AN1205: Analytic 1205
Correlates Office 365 or Google Workspace audit logs for spoofed sender addresses, failed email authentication, and anomalies in message delivery metadata. Defender observes failed SPF/DKIM checks and domain mismatches tied to suspicious campaigns.
Analyst context for executives and security teams
Analytic 1205 is about using Office 365 or Google Workspace audit evidence to spot email campaigns in which the claimed sender identity does not line up with the authentication results and delivery metadata. For leaders, the value is not simply "detect spoofing"; it is being able to prove from the audit logs, before users act on a message, that it failed SPF/DKIM, used mismatched domains, or showed unusual delivery characteristics.
Executive priority
Prioritize this analytic where email is a major path for fraud, credential theft, business email compromise, or audit-sensitive communications. The business question is whether security teams can quickly validate suspicious sender identity across cloud email logs and produce defensible evidence for incident response, user notification, and compliance inquiries. Investment should focus on reliable audit-log collection, retention, and correlation across Office Suite environments rather than assuming the email gateway alone provides enough context.
Technical view
This analytic applies to Office Suite platforms and correlates Office 365 or Google Workspace audit logs for spoofed sender addresses, failed email authentication, and anomalies in message delivery metadata. SOC and detection teams should validate that they can observe failed SPF and DKIM checks, mismatches between the header From domain and the domains that SPF and DKIM actually authenticated, and the message-delivery metadata (recipients, sending IP, timing, delivery status) tied to suspicious campaigns. Because no ATT&CK tactic or formal detection logic is supplied, local implementation must define correlation windows, sender/domain mismatch rules, and campaign grouping criteria.
Likely telemetry
- Office 365 audit logs, where applicable
- Google Workspace audit logs, where applicable
- Email authentication results such as SPF and DKIM outcomes
- Sender address and sending-domain metadata
- Message delivery metadata
Detection direction
- Confirm that cloud email audit logs are enabled, retained, searchable, and normalized enough to correlate sender identity, authentication results, and delivery metadata.
- Tune for combinations of failed SPF/DKIM checks, sender-domain mismatches, and abnormal delivery metadata rather than single weak indicators alone.
- Review false positives from legitimate third-party senders, forwarding services, mailing platforms, and misconfigured domains.
- Validate whether detections preserve enough evidence for incident response decisions, including affected recipients, message identifiers, authentication outcomes, and delivery status.
- Document blind spots where email traffic, forwarding, or external security tooling prevents complete audit visibility.
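As an added example of the correlation the technical view and detection direction describe (it is not code from the page or from MITRE), the script below parses Authentication-Results-style strings for SPF/DKIM outcomes, checks relaxed alignment between the header From domain and the SPF/DKIM-authenticated domains, groups messages into campaigns by subject and sending IP inside a correlation window, and raises a finding only when two or more indicator categories combine. The record layout, field names, domains, thresholds, and the trusted-sender exception list are assumptions; the sample records are constructed and do not follow either product's real log schema.

```python
"""Correlate normalized cloud-email audit records into spoofed-sender findings."""
import re
from datetime import datetime, timedelta

# Assumed configuration: our domains, an exception list of third-party platforms
# (identified by their DKIM d= domain) allowed to mail on our behalf, thresholds.
ORG_DOMAINS = {"example.com"}
TRUSTED_DKIM_DOMAINS = {"mail.examplemailer.net"}
CORRELATION_WINDOW = timedelta(minutes=30)
CAMPAIGN_MIN_RECIPIENTS = 3

def parse_auth_results(header):
    """Parse an Authentication-Results-style string into {method: (result, props)}."""
    out = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        props = re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.\-]+)", clause, re.I)
        out[m.group(1).lower()] = (m.group(2).lower(), {k.lower(): v.lower() for k, v in props})
    return out

def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplification (assumption):
    the last two labels; production code should consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def message_indicators(rec):
    """Per-message indicators, each prefixed with its category: 'auth:' or 'mismatch:'."""
    auth = parse_auth_results(rec["authentication_results"])
    from_dom = rec["from_header"].rsplit("@", 1)[-1].lower()
    spf_res, spf_props = auth.get("spf", ("none", {}))
    dkim_res, dkim_props = auth.get("dkim", ("none", {}))
    dkim_dom = dkim_props.get("header.d", "none")
    hits = set()
    if spf_res != "pass":
        hits.add(f"auth:spf={spf_res}")
    if dkim_res != "pass":
        hits.add(f"auth:dkim={dkim_res}")
    if dkim_res == "pass" and dkim_dom in TRUSTED_DKIM_DOMAINS:
        return hits  # known platform with a valid signature: alignment checks waived
    mailfrom = spf_props.get("smtp.mailfrom", "")
    if mailfrom and org_domain(mailfrom) != org_domain(from_dom):
        hits.add(f"mismatch:spf-unaligned({mailfrom})")
    if dkim_dom != "none" and org_domain(dkim_dom) != org_domain(from_dom):
        hits.add(f"mismatch:dkim-unaligned({dkim_dom})")
    if org_domain(from_dom) in ORG_DOMAINS and rec["direction"] == "inbound":
        hits.add("mismatch:inbound-claims-org-domain")  # our domain, external origin
    return hits

def correlate(records):
    """Group messages by (subject, sender IP) within the window; raise a finding only
    when two or more indicator categories (auth, mismatch, delivery) combine."""
    campaigns, open_by_key = [], {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        key = (rec["subject"].strip().lower(), rec["sender_ip"])
        camp = open_by_key.get(key)
        if camp is None or rec["timestamp"] - camp[0]["timestamp"] > CORRELATION_WINDOW:
            camp = []
            campaigns.append(camp)
            open_by_key[key] = camp
        camp.append(rec)
    findings = []
    for camp in campaigns:
        hits = set().union(*(message_indicators(r) for r in camp))
        recipients = sorted({r["recipient"] for r in camp})
        if len(recipients) >= CAMPAIGN_MIN_RECIPIENTS:
            hits.add(f"delivery:{len(recipients)}-recipients-in-window")
        if len({h.split(":", 1)[0] for h in hits}) < 2:
            continue  # a single weak indicator does not alert
        findings.append({  # evidence an IR playbook needs, kept with the finding
            "from_header": camp[0]["from_header"], "sender_ip": camp[0]["sender_ip"],
            "subject": camp[0]["subject"], "recipients": recipients,
            "message_ids": [r["message_id"] for r in camp],
            "delivery_status": sorted({r["delivery_status"] for r in camp}),
            "indicators": sorted(hits),
        })
    return findings

def _rec(mid, ts, sender, rcpt, subject, ip, auth, status="Delivered"):
    return {"message_id": mid, "timestamp": datetime.fromisoformat(ts), "from_header": sender,
            "recipient": rcpt, "subject": subject, "sender_ip": ip, "direction": "inbound",
            "authentication_results": auth, "delivery_status": status}

# Constructed sample records (not real Office 365 / Workspace data).
SPOOF_AUTH = ("spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=attacker-mail.net; "
              "dkim=none (message not signed) header.d=none; dmarc=fail header.from=example.com")
SAMPLE_RECORDS = [
    _rec("m1", "2026-03-02T09:00:00", "ceo@example.com", "alice@example.com", "Urgent wire transfer", "203.0.113.7", SPOOF_AUTH),
    _rec("m2", "2026-03-02T09:03:00", "ceo@example.com", "bob@example.com", "Urgent wire transfer", "203.0.113.7", SPOOF_AUTH),
    _rec("m3", "2026-03-02T09:05:00", "ceo@example.com", "carol@example.com", "Urgent wire transfer", "203.0.113.7", SPOOF_AUTH, "Quarantined"),
    # Newsletter via a trusted platform: envelope domain differs, but DKIM is trusted.
    _rec("m4", "2026-03-02T10:00:00", "news@example.com", "dave@example.com", "March newsletter", "198.51.100.20",
         "spf=pass smtp.mailfrom=bounce.examplemailer.net; dkim=pass header.d=mail.examplemailer.net"),
    # Partner with only a soft SPF failure and aligned DKIM: one weak indicator, no alert.
    _rec("m5", "2026-03-02T11:00:00", "erin@partner.test", "alice@example.com", "Invoice 4471", "192.0.2.9",
         "spf=softfail smtp.mailfrom=partner.test; dkim=pass header.d=partner.test"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample, only the three "Urgent wire transfer" messages produce a finding: they fail SPF, carry no DKIM signature, claim an organizational From domain from an external IP, and reach three recipients inside the window. The newsletter is misaligned on SPF but carries a valid signature from a listed platform, so the exception suppresses the alignment indicators, and the partner message has a single soft failure and never alerts. Each finding carries the message identifiers, recipients, authentication outcomes, and delivery statuses that triage needs.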
Mitigation priorities
- Ensure Office Suite audit logging is enabled and retained for the period required by incident response and compliance needs.
- Harden and regularly review email authentication configuration and domain alignment practices for organizational domains.
- Create operational playbooks for triaging spoofed-sender and failed-authentication alerts, including user notification and message search/removal decisions where supported locally.
- Maintain an exception process for legitimate senders that fail or complicate authentication so detection tuning does not become ad hoc.
- Use periodic control validation to confirm that suspicious messages can be traced from authentication result to recipient impact.
Analyst notes and limits
This object is a detection analytic, not an ATT&CK technique. It provides a high-level description for correlating Office 365 or Google Workspace audit logs around spoofed sender addresses, failed SPF/DKIM checks, domain mismatches, and delivery metadata anomalies. No relationship context, tactic mapping, or official detection logic was supplied, so implementation details must come from local email architecture and log availability.
The supplied ATT&CK fields do not include tactics, relationships, aliases, labels, or a formal detection specification. This analytic should not be read as evidence of active exploitation, attribution, guaranteed detection, or coverage beyond the Office Suite environments (Office 365 or Google Workspace audit logs) named in the description.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2feb4cf8c034… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1205
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.