AN1309: Analytic 1309
Correlates creation of email forwarding rules or header anomalies (e.g., X-MS-Exchange-Organization-AutoForwarded) with suspicious process execution, file access of .pst/.ost files, and network connections to external SMTP servers.
Analyst context for executives and security teams
This analytic matters because unauthorized or risky email forwarding can turn mailbox access into quiet data loss. The supplied ATT&CK description points to a correlation use case: email forwarding rule creation or auto-forwarding header anomalies combined with Windows-side evidence such as suspicious process execution, access to .pst/.ost mail stores, and outbound connections to external SMTP servers. For leaders, the decision value is whether email, endpoint, and network telemetry can be joined quickly enough to distinguish legitimate mail administration from potential mailbox data exfiltration activity.
Executive priority
Prioritize this as a cross-domain visibility and response-readiness check rather than a standalone alert. Security leaders should ask whether the organization can prove who created forwarding rules, whether auto-forwarded mail is visible in mail headers, whether Windows endpoints expose access to local Outlook data files, and whether outbound SMTP connections to external destinations are governed and investigated. This supports business continuity, compliance evidence around email data handling, and incident decision-making when sensitive communications may have left approved systems.
Technical view
For SOC, detection engineering, and IR teams, validate correlation across the official analytic elements: creation of email forwarding rules, header anomalies such as X-MS-Exchange-Organization-AutoForwarded, suspicious process execution on Windows, file access involving .pst or .ost files, and network connections to external SMTP servers. Because no official detection logic or tactic mapping is supplied, teams should treat this as a detection design pattern and tune it against local mail administration, endpoint behavior, and approved SMTP egress patterns.
Likely telemetry
- Email forwarding rule creation and modification events
- Email message headers, including auto-forwarding indicators such as X-MS-Exchange-Organization-AutoForwarded
- Windows process execution telemetry
- File access telemetry for .pst and .ost files
- Network connection telemetry showing outbound SMTP activity and external destinations
Detection direction
- Validate that email, Windows endpoint, and network events can be correlated by user, host, time window, and destination.
- Tune forwarding-rule alerts against known administrative activity, legitimate delegation, mailbox migrations, and sanctioned forwarding workflows.
- Review whether header-based auto-forward indicators are retained and searchable in the mail security or logging stack.
- Check for blind spots where endpoint telemetry does not capture .pst/.ost access or where network controls do not log direct SMTP egress.
- Use external SMTP connections as a prioritization signal, but avoid treating them as conclusive without confirming local business-approved mail flows.
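The correlation pattern this analytic describes, as an added illustration written for this page (it is not the ATT&CK object's detection logic and not code from Glexia or MITRE): each of the four telemetry families above is reduced to a boolean signal, the signals are joined by user inside a time window, and a finding is raised only when a mail-side signal (forwarding rule or auto-forward header) is followed by an endpoint- or network-side one. The event schema, field names, allowlists (sanctioned forwarding domains, approved SMTP relays, expected mail-client processes) and the sample records are all constructed assumptions; a real deployment would load the allowlists from local policy and normalise events from the mail audit log, EDR and network sensors into this shape.

```python
"""Added example: cross-domain correlation in the shape AN1309 describes.
Illustrative code for this page only; schema, allowlists and sample events
are constructed assumptions, not the ATT&CK object's or Glexia's own logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning inputs (constructed). In practice these come from the mail platform's
# sanctioned-forwarding policy and the network team's approved SMTP egress list.
SANCTIONED_FORWARD_DOMAINS = {"corp.example"}
APPROVED_SMTP_RELAYS = {"smtp-relay.corp.example"}
EXPECTED_MAIL_PROCESSES = {"outlook.exe"}
MAIL_STORE_SUFFIXES = (".pst", ".ost")
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=30)
AUTOFWD_HEADER = "X-MS-Exchange-Organization-AutoForwarded"

# Constructed sample telemetry, already normalised to one shape:
#   ts (ISO 8601), user, host, kind, plus kind-specific fields.
SAMPLE_EVENTS = [
    # alice: mail-side signals followed by endpoint and network signals
    {"ts": "2024-05-01T09:00:00", "user": "alice", "host": "WS-ALICE", "kind": "forward_rule",
     "forward_to": "alice.archive@mail-external.example"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "host": "WS-ALICE", "kind": "mail_header",
     "headers": {AUTOFWD_HEADER: "true"}},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "host": "WS-ALICE", "kind": "file_access",
     "process": "unsigned-tool.exe",  # constructed name for a non-mail-client process
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "host": "WS-ALICE", "kind": "net_conn",
     "process": "unsigned-tool.exe", "dest": "203.0.113.45", "dest_port": 587},
    # bob: sanctioned internal delegation rule, mail sent via the approved relay
    {"ts": "2024-05-01T10:00:00", "user": "bob", "host": "WS-BOB", "kind": "forward_rule",
     "forward_to": "team-shared@corp.example"},
    {"ts": "2024-05-01T10:01:00", "user": "bob", "host": "WS-BOB", "kind": "net_conn",
     "process": "outlook.exe", "dest": "smtp-relay.corp.example", "dest_port": 587},
    # carol: the mail client touching its own OST, with no mail-side signal at all
    {"ts": "2024-05-01T11:00:00", "user": "carol", "host": "WS-CAROL", "kind": "file_access",
     "process": "outlook.exe",
     "path": r"C:\Users\carol\AppData\Local\Microsoft\Outlook\carol.ost"},
]


def is_external_forward(ev):
    """Forwarding rule whose target domain is outside the sanctioned list."""
    domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
    return domain not in SANCTIONED_FORWARD_DOMAINS


def is_autoforward_header(ev):
    """Message carrying the Exchange auto-forwarded header."""
    return ev["headers"].get(AUTOFWD_HEADER, "").lower() == "true"


def is_unexpected_mailstore_access(ev):
    """A .pst/.ost file opened by something other than the expected mail client."""
    return (ev["path"].lower().endswith(MAIL_STORE_SUFFIXES)
            and ev["process"].lower() not in EXPECTED_MAIL_PROCESSES)


def is_unapproved_smtp_egress(ev):
    """SMTP-port connection to a destination that is not an approved relay."""
    return ev["dest_port"] in SMTP_PORTS and ev["dest"].lower() not in APPROVED_SMTP_RELAYS


SIGNAL_CHECKS = {
    "forward_rule": is_external_forward,
    "mail_header": is_autoforward_header,
    "file_access": is_unexpected_mailstore_access,
    "net_conn": is_unapproved_smtp_egress,
}
MAIL_SIDE = {"forward_rule", "mail_header"}
ENDPOINT_SIDE = {"file_access", "net_conn"}


def correlate(events, window=WINDOW):
    """One finding per user whose mail-side signal is followed, within `window`,
    by at least one endpoint or network signal. A lone external SMTP connection
    or a lone forwarding rule never produces a finding by itself."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        check = SIGNAL_CHECKS.get(ev["kind"])
        if check and check(ev):
            by_user[ev["user"]].append(ev)

    findings = []
    for user, sigs in by_user.items():
        for anchor in (s for s in sigs if s["kind"] in MAIL_SIDE):
            t0 = datetime.fromisoformat(anchor["ts"])
            cluster = [s for s in sigs
                       if t0 <= datetime.fromisoformat(s["ts"]) <= t0 + window]
            kinds = {s["kind"] for s in cluster}
            if kinds & ENDPOINT_SIDE:
                findings.append({
                    "user": user,
                    "hosts": sorted({s["host"] for s in cluster}),
                    "first_seen": anchor["ts"],
                    "signals": sorted(kinds),
                    # more independent signal kinds -> higher priority for IR
                    "severity": "high" if len(kinds) >= 3 else "medium",
                })
                break  # one finding per user; later anchors would repeat it
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only alice produces a finding (all four signal kinds within 30 minutes, severity "high"); bob's sanctioned delegation rule and relay traffic and carol's Outlook-only OST access are tuned out by the allowlists, which is the tuning the bullets above call for. The design choice worth noting is that the external SMTP connection is a prioritisation input to severity, never a finding on its own.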
Mitigation priorities
- Establish governance for email forwarding rules, including review of who can create them and how changes are logged.
- Restrict or monitor outbound SMTP paths that bypass approved mail infrastructure where business requirements allow.
- Ensure Windows endpoint logging can support investigation of process execution and access to Outlook data files.
- Define an incident response playbook for suspected unauthorized forwarding, including mailbox review, account access review, and scoping of potentially exposed messages.
- Maintain audit evidence showing forwarding-rule monitoring, email header visibility, endpoint telemetry coverage, and network egress review.
Analyst notes and limits
The object is a detection analytic for Windows in the enterprise ATT&CK domain. It provides a concise correlation concept but no official detection query, no tactic mapping, and no relationship context. The strongest use is as a validation checklist for cross-domain monitoring between email, endpoint, and network controls.
This take is limited to the supplied ATT&CK fields and the single external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local mail platform configuration, endpoint logging depth, SMTP egress architecture, and business-approved forwarding practices are required to determine practical coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8eceebe2113… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1309 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.