AN0793: Analytic 0793
Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers mismatching authenticated SMTP identities. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users.
Analyst context for executives and security teams
This analytic matters because email infrastructure can become a business-risk amplifier when authenticated users, relay paths, or envelope headers are abused to send spoofed or large-scale internal mail. For leaders, the value is not simply “monitor mail logs”; it is confirming whether the organization can prove who authenticated, what sender identity was used, whether relay behavior was expected, and whether internal users were targeted at scale.
Executive priority
Prioritize this where Linux-based mail servers such as Postfix, Sendmail, or Exim support business-critical communications, internal notifications, or regulated workflows. The key executive question is whether security and IT teams have enough mail-server evidence to distinguish legitimate delegated sending from spoofing, abnormal relay use, or suspicious outbound campaigns. This supports incident decision-making, audit evidence around email control operation, and operational resilience if mail infrastructure is abused.
Technical view
Validate collection and parsing of Linux mail server logs for authenticated SMTP identity, From header, envelope-from, relay source/destination, recipient volume, and outbound campaign patterns. Because no ATT&CK tactic, relationship context, or separate detection logic is supplied, teams should treat AN0793 as a detection validation prompt: can the SOC correlate authenticated identity to message headers and relay behavior, and can IR reconstruct message flow from logs when spoofing or abnormal outbound activity is suspected?
Likely telemetry
- Postfix, Sendmail, or Exim mail server logs from Linux systems
- Authenticated SMTP username or identity fields
- Message From header values
- Envelope-from / return-path values
- Relay attempt records and relay source information
Detection direction
- Baseline normal authenticated sending patterns and expected From/header delegation to reduce false positives from legitimate shared mailboxes, applications, or automated senders.
- Alert on mismatches between authenticated SMTP identity and From header or envelope-from where no approved delegation or application pattern exists.
- Review abnormal relay attempts, especially unexpected relay sources or repeated failures/successes outside normal mail flow.
- Look for large-scale outbound campaigns targeting internal users, using thresholds appropriate to the organization’s normal mail volume.
- Confirm logs retain message IDs and identity fields long enough for SOC triage and incident response reconstruction.
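The correlation the bullets above describe, as an added example rather than Glexia or MITRE code: join Postfix log lines by queue ID, compare the SASL-authenticated identity against the envelope-from and header From, apply an approved-delegation allowlist, count internal recipients against a threshold, and surface relay rejections. The log lines are constructed for the example and modeled on Postfix smtpd, cleanup, qmgr and local output; the "header From:" line assumes a header_checks WARN rule is in place (Postfix does not log the From header otherwise). The domain, delegation map, threshold and queue IDs are all assumptions.

```python
"""Added example: AN0793-style correlation over constructed Postfix log lines."""
import re
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain
CAMPAIGN_THRESHOLD = 3            # assumed; tune to business-normal volume
# Assumed approved delegation: authenticated identity -> sender identities it may use.
APPROVED_DELEGATION = {"app-notify@corp.example": {"noreply@corp.example"}}

# Constructed sample log (not captured traffic), modeled on Postfix formats.
# The cleanup "header From:" lines assume a header_checks rule: /^From:/ WARN
SAMPLE_LOG = """\
Mar  3 09:00:01 mx1 postfix/smtpd[2101]: 4A1B2C: client=laptop.corp.example[10.1.2.3], sasl_method=PLAIN, sasl_username=alice@corp.example
Mar  3 09:00:01 mx1 postfix/cleanup[2102]: 4A1B2C: warning: header From: Alice <alice@corp.example> from laptop.corp.example[10.1.2.3]; from=<alice@corp.example> to=<bob@corp.example> proto=ESMTP helo=<laptop>
Mar  3 09:00:01 mx1 postfix/qmgr[2000]: 4A1B2C: from=<alice@corp.example>, size=1812, nrcpt=1 (queue active)
Mar  3 09:00:02 mx1 postfix/local[2103]: 4A1B2C: to=<bob@corp.example>, relay=local, delay=0.4, status=sent (delivered to maildir)
Mar  3 09:05:10 mx1 postfix/smtpd[2110]: 5D6E7F: client=kiosk.corp.example[10.9.8.7], sasl_method=LOGIN, sasl_username=svc-helpdesk@corp.example
Mar  3 09:05:10 mx1 postfix/cleanup[2111]: 5D6E7F: warning: header From: CEO <ceo@corp.example> from kiosk.corp.example[10.9.8.7]; from=<ceo@corp.example> to=<bob@corp.example> proto=ESMTP helo=<kiosk>
Mar  3 09:05:10 mx1 postfix/qmgr[2000]: 5D6E7F: from=<ceo@corp.example>, size=9031, nrcpt=3 (queue active)
Mar  3 09:05:11 mx1 postfix/local[2112]: 5D6E7F: to=<bob@corp.example>, relay=local, delay=0.5, status=sent (delivered to maildir)
Mar  3 09:05:11 mx1 postfix/local[2112]: 5D6E7F: to=<carol@corp.example>, relay=local, delay=0.5, status=sent (delivered to maildir)
Mar  3 09:05:11 mx1 postfix/local[2112]: 5D6E7F: to=<dave@corp.example>, relay=local, delay=0.5, status=sent (delivered to maildir)
Mar  3 09:07:00 mx1 postfix/smtpd[2120]: 8A9B0C: client=app01.corp.example[10.1.5.5], sasl_method=PLAIN, sasl_username=app-notify@corp.example
Mar  3 09:07:00 mx1 postfix/cleanup[2121]: 8A9B0C: warning: header From: noreply@corp.example from app01.corp.example[10.1.5.5]; from=<noreply@corp.example> to=<erin@corp.example> proto=ESMTP helo=<app01>
Mar  3 09:07:00 mx1 postfix/qmgr[2000]: 8A9B0C: from=<noreply@corp.example>, size=700, nrcpt=1 (queue active)
Mar  3 09:07:01 mx1 postfix/local[2122]: 8A9B0C: to=<erin@corp.example>, relay=local, delay=0.2, status=sent (delivered to maildir)
Mar  3 09:09:30 mx1 postfix/smtpd[2130]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@other.example>: Relay access denied; from=<spoof@corp.example> to=<victim@other.example> proto=ESMTP helo=<mail>
"""

LINE_RE = re.compile(r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_log(text):
    """Join per-message fields by queue ID; collect NOQUEUE relay rejects separately."""
    msgs = defaultdict(lambda: {"auth": None, "client": None, "env_from": None,
                                "hdr_from": None, "rcpts": []})
    rejects = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proc, qid, rest = m.group("proc", "qid", "rest")
        if qid == "NOQUEUE":  # rejected before queueing; no queue ID to join on
            if "Relay access denied" in rest:
                cl = re.search(r"RCPT from (\S+?)\[([\d.]+)\]", rest)
                fr = re.search(r"from=<([^>]*)>", rest)
                to = re.search(r"to=<([^>]*)>", rest)
                rejects.append({"client_host": cl.group(1), "client_ip": cl.group(2),
                                "env_from": fr.group(1), "rcpt": to.group(1)})
            continue
        rec = msgs[qid]
        if proc == "smtpd":  # who authenticated, and from where
            u = re.search(r"sasl_username=([^,\s]+)", rest)
            c = re.search(r"client=([^,\s]+)", rest)
            rec["auth"] = u.group(1).lower() if u else None
            rec["client"] = c.group(1) if c else None
        elif proc == "cleanup" and "header From:" in rest:  # header_checks WARN output
            hdr = re.search(r"header From: (.*?) from \S+\[", rest)
            addr = ADDR_RE.search(hdr.group(1)) if hdr else None
            rec["hdr_from"] = addr.group(0).lower() if addr else None
        elif proc == "qmgr":  # envelope-from (return-path)
            fr = re.search(r"from=<([^>]*)>", rest)
            rec["env_from"] = fr.group(1).lower() if fr else None
        elif proc in ("local", "virtual", "smtp", "lmtp"):  # per-recipient delivery
            to = re.search(r"to=<([^>]*)>", rest)
            if to and "status=sent" in rest:
                rec["rcpts"].append(to.group(1).lower())
    return dict(msgs), rejects


def analyze(msgs, rejects):
    """Apply the three AN0793 checks; returns sorted (qid, kind, detail) findings."""
    findings = []
    for qid, r in msgs.items():
        allowed = APPROVED_DELEGATION.get(r["auth"], set()) | {r["auth"]}
        for field in ("env_from", "hdr_from"):
            ident = r[field]
            if r["auth"] and ident and ident not in allowed:
                findings.append((qid, "identity_mismatch",
                                 f"{field}={ident} sent by sasl_username={r['auth']}"))
        internal = [a for a in r["rcpts"] if a.endswith("@" + INTERNAL_DOMAIN)]
        if len(internal) >= CAMPAIGN_THRESHOLD:
            findings.append((qid, "internal_campaign",
                             f"{len(internal)} internal recipients from {r['auth']}"))
    for rj in rejects:
        findings.append(("NOQUEUE", "relay_denied",
                         f"{rj['client_host']}[{rj['client_ip']}] from=<{rj['env_from']}> to=<{rj['rcpt']}>"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(*parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, the helpdesk service account that authenticated and then sent as the CEO to three internal users produces two identity mismatches and one campaign finding, the delegated app sender produces none, and the external relay attempt is reported from the NOQUEUE reject. Two caveats for production use: header From logging exists only if header_checks (or equivalent milter logging) is configured, and Postfix can enforce the envelope-from half at submission time with `reject_sender_login_mismatch` and `smtpd_sender_login_maps`, which turns the approved-delegation table into a control as well as a detection allowlist.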
Mitigation priorities
- Ensure Linux mail servers generate and retain sufficiently detailed SMTP authentication, header, envelope, relay, and delivery logs.
- Define approved sender delegation and application-sending patterns so detection can separate legitimate mismatches from suspicious ones.
- Restrict and review relay permissions to reduce unauthorized or unexpected relay behavior.
- Tune monitoring thresholds for outbound volume and internal-recipient campaigns based on business-normal mail patterns.
- Document evidence collection and review procedures so findings can support incident response and compliance readiness.
Analyst notes and limits
AN0793 is a detection analytic, not a technique or adversary behavior entry. The supplied object provides a monitoring objective for Linux mail server logs and names Postfix, Sendmail, and Exim as examples. No ATT&CK relationships, tactics, aliases, or detailed detection implementation are supplied, so local mail architecture and approved sending patterns are essential for meaningful tuning.
This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Environments using cloud-native mail platforms, external secure email gateways, or application mail services may require additional telemetry not specified in the object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0176c060e326… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0793 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.