AN0553: Analytic 0553
Rule manipulation through local email clients (e.g., Evolution, Thunderbird) or server-side filtering scripts (e.g., sieve) creating conditions to move or discard emails with security-related keywords.
Analyst context for executives and security teams
This analytic is about watching for email rule manipulation on Linux systems where local mail clients or server-side filtering scripts are configured to move or discard messages containing security-related keywords. For leaders, the business issue is not the email rule itself; it is the possibility that important security, compliance, or incident communications could be hidden from users or responders if mail filtering is abused.
Executive priority
Prioritize this where Linux users or servers rely on local email clients such as Evolution or Thunderbird, or filtering mechanisms such as sieve, for business or security communications. Ask whether security-relevant email routing and deletion rules are visible to administrators, logged, reviewed, and recoverable. This is especially relevant to incident response readiness and audit evidence because hidden or discarded security notifications can delay investigation and decision-making.
Technical view
SOC and IR teams should validate whether Linux email rule changes are observable for local clients and server-side filtering scripts. Because the ATT&CK object provides no official detection logic and no relationship context, detection engineering should focus on local environment baselining: identify where mail rules are stored, how sieve scripts are managed, who can modify them, and whether changes involving security-related keywords, move actions, or discard/delete actions can be reviewed. Treat findings as context-dependent and investigate alongside account activity, file modification evidence, and mail server/client logs where available.
Likely telemetry
- Linux file modification events for email client rule or configuration files
- Mail client configuration artifacts for Evolution or Thunderbird where deployed
- Server-side filtering script artifacts such as sieve rules where used
- Mail server or filtering service logs showing rule updates, message moves, discards, or deletions
- Account or session activity associated with users or processes modifying mail filtering configuration
Detection direction
- Inventory Linux mail clients and server-side filtering mechanisms before writing detections; this analytic only names Linux, Evolution, Thunderbird, and sieve as relevant examples.
- Baseline legitimate mail rule changes and tune for suspicious conditions involving security-related terms combined with move, discard, delete, or redirect-like outcomes.
- Correlate rule changes with the modifying user, host, timestamp, and subsequent disappearance or rerouting of security-related messages.
- Expect false positives from user-created mailbox organization rules, helpdesk workflows, or administrator-managed filtering; prioritize rules that suppress security communications or are newly created during an investigation window.
- Address blind spots where local email client configuration files are not monitored, sieve script changes are not logged, or mail filtering changes are only visible on endpoints rather than centralized mail infrastructure.
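One way to turn the "security-related terms combined with move, discard, delete, or redirect-like outcomes" direction into a concrete check, added here as an example that is not part of the analytic or of MITRE's material: a Python triage script that parses a sieve filter script (the server-side mechanism the analytic names), flags rules whose test mentions a security term and whose action files the message into a hiding folder, discards it, or redirects it, and then reports only the rules that were not present in a previously reviewed baseline. The two sieve scripts, the keyword list and the folder list are constructed assumptions; the parser handles the common `if header :contains ...` form and assumes no braces inside quoted strings.

```python
import re

# Constructed sample: a user's sieve script as a Dovecot/ManageSieve deployment might store it.
# The first rule is ordinary mailbox organisation; the second and third hide security mail.
SAMPLE_SIEVE = '''
require ["fileinto"];

# legitimate mailbox organisation
if header :contains "subject" "newsletter" {
    fileinto "Lists";
}

# moves SOC notifications and anything mentioning an incident to Trash
if anyof (header :contains "subject" ["security alert", "incident"],
          header :contains "from" "soc@example.com") {
    fileinto "Trash";
    stop;
}

# silently drops phishing reports
if header :contains "subject" "Phishing report" {
    discard;
}
'''

# Constructed baseline: the same user's script as recorded at the last review.
BASELINE_SIEVE = '''
require ["fileinto"];
if header :contains "subject" "newsletter" {
    fileinto "Lists";
}
'''

# Assumed keyword list; tune it to the subjects your own security tooling actually sends.
SECURITY_TERMS = ("security", "alert", "incident", "phishing", "suspicious", "soc@")
# Assumed set of folders where a moved message is effectively hidden from the user.
SUPPRESSING_FOLDERS = {"trash", "junk", "spam", "deleted", "archive"}
# fileinto = move, discard = silent drop, redirect = forward elsewhere; optional tags
# such as :copy are skipped before the quoted argument is captured.
ACTION_RE = re.compile(r'\b(fileinto|discard|redirect)\b(?:\s+:\w+)*(?:\s+"([^"]*)")?', re.I)


def strip_comments(script):
    """Drop '#' line comments so the word 'if' inside a comment is not taken for a rule.
    This also strips a '#' inside a quoted string, which is acceptable for triage."""
    return re.sub(r'#[^\n]*', '', script)


def split_rules(script):
    """Return (test, body) pairs for every if/elsif block, using a simple brace matcher."""
    script = strip_comments(script)
    rules, pos = [], 0
    head = re.compile(r'\b(?:if|elsif)\b')
    while (m := head.search(script, pos)):
        open_brace = script.find('{', m.end())
        if open_brace == -1:
            break
        depth, j = 0, open_brace
        while j < len(script):
            if script[j] == '{':
                depth += 1
            elif script[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        # Normalise whitespace in the test so the same rule compares equal across edits.
        rules.append((" ".join(script[m.end():open_brace].split()), script[open_brace + 1:j]))
        pos = j + 1
    return rules


def find_suppression_rules(script, terms=SECURITY_TERMS):
    """Flag rules whose test mentions a security term and whose action hides or diverts mail."""
    findings = []
    for test, body in split_rules(script):
        strings = re.findall(r'"([^"]*)"', test)
        matched = sorted({t for s in strings for t in terms if t in s.lower()})
        if not matched:
            continue
        for action, target in ACTION_RE.findall(body):
            action = action.lower()
            if action in ("discard", "redirect") or target.lower() in SUPPRESSING_FOLDERS:
                severity = "high"      # never reaches the user, or leaves the mailbox
            else:
                severity = "medium"    # moved out of the inbox; may still be noticed
            findings.append({"test": test, "action": action, "target": target or None,
                             "terms": matched, "severity": severity})
    return findings


def new_suppression_rules(baseline, current):
    """Findings present in the current script but absent from the reviewed baseline:
    the set to escalate when security mail goes missing during an investigation window."""
    seen = {(f["test"], f["action"], f["target"]) for f in find_suppression_rules(baseline)}
    return [f for f in find_suppression_rules(current)
            if (f["test"], f["action"], f["target"]) not in seen]


if __name__ == "__main__":
    for f in new_suppression_rules(BASELINE_SIEVE, SAMPLE_SIEVE):
        print(f"[{f['severity']}] {f['action']} -> {f['target']} | terms={f['terms']} | {f['test']}")
```

Run against a copy of each user's active script (for example the files a ManageSieve server stores per user) alongside the copy taken at the last review; a `fileinto` into a normal folder such as "Security" is reported at medium severity so that legitimate organisation rules stay visible but do not drown out discards and moves to Trash.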
Mitigation priorities
- Establish administrative visibility and change review for email filtering rules on Linux endpoints and mail servers where sieve or local clients are used.
- Restrict who can modify server-side filtering scripts and require accountable authentication for those changes.
- Ensure security, compliance, and incident-response notifications are recoverable through retention, quarantine, or mailbox audit processes where applicable.
- Document expected mail filtering behavior for high-risk users and security teams so unusual suppression of security-related messages can be investigated quickly.
- Use incident response procedures to check mail rules when security communications appear missing, delayed, moved, or unexpectedly deleted.
Analyst notes and limits
The supplied object is a detection analytic, AN0553, for ATT&CK enterprise release 19.1. It is limited to Linux and describes manipulation of local email client rules or server-side filtering scripts to move or discard emails with security-related keywords. No ATT&CK tactics, relationships, aliases, labels, or official detection text were supplied, so this summary focuses on defensive validation rather than a specific detection rule.
This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local mail architecture, logging configuration, endpoint visibility, and retention practices determine whether this behavior can be detected or investigated in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c3fbba736309… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0553
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.