MITRE ATT&CK® Analytic

AN0737: Analytic 0737

Detects mailbox manipulation or deletion via PowerShell (e.g., Remove-MailboxExportRequest), file deletion from Outlook data stores (Unistore.db), or tampering with quarantined mail logs.

Enterprise · AN0737 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because mailbox deletion, export-request manipulation, Outlook data store file deletion, and quarantine-log tampering can remove evidence, disrupt email operations, and weaken investigations. For leaders, the decision point is whether email, endpoint, and PowerShell telemetry are sufficient to prove what happened when a mailbox or related evidence disappears.

Executive priority

Prioritize this as an evidence-preservation and operational resilience concern for Windows environments using Outlook/PowerShell-managed mail operations. Security leaders should ask whether SOC and incident response teams can reconstruct mailbox administrative actions, local Outlook data-store changes, and quarantine-log integrity during an incident. The main business value is reducing investigation gaps, supporting compliance evidence, and limiting the operational impact of unauthorized or erroneous mailbox manipulation.

Technical view

The supplied ATT&CK object is a detection analytic for Windows focused on mailbox manipulation or deletion via PowerShell (for example Remove-MailboxExportRequest), deletion of Outlook data-store files such as Unistore.db, and tampering with quarantined mail logs. Because no official detection logic or ATT&CK relationships are supplied, teams should validate coverage by mapping where mailbox administration events, PowerShell activity, endpoint file events, and mail security quarantine logs are collected and correlated. Treat this as a behavioral validation area rather than a ready-to-run detection.

Likely telemetry

  • PowerShell execution logs and script/module logging where enabled
  • Windows process creation telemetry for PowerShell and related administrative tools
  • Mailbox administration or email platform audit logs showing export, delete, or request-management actions
  • Endpoint file creation, modification, and deletion telemetry for Outlook data-store paths, including Unistore.db where applicable
  • Mail security gateway or email security quarantine logs and audit records

Detection direction

  • Validate that PowerShell activity tied to mailbox administration is logged with enough command-line and user context to distinguish authorized administration from suspicious manipulation.
  • Monitor deletion or modification of Outlook data-store files in expected user profile locations, while tuning for legitimate Outlook maintenance, profile rebuilds, and support activity.
  • Check whether quarantined mail logs are append-only, centrally forwarded, or otherwise protected from local tampering before relying on them as incident evidence.
  • Correlate mailbox administrative actions with identity context, host context, change tickets, and privileged role assignment where available.
  • Account for the limitation that ATT&CK provides no official detection query, thresholds, or relationship context for this analytic.
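To make the first two validation points concrete, here is an added example (not from the ATT&CK analytic or from Glexia) that runs two checks over constructed sample events: a PowerShell script-block check for mailbox-manipulation cmdlets outside an authorized admin context, and an endpoint file-delete check for Outlook data-store files removed by anything other than expected maintenance processes. The allowlists, event field names, and the Unistore.db sample path are assumptions.

```python
import re
from ntpath import basename  # parse Windows paths even when run on Linux/macOS

# Assumed allowlists (not part of the ATT&CK analytic): mail admins and admin hosts,
# and processes expected to touch Outlook data stores during normal maintenance.
AUTHORIZED_ADMINS = {"corp\\exadmin"}
ADMIN_HOSTS = {"exmgmt01"}
MAINTENANCE_PROCS = {"outlook.exe"}
MAILBOX_CMDLETS = re.compile(r"\bRemove-Mailbox(?:ExportRequest)?\b", re.IGNORECASE)
DATA_STORE_FILES = {"unistore.db"}

# Constructed sample events, normalized the way a SIEM might present
# PowerShell script-block logs and endpoint file-delete telemetry.
SAMPLE_EVENTS = [
    {"kind": "powershell", "user": "CORP\\exadmin", "host": "EXMGMT01",
     "script": "Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false"},
    {"kind": "powershell", "user": "CORP\\jdoe", "host": "WS-042",
     "script": "Remove-MailboxExportRequest -Identity 'legal-hold-export'"},
    {"kind": "powershell", "user": "CORP\\jdoe", "host": "WS-042", "script": "Get-Date"},
    {"kind": "file_delete", "user": "CORP\\jdoe", "host": "WS-042", "process": "cmd.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Comms\Unistore.db"},  # assumed sample path
    {"kind": "file_delete", "user": "CORP\\jdoe", "host": "WS-042", "process": "OUTLOOK.EXE",
     "path": r"C:\Users\jdoe\AppData\Local\Comms\Unistore.db"},
]

def check_powershell(ev):
    """Flag mailbox-manipulation cmdlets run outside the authorized admin context."""
    m = MAILBOX_CMDLETS.search(ev["script"])
    if not m:
        return None
    if ev["user"].lower() in AUTHORIZED_ADMINS and ev["host"].lower() in ADMIN_HOSTS:
        return None  # authorized administration: log it, but do not alert
    return {"rule": "mailbox_cmdlet_unauthorized", "user": ev["user"],
            "host": ev["host"], "detail": m.group(0)}

def check_file_delete(ev):
    """Flag deletion of Outlook data-store files by anything but maintenance processes."""
    if basename(ev["path"]).lower() not in DATA_STORE_FILES:
        return None
    if ev["process"].lower() in MAINTENANCE_PROCS:
        return None
    return {"rule": "outlook_store_deleted", "user": ev["user"],
            "host": ev["host"], "detail": f'{ev["process"]} deleted {ev["path"]}'}

def evaluate(events):
    """Run both checks over normalized events and return the alerts they raise."""
    checks = {"powershell": check_powershell, "file_delete": check_file_delete}
    return [hit for ev in events if (hit := checks[ev["kind"]](ev))]
```

Against the sample events this raises exactly two alerts: the export-request removal by a non-admin user on a workstation, and the Unistore.db deletion by cmd.exe; the authorized admin's cleanup and Outlook's own deletion are suppressed.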

Mitigation priorities

  • Ensure mailbox administration is limited to authorized roles and reviewed through standard change or access-control processes.
  • Enable and retain PowerShell, endpoint file, mailbox audit, and quarantine-log telemetry needed for incident reconstruction.
  • Centralize logs and protect them from alteration or deletion to preserve investigation and compliance evidence.
  • Review privileged access to email administration and local systems where Outlook data stores or quarantine logs may be modified.
  • Test incident response procedures for mailbox deletion, export-request manipulation, and suspected email evidence tampering.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique. The tactic is not specified, and no relationships were supplied, so the take is intentionally framed around defensive validation rather than adversary intent or attribution. The strongest local validation will come from confirming actual email platform logging, PowerShell visibility, endpoint file telemetry, and quarantine-log retention.

The official detection field is not provided, and the relationship context is empty. The object only specifies Windows as a platform and gives example behaviors; it does not provide detection logic, data-source requirements, false-positive guidance, affected products, or evidence of active exploitation.

Official MITRE ATT&CK definition

Analytic 0737

Detects mailbox manipulation or deletion via PowerShell (e.g., Remove-MailboxExportRequest), file deletion from Outlook data stores (Unistore.db), or tampering with quarantined mail logs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c3c4d94f9e383876...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c3c4d94f9e38…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.