AN1010: Analytic 1010
Detect abnormal use of email clients (e.g., Outlook, Thunderbird) showing mass arrival of messages or repetitive attachments being locally stored. Correlate message volume with file creation activity in mail cache directories.
Analyst context for executives and security teams
This analytic is about spotting unusual email-client behavior on office-suite endpoints: unusually high message arrival volume combined with repeated local storage of attachments in mail cache directories. For security leaders, the value is early visibility into email-driven activity that may create operational risk before users or systems report a larger incident.
Executive priority
Prioritize this where email clients are important to business operations and where incident response depends on proving what arrived, what was cached locally, and when files were created. The leadership question is whether SOC and IR teams can correlate mail volume with endpoint file-creation evidence quickly enough to support containment decisions, user-risk triage, and audit-ready incident timelines.
Technical view
For Office Suite environments, validate whether telemetry can link abnormal email-client activity, such as mass message arrival in Outlook or Thunderbird, with repeated attachment file creation in local mail cache directories. Because ATT&CK does not provide a separate detection implementation here, teams should define local baselines for normal message volume, attachment frequency, and cache-directory write behavior, then tune for deviations that are meaningful in their environment.
Likely telemetry
- Email client activity or mailbox/message-arrival metadata
- Endpoint file creation events
- File path evidence for local mail cache directories
- Attachment filename, hash, size, or extension metadata where available
- Host, user, and timestamp correlation between message arrival and file creation
Detection direction
- Confirm that endpoint logging captures file creation in relevant mail cache directories for supported email clients.
- Correlate spikes in message arrival volume with repetitive attachment writes rather than alerting on either signal alone.
- Baseline high-volume users or shared mailboxes to reduce false positives from legitimate business workflows.
- Validate timestamp consistency between email events and local file creation events for incident timelines.
- Document blind spots where email client telemetry, cache-directory paths, or attachment metadata are not collected.
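The correlation rule sketched in the list above, as an added example that is not part of the ATT&CK object or Glexia's analysis: events are bucketed per host and user into fixed windows, and an alert fires only when mail arrival exceeds a per-user baseline AND the same-extension attachment writes land in an assumed mail cache directory. Event field names, cache-directory markers, thresholds and the sample telemetry are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Tunables are assumptions; replace with locally measured baselines.
WINDOW_MIN = 10          # correlation window in minutes
SPIKE_FACTOR = 3.0       # mail volume must exceed the user's baseline by this factor
MIN_REPEAT_WRITES = 5    # same-extension attachment writes needed in the same window
CACHE_MARKERS = ("/AppData/Local/Microsoft/Outlook/", "/.thunderbird/")  # assumed cache dirs

def in_cache_dir(path):
    return any(m in path.replace("\\", "/") for m in CACHE_MARKERS)

def bucket(ts):
    """Floor an ISO-8601 timestamp to the start of its WINDOW_MIN-minute window."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % WINDOW_MIN, second=0, microsecond=0)

def correlate(events, baseline):
    """Alert only when one host/user window shows BOTH a mail spike and repetitive cache writes."""
    mail, writes = Counter(), defaultdict(list)
    for e in events:
        key = (e["host"], e["user"], bucket(e["ts"]))
        if e["type"] == "mail_arrival":
            mail[key] += 1
        elif e["type"] == "file_create" and in_cache_dir(e["path"]):
            name = e["path"].replace("\\", "/").rsplit("/", 1)[-1]
            writes[key].append(name.rpartition(".")[2].lower() if "." in name else "")
    alerts = []
    for (host, user, start), n in mail.items():
        expected = baseline.get((host, user), 1)          # messages per window, from history
        top = Counter(writes.get((host, user, start), [])).most_common(1)
        ext, repeats = top[0] if top else ("", 0)
        if n >= SPIKE_FACTOR * expected and repeats >= MIN_REPEAT_WRITES:
            alerts.append({"host": host, "user": user, "window_start": start.isoformat(),
                           "mail_count": n, "expected": expected, "ext": ext, "repeat_writes": repeats})
    return alerts

# Constructed sample telemetry: bob shows both signals, svc only a volume spike, alice only writes.
def _arrivals(host, user, n):
    return [{"ts": f"2024-05-01T09:{i // 2:02d}:{(i % 2) * 30:02d}", "type": "mail_arrival",
             "host": host, "user": user} for i in range(n)]

def _writes(host, user, n, ext):
    return [{"ts": f"2024-05-01T09:0{i}:15", "type": "file_create", "host": host, "user": user,
             "path": f"C:\\Users\\{user}\\AppData\\Local\\Microsoft\\Outlook\\att\\file_{i}{ext}"}
            for i in range(n)]

SAMPLE_EVENTS = (_arrivals("ws02", "bob", 12) + _writes("ws02", "bob", 6, ".zip")
                 + _arrivals("ws03", "svc", 12) + _arrivals("ws01", "alice", 4)
                 + _writes("ws01", "alice", 6, ".docx"))
BASELINE = {("ws02", "bob"): 3, ("ws03", "svc"): 3, ("ws01", "alice"): 4}
```

Only bob's window produces an alert; svc's spike without cache writes and alice's writes at normal volume are suppressed, which is the "rather than alerting on either signal alone" rule from the list.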
Mitigation priorities
- Ensure email and endpoint telemetry needed for correlation is enabled and retained for investigation.
- Define normal message and attachment-volume baselines for priority users, departments, and shared mailboxes.
- Create SOC triage guidance for reviewing suspicious cache-directory file creation tied to abnormal email arrival patterns.
- Use findings to support broader email security, endpoint monitoring, and incident response readiness improvements without assuming this analytic alone provides full coverage.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify the platform as Office Suite and describe the intended analytic logic, but no tactics, related techniques, or relationship context were provided. Treat it as a coverage-validation prompt for email-client and endpoint telemetry correlation.
Official detection content is not provided, and no ATT&CK relationships are supplied. Local email client configuration, cache paths, logging availability, retention, and normal business mail patterns must be validated before operationalizing this analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ce6bddba9d94… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1010 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.