecting security, approval, financial, or executive communications.
- Account for false positives from legitimate user productivity rules and authorized administration; require context such as unusual access, uncommon rule behavior, or sensitive mailbox scope.
- Document blind spots where mailbox audit logs, PowerShell logging, or message disposition data are unavailable or retained too briefly.
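The following is an added example, not code from the original page or from MITRE's analytic, showing how the detection direction above can be turned into logic that runs over audit records: it alerts only when a hiding or forwarding rule action is paired with context (sensitive keywords or an access path outside a trusted baseline), so plain productivity rules do not fire. It assumes records shaped like Microsoft 365 unified audit log AuditData entries (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs); the sample records, the trusted network range, the folder list and the keyword list are all constructed and should be tuned locally.

```python
"""Triage New-InboxRule / Set-InboxRule audit records for hiding or forwarding rules.

Added example (not part of the original page). Assumes unified-audit-log-style
records; all sample data and baselines below are constructed, not real telemetry.
"""
import ipaddress

# Folders attackers commonly use to bury mail (assumption: tune per tenant).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}
# Keywords tied to security, finance, or approval traffic (assumption: tune locally).
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "security",
                   "alert", "approval", "mfa", "verification"}
# Constructed corporate egress range standing in for your real access baseline.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_parameters(record):
    """Flatten the Parameters list into {'DeleteMessage': 'True', ...}."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def client_address(raw):
    """Strip the port Exchange appends to ClientIP ('1.2.3.4:443', '[2001:db8::1]:443')."""
    if raw.startswith("["):
        raw = raw[1:raw.index("]")]
    elif raw.count(":") == 1:
        raw = raw.split(":")[0]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def hiding_actions(params):
    """List rule actions that remove messages from the user's view or exfiltrate them."""
    found = []
    if params.get("DeleteMessage", "").lower() == "true":
        found.append("DeleteMessage")
    folder = params.get("MoveToFolder", "")          # form: 'user@example.com:\Folder'
    if folder.split("\\")[-1].lower() in HIDING_FOLDERS:
        found.append(f"MoveToFolder={folder}")
    if params.get("MarkAsRead", "").lower() == "true":
        found.append("MarkAsRead")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(key):
            found.append(f"{key}={params[key]}")
    return found


def sensitive_keywords(params):
    """Return sorted sensitive words used in the rule's subject/body conditions."""
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in params.get(key, "").split(";") if w.strip())
    return sorted(words & SENSITIVE_WORDS)


def evaluate(record):
    """Verdict for one audit record; None if it is not an inbox-rule change."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = parse_parameters(record)
    actions = hiding_actions(params)
    keywords = sensitive_keywords(params)
    addr = client_address(record.get("ClientIP", ""))
    untrusted = addr is None or not any(addr in net for net in TRUSTED_NETWORKS)
    # Require an action AND context, not merely the existence of a rule change.
    suspicious = bool(actions) and (bool(keywords) or untrusted)
    return {"user": record.get("UserId"),
            "rule": params.get("Name") or params.get("Identity", "<unnamed>"),
            "operation": record["Operation"], "actions": actions,
            "keywords": keywords, "untrusted_access": untrusted,
            "suspicious": suspicious}


def triage(records):
    """Return verdicts for the suspicious rule changes in a batch of records."""
    return [v for v in (evaluate(r) for r in records) if v and v["suspicious"]]


# Constructed sample records (not real telemetry), shaped like AuditData entries.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.23:443",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer;payment"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.10:443",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "bob@example.com:\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "[2001:db8::5]:443",
     "Parameters": [{"Name": "Identity", "Value": "carol@example.com\\Cleanup"},
                    {"Name": "MoveToFolder", "Value": "carol@example.com:\\RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com", "ClientIP": "203.0.113.44:443",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "dave@example.com:\\Finance\\Invoices"}]},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        print(f"{v['operation']} by {v['user']} rule={v['rule']!r} actions={v['actions']} "
              f"keywords={v['keywords']} untrusted_access={v['untrusted_access']}")
```

Run as written, the triage flags alice (delete plus mark-as-read on invoice and payment subjects from an address outside the trusted range) and carol (rule modified from an untrusted IPv6 address to bury mail in RSS Subscriptions), while bob's newsletter rule and dave's finance-folder rule, which act on the same kind of keywords but do not hide messages, stay quiet. The same action-plus-context structure ports directly to a KQL or SPL query over the live audit feed.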
Mitigation priorities
- Ensure mailbox rule creation and modification are auditable and retained long enough for investigations.
- Restrict and review administrative pathways that allow PowerShell-based mailbox rule management where appropriate.
- Establish review processes for high-risk inbox rules, especially those that delete, move, or hide messages automatically.
- Include suspicious inbox rule review in incident response playbooks for mailbox or identity-related investigations.
- Use the analytic as a control-validation scenario rather than assuming detection exists, since no official detection logic was supplied.
Analyst notes and limits
The supplied object is a detection analytic, AN0551, for Windows-focused PowerShell activity involving New-InboxRule and Set-InboxRule. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied, so this take emphasizes defensive validation and evidence requirements rather than asserting a specific adversary behavior chain.
This assessment is limited to the official STIX fields, the MITRE external reference, and the supplied description. It does not establish active exploitation, attribution, business impact, or guaranteed detection coverage. Local mailbox platform configuration, logging policy, retention, and administrative practices are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b20e0d33cd2c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0551
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.