MITRE ATT&CK® Analytic

AN0792: Analytic 0792

Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity.

Domain: Enterprise | ID: AN0792 | Type: Analytic object | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting suspicious outbound email behavior from Windows-hosted mail applications such as Outlook, especially when the sender’s visible name does not match the SMTP address, message volume is abnormal, messages contain sensitive payment-related terms, or the sending account has unusual login-location context. For leaders, the value is not just email monitoring; it is validating whether the organization can quickly identify potentially misleading or high-risk email activity before it affects payment workflows, executive trust, or incident response timelines.

Executive priority

Prioritize this as an email, identity, and SOC readiness control. It helps answer whether the organization has evidence to investigate suspicious outbound email activity involving payment or wire-transfer language, account identity inconsistencies, and anomalous access patterns. Because the ATT&CK object provides no formal detection logic and no relationship context, leaders should treat it as a validation prompt: confirm whether Windows mail application telemetry, email metadata, and account login context are collected, correlated, retained, and usable during an incident or audit.

Technical view

For SOC and detection engineering teams, validate monitoring around Windows-hosted email applications, including Outlook where present. The core behaviors to test are: a mismatch between the sending account name or display name and the underlying SMTP address; abnormal outbound message volume; sensitive keywords such as "payment" or "wire transfer"; and anomalous login locations tied to accounts that are sending email. Because the official detection field is not provided and tactics are not specified, the local implementation has to define its own baselines, thresholds, and exception handling rather than assume a complete MITRE detection recipe exists.

Likely telemetry

  • Windows-hosted email application activity, where available
  • Outbound email metadata including sender display name, account name, SMTP address, recipient counts, and send volume
  • Message subject/body or data-loss-prevention style keyword indicators where policy and privacy requirements allow
  • Authentication and login-location records for accounts associated with email sending
  • Account identity directory attributes used to compare expected names and addresses

Detection direction

  • Validate correlation between outbound email metadata and identity attributes so display-name/account-name mismatches can be reviewed against the actual SMTP address.
  • Baseline normal outbound email volume per account, role, or mailbox type before alerting on abnormal send bursts.
  • Treat sensitive keywords such as payment and wire transfer as risk signals, not standalone proof of malicious activity, to reduce false positives from finance, procurement, legal, or executive workflows.
  • Correlate sending activity with anomalous login-location context when such identity telemetry is available.
  • Define allowlists or business exceptions for shared mailboxes, aliases, delegated senders, service accounts, and legitimate display-name changes.
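The technical view and the detection-direction list above describe four signals that should be scored together rather than alerted on individually. The following is an added example, not MITRE content and not Glexia or Outlook tooling, showing one way to do that over constructed outbound-email records. The record field names (account, display_name, from_smtp, subject, login_country), the identity directory, the hourly baselines, the keyword list, the weights and the alert threshold are all assumptions chosen for illustration; a real deployment would take the records from message-trace or mail-application telemetry and the directory from the identity provider.

```python
"""Added example (not from the MITRE analytic or the page's own tooling):
score constructed outbound-email records against the four AN0792 signals.
All field names, thresholds, directory and baseline data are assumptions."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass, field

# Constructed identity directory: expected display name, addresses the account may
# legitimately send as (covers aliases and delegated senders), and usual login countries.
DIRECTORY = {
    "jdoe@corp.example": {"display_name": "Jane Doe", "send_as": {"jdoe@corp.example"},
                          "usual_countries": {"US"}},
    "bsmith@corp.example": {"display_name": "Bob Smith", "send_as": {"bsmith@corp.example"},
                            "usual_countries": {"US"}},
    # Shared finance mailbox: high volume and payment language are normal here.
    "ap-shared@corp.example": {"display_name": "Accounts Payable",
                               "send_as": {"ap-shared@corp.example", "payments@corp.example"},
                               "usual_countries": {"US", "GB"}},
}

# Constructed per-account outbound counts per hour from a baseline window.
BASELINE_HOURLY = {
    "jdoe@corp.example": [2, 3, 1, 4, 2, 3, 2, 3],
    "bsmith@corp.example": [1, 2, 1, 0, 2, 1, 1, 2],
    "ap-shared@corp.example": [40, 55, 48, 60, 52, 45, 50, 58],
}

# Keyword list is an assumption; it is a risk signal, never a standalone alert.
SENSITIVE_TERMS = re.compile(r"\b(payment|wire transfer|invoice|remittance)\b", re.I)


@dataclass
class Alert:
    account: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """Compare names on letters only so punctuation or casing changes do not hide a match."""
    return re.sub(r"[^a-z]", "", name.lower())


def volume_threshold(samples: list[int], floor: int = 10) -> float:
    """Mean + 3 standard deviations, floored so quiet accounts do not alert on tiny bursts."""
    sd = statistics.pstdev(samples) if len(samples) > 1 else 0.0
    return max(statistics.mean(samples) + 3 * sd, floor)


def evaluate_account(account: str, msgs: list[dict], directory=DIRECTORY,
                     baseline=BASELINE_HOURLY, alert_at: int = 4) -> Alert | None:
    """Score one account's messages in a window; return an Alert only above alert_at."""
    alert = Alert(account)
    entry = directory.get(account)
    if entry is None:
        alert.score += 3
        alert.reasons.append("sending account missing from identity directory")
    else:
        if any(normalize(m["display_name"]) != normalize(entry["display_name"]) for m in msgs):
            alert.score += 3
            alert.reasons.append("display name differs from directory value")
        if any(m["from_smtp"].lower() not in entry["send_as"] for m in msgs):
            alert.score += 3
            alert.reasons.append("From address is not an allowed send-as address")
        if any(m["login_country"] not in entry["usual_countries"] for m in msgs):
            alert.score += 2
            alert.reasons.append("sends correlated with login from an unusual country")
    if account in baseline and len(msgs) > volume_threshold(baseline[account]):
        alert.score += 2
        alert.reasons.append(f"{len(msgs)} outbound messages exceeds hourly baseline")
    if any(SENSITIVE_TERMS.search(m["subject"]) for m in msgs):
        alert.score += 1  # weight 1 keeps keywords from alerting on their own
        alert.reasons.append("sensitive payment language in subject")
    return alert if alert.score >= alert_at else None


def run_detection(records: list[dict], **kw) -> dict[str, Alert]:
    """Group one window of records by sending account and return the accounts that alert."""
    by_account: dict[str, list[dict]] = {}
    for r in records:
        by_account.setdefault(r["account"], []).append(r)
    alerts = {}
    for account, msgs in by_account.items():
        found = evaluate_account(account, msgs, **kw)
        if found:
            alerts[account] = found
    return alerts


def make(account, display_name, from_smtp, subject, country, n=1):
    """Build n constructed outbound records for one account."""
    return [{"account": account, "display_name": display_name, "from_smtp": from_smtp,
             "subject": subject, "login_country": country} for _ in range(n)]


# Constructed one-hour window: a normal user, a busy shared mailbox, and a compromised user
# whose display name impersonates the CFO and whose session came from an unusual country.
SAMPLE_HOUR = (
    make("jdoe@corp.example", "Jane Doe", "jdoe@corp.example", "Q3 payment schedule", "US", 3)
    + make("ap-shared@corp.example", "Accounts Payable", "payments@corp.example",
           "Invoice payment run", "GB", 50)
    + make("bsmith@corp.example", "Jane Doe (CFO)", "bsmith@corp.example",
           "URGENT wire transfer today", "NG", 14)
)

if __name__ == "__main__":
    for account, alert in run_detection(SAMPLE_HOUR).items():
        print(account, alert.score, "; ".join(alert.reasons))
```

Only the compromised account alerts: the shared mailbox's alias and payment wording are absorbed by the send-as set and the keyword weight, and the ordinary user's single "payment" subject scores too low. Tune the weights, the baseline window and the floor against your own false-positive data before relying on the threshold.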

Mitigation priorities

  • Ensure email, identity, and Windows application telemetry required for this analytic is collected and retained long enough for investigation.
  • Standardize identity attributes for mail-enabled accounts so display-name and SMTP-address comparisons are reliable.
  • Review governance for aliases, shared mailboxes, delegated sending, and display-name changes to reduce ambiguous alerts.
  • Use account access controls and login monitoring to support investigation of anomalous locations associated with email sending.
  • Document investigation procedures for suspicious outbound payment-related email activity, including escalation paths for finance or business-process owners.

Analyst notes and limits

This is a detection analytic object, not a technique or software object. It is scoped to Windows platforms and describes monitoring suspicious email activity from Windows-hosted applications, with Outlook provided as an example. No ATT&CK relationships were supplied, and tactics are listed as not specified, so the take focuses on defensive validation rather than mapping to a specific adversary behavior chain.

The official detection field is not provided, and there are no supplied relationships to techniques, groups, campaigns, mitigations, or data sources. Any production detection requires local decisions about available email content inspection, privacy constraints, identity data quality, baselines, and false-positive handling. This summary does not claim active exploitation, attribution, or existing detection coverage.

Official MITRE ATT&CK definition

Analytic 0792

Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d9fd772b987d1ec2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d9fd772b987d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0792 (source URL retained in the mirrored reference record)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.