MITRE ATT&CK® Analytic

AN0740: Analytic 0740

Detects Exchange Online or on-prem transport rule changes (e.g., header stripping) and mailbox export cleanup via `Remove-MailboxExportRequest`, as well as admin actions via Exchange PowerShell sessions.

Domain: Enterprise. Object: AN0740 (Analytic), version 1.0. Modified: (no timestamp in snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0740 is a detection analytic focused on Exchange administrative changes that can affect mail integrity and investigation visibility: transport rule changes such as header stripping, cleanup of mailbox export requests through Remove-MailboxExportRequest, and administrative activity through Exchange PowerShell sessions. For leaders, the value is not simply “detect an Exchange command,” but confirming that email administration is observable enough to support incident response, audit review, and confidence in mail-flow evidence.

Executive priority

Prioritize this analytic where Exchange Online or on-prem Exchange administration is material to business communications, legal discovery, fraud investigations, or compliance evidence. Transport rule and mailbox export activity can affect what mail is delivered, what headers remain available for investigation, and whether export-related artifacts remain visible. Security leaders should ask whether Exchange administrative actions are logged, retained, reviewed, and tied to accountable identities before an incident requires reconstruction.

Technical view

SOC and detection teams should validate visibility into Exchange transport rule modifications, Remove-MailboxExportRequest usage, and Exchange PowerShell administrative sessions on the Office Suite platform. One scoping caveat: the transport rule cmdlets exist in both Exchange Online and on-prem Exchange, but New-MailboxExportRequest and Remove-MailboxExportRequest are on-prem cmdlets, so the export-cleanup half of this analytic applies to on-prem (or hybrid) Exchange servers and depends on their admin audit log being enabled and collected. Because no official detection logic is supplied, teams should build or review analytics around administrative audit events, PowerShell session records, and configuration-change logs, then baseline expected administrator behavior. IR teams should ensure they can correlate transport rule changes and mailbox export cleanup with the responsible account, source session, time window, and related mailbox or organization-level configuration changes.

Likely telemetry

  • Exchange administrative audit logs for transport rule creation, modification, and removal
  • Exchange Online or on-prem Exchange PowerShell session activity
  • Command execution records involving Remove-MailboxExportRequest
  • Mail-flow or transport rule configuration change history
  • Administrator identity, role, source IP/device, and session metadata

Detection direction

  • Validate that Exchange transport rule changes are captured, especially changes affecting message headers or mail-flow handling.
  • Monitor Remove-MailboxExportRequest activity and correlate it with the prior New-MailboxExportRequest (including the export target path), the administrative identity, and business justification; a removal with no matching export request in the lookback period points to a gap in audit coverage rather than a benign cleanup.
  • Review Exchange PowerShell administrative sessions for sensitive configuration and mailbox export-related commands.
  • Tune for authorized change windows and known administrator workflows to reduce false positives while preserving high-risk command visibility.
  • Check blind spots: missing Exchange audit logging, insufficient retention, unmanaged on-prem Exchange logs, shared admin accounts, and inability to link PowerShell sessions to individual operators.
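As an added example (not part of the MITRE analytic and not Glexia's or Microsoft's code), the following Python runs the detection direction above over constructed audit records. The records are shaped like the AuditData JSON of Exchange Online Unified Audit Log ExchangeAdmin entries (Operation, UserId, ObjectId, ClientIP, SessionId, and Parameters as Name/Value pairs); the tenant, accounts, IPs, paths, timestamps, session IDs and the approved change window are invented for the example. On-prem Search-AdminAuditLog output carries the same information under different field names (CmdletName, CmdletParameters, Caller, RunDate) and would need to be mapped into this shape first. The logic flags transport rule changes that set or remove headers, delete, redirect or blind-copy mail (never suppressed by a change window), flags other transport rule edits only outside an approved window, ties each Remove-MailboxExportRequest back to the export it removes, and groups findings by admin session so one operator's sequence is reviewed together.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), shaped like the AuditData
# JSON of Exchange Online Unified Audit Log "ExchangeAdmin" entries. Field names
# follow that schema; accounts, IPs, paths, times and session IDs are invented.
SAMPLE_AUDIT_JSONL = r"""
{"CreationTime":"2025-03-04T10:02:11","Operation":"New-MailboxExportRequest","UserId":"exadmin@contoso.com","ClientIP":"203.0.113.7","SessionId":"sess-a1","ObjectId":"contoso.com/Users/cfo\\MailboxExport","Parameters":[{"Name":"Mailbox","Value":"cfo"},{"Name":"FilePath","Value":"\\\\fs01\\pst\\cfo.pst"}]}
{"CreationTime":"2025-03-04T10:05:40","Operation":"Set-TransportRule","UserId":"exadmin@contoso.com","ClientIP":"203.0.113.7","SessionId":"sess-a1","ObjectId":"Outbound header hygiene","Parameters":[{"Name":"Identity","Value":"Outbound header hygiene"},{"Name":"RemoveHeader","Value":"X-MS-Exchange-Organization-AuthAs"}]}
{"CreationTime":"2025-03-04T10:41:03","Operation":"Remove-MailboxExportRequest","UserId":"exadmin@contoso.com","ClientIP":"203.0.113.7","SessionId":"sess-a1","ObjectId":"contoso.com/Users/cfo\\MailboxExport","Parameters":[{"Name":"Identity","Value":"cfo\\MailboxExport"},{"Name":"Confirm","Value":"False"}]}
{"CreationTime":"2025-03-04T22:10:27","Operation":"Set-TransportRule","UserId":"changeadmin@contoso.com","ClientIP":"10.20.0.15","SessionId":"sess-c9","ObjectId":"External sender tag","Parameters":[{"Name":"Identity","Value":"External sender tag"},{"Name":"Priority","Value":"2"}]}
{"CreationTime":"2025-03-04T11:30:00","Operation":"Remove-MailboxExportRequest","UserId":"helpdesk@contoso.com","ClientIP":"198.51.100.20","SessionId":"sess-h4","ObjectId":"contoso.com/Users/legal\\MailboxExport","Parameters":[{"Name":"Identity","Value":"legal\\MailboxExport"}]}
"""

# Approved change window (an assumption for the example): actor, start, end.
APPROVED_WINDOWS = [
    ("changeadmin@contoso.com", datetime(2025, 3, 4, 21, 0), datetime(2025, 3, 4, 23, 0)),
]

# Set-/New-TransportRule parameters that change what survives in a message or where it goes.
SENSITIVE_RULE_PARAMS = {"RemoveHeader", "SetHeaderName", "SetHeaderValue",
                         "DeleteMessage", "RedirectMessageTo", "BlindCopyTo"}
TRANSPORT_RULE_OPS = {"New-TransportRule", "Set-TransportRule",
                      "Remove-TransportRule", "Disable-TransportRule"}


def load_records(jsonl):
    """Parse JSON lines into dicts with a parsed timestamp and a Name->Value parameter map."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        rec["_params"] = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        records.append(rec)
    return sorted(records, key=lambda r: r["_time"])


def in_change_window(rec, windows):
    """True when the actor has an approved window covering the record's time."""
    return any(rec["UserId"] == actor and start <= rec["_time"] <= end
               for actor, start, end in windows)


def detect(records, windows=(), lookback=timedelta(hours=24)):
    """Return findings for export cleanup, sensitive transport rule edits and other rule changes."""
    findings = []
    exports = []  # earlier New-MailboxExportRequest records, kept for correlation
    for rec in records:
        op = rec["Operation"]
        base = {"op": op, "actor": rec["UserId"], "ip": rec.get("ClientIP"),
                "session": rec.get("SessionId"), "time": rec["CreationTime"],
                "object": rec.get("ObjectId")}
        if op == "New-MailboxExportRequest":
            exports.append(rec)
            findings.append({**base, "rule": "mailbox_export_created", "severity": "medium",
                             "detail": "export to " + rec["_params"].get("FilePath", "?")})
        elif op == "Remove-MailboxExportRequest":
            # Tie the cleanup to the export it removes: same actor, within the lookback.
            prior = [e for e in exports if e["UserId"] == rec["UserId"]
                     and rec["_time"] - e["_time"] <= lookback]
            detail = ("cleanup of export to " + prior[-1]["_params"].get("FilePath", "?")
                      if prior else "no matching export request in lookback (check for log gaps)")
            findings.append({**base, "rule": "mailbox_export_cleanup", "severity": "high",
                             "detail": detail})
        elif op in TRANSPORT_RULE_OPS:
            hits = sorted(set(rec["_params"]) & SENSITIVE_RULE_PARAMS)
            if hits:
                # Header stripping, deletion or redirection is never suppressed by a change window.
                findings.append({**base, "rule": "transport_rule_sensitive_change", "severity": "high",
                                 "detail": ", ".join(f"{k}={rec['_params'][k]}" for k in hits)})
            elif not in_change_window(rec, windows):
                findings.append({**base, "rule": "transport_rule_change", "severity": "low",
                                 "detail": ", ".join(sorted(rec["_params"]))})
    return findings


def by_session(findings):
    """Group finding rules by admin session so one operator's sequence is reviewed together."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["session"], []).append(f["rule"])
    return grouped


if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_AUDIT_JSONL), APPROVED_WINDOWS):
        print(f'{f["time"]} {f["severity"]:6} {f["rule"]:32} {f["actor"]:24} {f["detail"]}')
```

On the sample data the benign Priority change inside the approved window is suppressed, the header-removal rule edit is raised regardless of any window, the first Remove-MailboxExportRequest is tied to the PST path it cleaned up, and the second is raised with a note that no matching export was seen, which is the blind-spot case worth chasing in a real tenant. Feeding real data means exporting AuditData from Search-UnifiedAuditLog (or mapping Search-AdminAuditLog entries on-prem) into this JSON-lines shape.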

Mitigation priorities

  • Ensure Exchange administrative auditing is enabled and retained for both cloud and on-prem environments in scope.
  • Restrict Exchange administrative roles to least privilege and require accountable, individual administrator identities.
  • Require change control or approval evidence for transport rule modifications and mailbox export cleanup actions.
  • Protect administrative access with strong identity controls and review privileged Exchange PowerShell usage.
  • Include Exchange mail-flow and mailbox export artifacts in incident response collection and compliance evidence procedures.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic, AN0740, for Office Suite environments. The official description specifically names Exchange Online or on-prem transport rule changes, Remove-MailboxExportRequest, and Exchange PowerShell administrative actions. No relationships, tactics, aliases, or official detection logic were supplied, so the take focuses on defensive validation and telemetry requirements rather than a mapped intrusion chain.

The source does not provide detection logic, data component mappings, ATT&CK tactics, related techniques, procedures, or adversary context. Local Exchange architecture, audit configuration, retention, and identity model are required to determine actual coverage and risk priority.

Official MITRE ATT&CK definition

Analytic 0740

Detects Exchange Online or on-prem transport rule changes (e.g., header stripping) and mailbox export cleanup via `Remove-MailboxExportRequest`, as well as admin actions via Exchange PowerShell sessions.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 672b7460eb482611...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  672b7460eb48…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0740
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.