MITRE ATT&CK® Analytic

AN0641: Analytic 0641

Enumeration of global address lists or email account metadata via PowerShell cmdlets (e.g., Get-GlobalAddressList) or MAPI/RPC from non-admin, non-mailserver systems.

Domain: Enterprise | ID: AN0641 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0641 is a detection analytic for suspicious enumeration of email directory data, such as global address lists or email account metadata, from Windows systems that are not expected to perform mail-server or administrative functions. For leaders, the practical issue is that address book and mailbox metadata can support follow-on targeting, social engineering, or discovery of key personnel, even when no message content is accessed.

Executive priority

Prioritize this as an identity, email security, and SOC visibility validation item. The key business question is whether the organization can distinguish legitimate email administration from unusual directory enumeration by ordinary users or non-mailserver endpoints. This supports incident triage, audit evidence around privileged administration, and readiness to investigate suspicious reconnaissance against enterprise email environments.

Technical view

Validate whether Windows endpoint, PowerShell, and email infrastructure telemetry can identify PowerShell cmdlet use such as Get-GlobalAddressList, as well as MAPI/RPC-based access patterns, when initiated from non-admin and non-mailserver systems. Because ATT&CK does not provide a detection implementation for this analytic, SOC teams should define local baselines for approved mail administration hosts, administrative users, and expected directory-query behavior before alerting on deviations.

Likely telemetry

  • Windows endpoint process execution telemetry
  • PowerShell command and script logging where available
  • Authentication and account context for the initiating user
  • Email infrastructure or directory service logs showing address list or mailbox metadata queries
  • Network telemetry for MAPI/RPC connections from Windows endpoints to mail-related services

Detection direction

  • Alert on address list or email account metadata enumeration from Windows systems that are not classified as mailservers or approved administrative systems.
  • Correlate PowerShell execution with user role, host role, and command context to reduce false positives from legitimate email administration.
  • Review MAPI/RPC activity from ordinary endpoints for unusual volume, timing, or source systems, using local baselines rather than assuming all such activity is malicious.
  • Maintain allowlists or reference sets for authorized email administrators and management hosts; gaps in this inventory will create both false positives and blind spots.
  • Because no official detection text or relationship context is supplied, validate the analytic against local logging coverage before using it as a control-evidence claim.
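The role-aware triage the bullets above describe, as an added illustration of the analytic and not MITRE's or Glexia's code. It runs over a handful of constructed PowerShell script-block and MAPI/RPC connection events, checks them against hypothetical reference sets for mailservers, approved management hosts and authorized email administrators, and applies a hypothetical per-host MAPI/RPC baseline; every host name, user name and threshold is an assumption to be replaced with local inventory data.

```python
"""Role-aware triage of email-directory enumeration telemetry (AN0641).

Added illustration only; not MITRE's or Glexia's code. The events,
reference sets and baseline below are constructed and hypothetical.
"""
import re
from collections import Counter

# Cmdlet named on the page plus related address-list/mailbox metadata
# readers (assumption: extend from your own mail-administration docs).
ENUMERATION_CMDLETS = {
    "get-globaladdresslist",
    "get-addresslist",
    "get-mailbox",
    "get-recipient",
}
CMDLET_RE = re.compile(r"\b(get-[a-z]+)\b", re.IGNORECASE)

# Hypothetical reference sets: the allowlists the page says to maintain.
APPROVED_ADMIN_HOSTS = {"exch-mgmt01"}
MAILSERVER_HOSTS = {"exch01"}
APPROVED_EMAIL_ADMINS = {"corp\\exchadmin"}

# Hypothetical local baseline: MAPI/RPC connections from one ordinary
# endpoint above this count in the window are surfaced for review.
MAPI_BASELINE_PER_HOST = 3

# Constructed sample events: PowerShell script-block text and network flows.
SAMPLE_EVENTS = [
    {"kind": "powershell", "host": "exch-mgmt01", "user": "corp\\exchadmin",
     "script": "Get-GlobalAddressList | Select-Object Name"},
    {"kind": "powershell", "host": "ws-0443", "user": "corp\\jdoe",
     "script": "Get-GlobalAddressList | Export-Csv gal.csv"},
    {"kind": "powershell", "host": "ws-0443", "user": "corp\\jdoe",
     "script": "Get-Process | Sort-Object CPU"},
    {"kind": "mapi_rpc", "host": "ws-0512", "user": "corp\\asmith", "dst": "exch01"},
    {"kind": "mapi_rpc", "host": "ws-0512", "user": "corp\\asmith", "dst": "exch01"},
    {"kind": "mapi_rpc", "host": "ws-0512", "user": "corp\\asmith", "dst": "exch01"},
    {"kind": "mapi_rpc", "host": "ws-0512", "user": "corp\\asmith", "dst": "exch01"},
    {"kind": "mapi_rpc", "host": "ws-0777", "user": "corp\\bjones", "dst": "exch01"},
]


def host_is_expected(host):
    """True when the host is a mailserver or an approved management system."""
    return host.lower() in APPROVED_ADMIN_HOSTS | MAILSERVER_HOSTS


def user_is_email_admin(user):
    return user.lower() in APPROVED_EMAIL_ADMINS


def triage_powershell(event):
    """Return a finding when an enumeration cmdlet ran outside the expected
    host/user role context; None for no hit or for expected administration."""
    cmdlets = {m.lower() for m in CMDLET_RE.findall(event["script"])}
    hits = cmdlets & ENUMERATION_CMDLETS
    if not hits:
        return None
    host_ok = host_is_expected(event["host"])
    user_ok = user_is_email_admin(event["user"])
    if host_ok and user_ok:
        return None  # legitimate email administration per reference sets
    reasons = []
    if not host_ok:
        reasons.append("host is not a mailserver or approved admin system")
    if not user_ok:
        reasons.append("user is not an authorized email administrator")
    return {"analytic": "AN0641", "host": event["host"], "user": event["user"],
            "cmdlets": sorted(hits), "reasons": reasons}


def triage_mapi(events):
    """Surface ordinary endpoints whose MAPI/RPC connection count exceeds the
    local baseline; volume alone is a review prompt, not a verdict."""
    counts = Counter(e["host"] for e in events
                     if e["kind"] == "mapi_rpc" and not host_is_expected(e["host"]))
    return [{"analytic": "AN0641", "host": host, "connections": n,
             "reasons": ["MAPI/RPC volume above local baseline"]}
            for host, n in sorted(counts.items()) if n > MAPI_BASELINE_PER_HOST]


def run_triage(events):
    """Combine cmdlet-context findings and MAPI/RPC volume findings."""
    findings = []
    for event in events:
        if event["kind"] == "powershell":
            finding = triage_powershell(event)
            if finding:
                findings.append(finding)
    findings.extend(triage_mapi(events))
    return findings


if __name__ == "__main__":
    for finding in run_triage(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the admin's query from the management host is suppressed, the same cmdlet from an ordinary workstation by a non-admin user is flagged with both role reasons, and only the endpoint that exceeds the MAPI/RPC baseline is surfaced; the point is that the reference sets do the discriminating work, so gaps in that inventory show up directly as noise or blind spots.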

Mitigation priorities

  • Define and maintain an authoritative inventory of mailservers, approved administrative workstations, and users authorized to perform email directory administration.
  • Restrict email administration capabilities to appropriate administrative roles and managed systems where feasible.
  • Ensure PowerShell and relevant email/directory service logging are enabled and retained long enough to support investigation.
  • Include this behavior in incident response playbooks for suspicious account or email-environment reconnaissance.
  • Periodically test whether SOC workflows can separate expected administrative enumeration from unusual activity by non-admin users or non-mailserver Windows endpoints.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic, not a technique. It is scoped to Windows and describes enumeration of global address lists or email account metadata using PowerShell cmdlets or MAPI/RPC from systems where that activity is not expected. No tactics, relationships, aliases, or official detection logic were supplied, so the strongest use is as a validation prompt for telemetry, baselining, and role-based alerting.

The supplied ATT&CK fields do not identify associated tactics, techniques, threat actors, campaigns, mitigations, or a concrete detection query. Any assessment of severity, prevalence, exploit activity, or detection effectiveness requires local environment data and cannot be concluded from this object alone.

Official MITRE ATT&CK definition

Analytic 0641

Enumeration of global address lists or email account metadata via PowerShell cmdlets (e.g., Get-GlobalAddressList) or MAPI/RPC from non-admin, non-mailserver systems.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in snapshot)
Modified: (not present in snapshot)
Raw hash: b3b313394101991d...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | b3b313394101…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0641 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.