AN0655: Analytic 0655
Detection of spearphishing attachments by correlating suspicious email delivery with subsequent file creation and abnormal process execution (e.g., Office spawning PowerShell or CMD). Behavior chain includes inbound email metadata → attachment stored on disk → process execution → outbound network activity.
Analyst context for executives and security teams
This analytic matters because it treats a malicious attachment as a business-risk chain, not a single email event. The supplied ATT&CK description focuses on correlating inbound email metadata, attachment file creation on Windows, abnormal child-process execution such as Office spawning PowerShell or CMD, and outbound network activity. For leaders, the decision value is whether email security, endpoint telemetry, and network monitoring can be joined quickly enough to confirm or rule out a phishing-led intrusion before it becomes a broader incident.
Executive priority
Prioritize this as a coverage-validation item for phishing resilience and incident readiness. Executives should ask whether the organization can prove, with evidence, that suspicious email delivery can be tied to endpoint execution and network behavior on Windows systems. This supports business continuity, audit evidence, and incident decision-making because gaps between mail, endpoint, and network logs often determine whether responders can scope an attachment-driven compromise confidently.
Technical view
For SOC and detection engineering teams, validate correlation across the full behavior chain described by ATT&CK: inbound email metadata, attachment written to disk, suspicious or abnormal process execution from document-handling applications, and related outbound network activity. Because no official detection logic is provided, teams should avoid treating a single signal as sufficient. Tune around parent-child process context, file path and attachment provenance, timing between email delivery and execution, and network activity following execution. The platform explicitly supplied is Windows.
Likely telemetry
- Email gateway or mail platform metadata for inbound messages and attachments
- Endpoint file creation telemetry for attachments stored on Windows systems
- Process creation telemetry with parent-child relationships, especially Office or document applications spawning command interpreters or scripting shells
- Command-line and process metadata for PowerShell, CMD, and related child processes where collected
- Outbound network connection telemetry from the affected endpoint
Detection direction
- Validate that email, endpoint, and network data can be correlated by user, host, message, attachment, and time window.
- Tune for abnormal parent-child execution patterns rather than only attachment presence, since legitimate attachments are common.
- Review false positives from business workflows that legitimately launch scripts or command interpreters from Office or document-handling applications.
- Check blind spots where mail metadata is retained but endpoint file creation or process telemetry is missing.
- Confirm that outbound network activity after suspicious attachment execution is available for triage and scoping.
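The correlation the list above describes, as an added example that is not part of the ATT&CK object or Glexia's page: a small Python join over constructed mail, file-creation, process-creation and network events, matched by user, host, attachment name, parent-child pair and time window. Event field names, the application and shell name sets, and the sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): mail delivery, attachment
# written to disk, two process starts and one outbound connection on host WS01.
EVENTS = [
    {"src": "mail", "ts": "2024-05-01T09:00:00", "user": "alice",
     "msg_id": "<m1@example.invalid>", "attachment": "invoice.docm"},
    {"src": "file", "ts": "2024-05-01T09:03:10", "user": "alice", "host": "WS01",
     "path": r"C:\Users\alice\Downloads\invoice.docm", "writer": "OUTLOOK.EXE"},
    {"src": "process", "ts": "2024-05-01T09:03:40", "user": "alice", "host": "WS01",
     "parent": "WINWORD.EXE", "image": "powershell.exe", "pid": 4242},
    {"src": "process", "ts": "2024-05-01T09:03:41", "user": "alice", "host": "WS01",
     "parent": "explorer.exe", "image": "notepad.exe", "pid": 4243},
    {"src": "network", "ts": "2024-05-01T09:03:45", "host": "WS01",
     "pid": 4242, "dest": "203.0.113.10:443"},
]
DOC_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "ACRORD32.EXE"}  # assumed set
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # command interpreters / shells

def _t(s):
    return datetime.fromisoformat(s)

def correlate(events, window=timedelta(minutes=30)):
    """Join mail -> file -> process -> network for one user/host in time order, all
    inside `window` of delivery. 'stage' records how far the chain was confirmed."""
    ev = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for m in (e for e in ev if e["src"] == "mail"):
        t0, t_end = _t(m["ts"]), _t(m["ts"]) + window
        name = "\\" + m["attachment"].lower()  # attachment provenance: same file name
        for f in ev:
            if f["src"] != "file" or f["user"] != m["user"]:
                continue
            if not (t0 <= _t(f["ts"]) <= t_end and f["path"].lower().endswith(name)):
                continue
            for p in ev:
                if p["src"] != "process" or p["host"] != f["host"]:
                    continue
                if not (_t(f["ts"]) <= _t(p["ts"]) <= t_end):
                    continue
                # Abnormal parent-child pair: document application launching a shell
                if p["parent"].upper() not in DOC_APPS or p["image"].lower() not in SHELLS:
                    continue
                net = [n for n in ev if n["src"] == "network" and n["host"] == p["host"]
                       and n.get("pid") == p["pid"] and _t(p["ts"]) <= _t(n["ts"]) <= t_end]
                alerts.append({"msg_id": m["msg_id"], "user": m["user"], "host": f["host"],
                               "attachment": f["path"], "parent": p["parent"],
                               "child": p["image"], "stage": "network" if net else "process",
                               "dest": net[0]["dest"] if net else None})
    return alerts
```

The notepad.exe start from explorer.exe never fires, and when the network event is absent (a telemetry blind spot) the chain still surfaces with stage "process" so triage can see what is missing.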
Mitigation priorities
- Strengthen email attachment controls and user-facing protections first, while preserving metadata needed for investigations.
- Ensure Windows endpoint logging captures file creation and process parent-child relationships needed to validate this analytic.
- Centralize mail, endpoint, and network telemetry so responders can reconstruct the described behavior chain.
- Harden execution paths commonly abused after attachment opening, including command interpreter and scripting-shell use from document applications, using organization-approved controls.
- Test incident response playbooks for phishing attachment cases to confirm containment, scoping, and evidence collection are repeatable.
Analyst notes and limits
This is an ATT&CK detection analytic object, not a technique object. The supplied fields describe a Windows-focused correlation analytic for spearphishing attachment behavior, but no tactics, relationships, labels, aliases, or official detection logic were supplied. Use it as a control and telemetry validation prompt rather than a ready-to-run rule.
Assessment is limited to the official STIX fields, external reference, and absence of supplied relationships. No claim is made about active exploitation, actor attribution, guaranteed detection, or coverage beyond Windows. Local mail architecture, endpoint logging depth, retention, and correlation capability will determine practical effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cfe56846d9b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0655 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.