MITRE ATT&CK® Analytic

AN1361: Analytic 1361

Monitor for anomalous access to financial applications, browser-based banking sessions, or enterprise ERP systems from Windows endpoints. Detect mass emailing of payment instructions, sudden rule changes in Outlook for financial staff, or use of clipboard data exfiltration tied to cryptocurrency wallet addresses.

Domain: Enterprise · ID: AN1361 · Type: Analytic · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1361 is a Windows-focused detection analytic for spotting suspicious activity around financial workflows: access to banking or ERP systems, mass payment-instruction emails, Outlook rule changes for finance users, and clipboard activity involving cryptocurrency wallet addresses. Its business value is that it highlights behaviors that can directly affect payment integrity, fraud response, and auditability of finance operations.

Executive priority

Treat this as a control-validation prompt for financial operations resilience. Leaders should ask whether the organization can see and investigate unusual finance-application access, email behavior from payment-authorized staff, mailbox rule changes, and endpoint clipboard activity where appropriate. The priority is not just malware detection; it is proving that SOC, identity, email, endpoint, and finance-process evidence can support rapid decisions during suspected payment fraud or business email compromise scenarios.

Technical view

For Windows endpoints, validate whether monitoring exists for anomalous access to financial applications, browser-based banking sessions, and enterprise ERP systems. Pair endpoint evidence with email and identity context for finance staff, especially mass emailing of payment instructions and sudden Outlook rule changes. Where clipboard monitoring is available and legally/operationally approved, assess whether cryptocurrency wallet-address patterns can be correlated with suspicious finance-session activity. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat AN1361 as a detection strategy concept requiring local baselining, role scoping, and false-positive review.

Likely telemetry

  • Windows endpoint activity logs relevant to browser, application, and clipboard behavior
  • Browser access logs or endpoint/browser telemetry for banking and ERP sessions
  • ERP and financial application access logs
  • Email security or mail-server logs showing mass sending of payment instructions
  • Microsoft Outlook or mailbox audit logs for rule creation, modification, or deletion

Detection direction

  • Baseline normal finance-user access to ERP, banking, and payment-related applications before alerting on anomalies.
  • Monitor for unusual volume or pattern changes in payment-instruction emails, with role-based allowlists and review of legitimate finance campaigns or vendor-payment cycles.
  • Alert on sudden Outlook rule changes for financial staff, especially rules that redirect, hide, delete, or forward payment-related messages.
  • Correlate Windows endpoint behavior with email and financial-application access rather than treating each signal in isolation.
  • If clipboard inspection is used, tune carefully for privacy, legal, and operational constraints; use it as supporting evidence rather than a standalone conclusion.
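The correlation idea in the list above, shown as an added example written for this page (it is not Glexia's or MITRE's detection logic and AN1361 supplies none). The script runs three of the signals over constructed sample events: finance users reaching an ERP or banking application outside their baseline, risky Outlook rule changes scoped to finance staff, and a sliding-window count of payment-instruction mails; it then escalates only when a user trips more than one signal type. Every field name, the finance roster, the baseline, the keyword list and the thresholds are assumptions to be replaced by local telemetry and baselining; the clipboard signal is left out because it depends on an endpoint agent and the approval step the page describes.

```python
"""Correlating AN1361-style finance signals over constructed sample events.

Added example, not Glexia or MITRE code. Event shapes, field names, the
finance roster, the baseline and the thresholds are assumptions; a real
pipeline maps ERP access logs, mail-server logs and mailbox audit logs
onto these fields and tunes the numbers after baselining.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed roster of payment-authorised accounts (supplied by finance/HR).
FINANCE_USERS = {"ap.clerk", "treasury.lead"}

# Assumed baseline: apps each finance user normally touches (from a quiet period).
BASELINE_APPS = {
    "ap.clerk": {"erp-payables"},
    "treasury.lead": {"erp-payables", "bank-portal"},
}

PAYMENT_WORDS = ("payment", "invoice", "wire", "remittance", "bank details")
RISKY_RULE_ACTIONS = {"forward", "delete", "move"}   # rules that hide or divert mail
MASS_MAIL_THRESHOLD = 5                              # payment mails per user per window
WINDOW = timedelta(hours=1)

# Constructed sample events (not real log data). "intern" is outside the roster,
# so the rule-change check must ignore that entry (role scoping).
EVENTS = [
    {"ts": "2025-03-03T09:02:00", "type": "app_access", "user": "ap.clerk", "app": "erp-payables"},
    {"ts": "2025-03-03T09:10:00", "type": "app_access", "user": "ap.clerk", "app": "bank-portal"},
    {"ts": "2025-03-03T09:12:00", "type": "mailbox_rule", "user": "ap.clerk",
     "action": "delete", "condition": "subject contains invoice"},
    *[{"ts": f"2025-03-03T09:{20 + i:02d}:00", "type": "mail_sent", "user": "ap.clerk",
       "subject": "Updated payment instructions"} for i in range(6)],
    {"ts": "2025-03-03T14:00:00", "type": "app_access", "user": "treasury.lead", "app": "bank-portal"},
    {"ts": "2025-03-03T14:05:00", "type": "mail_sent", "user": "treasury.lead",
     "subject": "Monthly invoice batch"},
    {"ts": "2025-03-03T14:06:00", "type": "mailbox_rule", "user": "intern",
     "action": "forward", "condition": "subject contains payment"},
]


def _is_payment_related(text):
    return any(word in text.lower() for word in PAYMENT_WORDS)


def anomalous_app_access(events):
    """Finance users touching an ERP/banking app that is not in their baseline."""
    hits = []
    for e in events:
        if e["type"] != "app_access" or e["user"] not in FINANCE_USERS:
            continue
        if e["app"] not in BASELINE_APPS.get(e["user"], set()):
            hits.append((e["user"], "anomalous_app_access", e["ts"]))
    return hits


def risky_mailbox_rules(events):
    """Finance-staff rule changes that forward, delete or move payment-related mail."""
    hits = []
    for e in events:
        if e["type"] != "mailbox_rule" or e["user"] not in FINANCE_USERS:
            continue
        if e["action"] in RISKY_RULE_ACTIONS and _is_payment_related(e["condition"]):
            hits.append((e["user"], "risky_mailbox_rule", e["ts"]))
    return hits


def mass_payment_mail(events):
    """Sliding-window count of payment-instruction mails per finance user."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "mail_sent" and e["user"] in FINANCE_USERS \
                and _is_payment_related(e["subject"]):
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:      # drop mails older than the window
                start += 1
            if end - start + 1 >= MASS_MAIL_THRESHOLD:
                hits.append((user, "mass_payment_mail", t.isoformat()))
                break                              # one alert per user is enough
    return hits


def correlate(events, min_signals=2):
    """Escalate a user only when distinct signal types reach min_signals."""
    signals = anomalous_app_access(events) + risky_mailbox_rules(events) + mass_payment_mail(events)
    by_user = defaultdict(set)
    for user, kind, _ in signals:
        by_user[user].add(kind)
    return {u: sorted(k) for u, k in by_user.items() if len(k) >= min_signals}


if __name__ == "__main__":
    print(correlate(EVENTS))
```

On the sample data only ap.clerk is escalated: treasury.lead's bank-portal session is in baseline and a single invoice mail stays under the threshold, and the intern's forwarding rule is ignored because the account is not payment-authorised. That is the point of the role scoping and baselining the page asks for; the individual signal functions still return their hits so an analyst can review them as supporting evidence.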

Mitigation priorities

  • Prioritize audit logging for finance applications, ERP systems, email platforms, mailbox rules, and finance-user identity events.
  • Define and maintain a list of finance roles and payment-authorized accounts so monitoring can be scoped and prioritized.
  • Review mailbox rule governance and alerting for financial staff, including change auditing and investigation procedures.
  • Strengthen payment-change and payment-instruction verification processes so technical alerts can trigger business-side validation.
  • Ensure incident response playbooks include finance, legal, IT, identity, email, and endpoint teams for suspected payment-fraud activity.

Analyst notes and limits

The object is a detection analytic, not a technique or threat actor report. The supplied ATT&CK fields identify Windows as the platform and describe monitoring themes around finance applications, browser banking, ERP systems, Outlook rules, mass payment emails, and clipboard exfiltration tied to cryptocurrency wallet addresses. No relationship context, tactic mapping, or official detection logic is provided, so implementation depends on local telemetry, finance-process knowledge, and acceptable-use/privacy requirements.

No official detection logic, ATT&CK tactic, data components, relationships, adversary use, or mitigation mappings were supplied. This take does not infer active exploitation, attribution, or guaranteed coverage. Non-Windows finance activity is outside the stated platform support for this object.

Official MITRE ATT&CK definition

Analytic 1361

Monitor for anomalous access to financial applications, browser-based banking sessions, or enterprise ERP systems from Windows endpoints. Detect mass emailing of payment instructions, sudden rule changes in Outlook for financial staff, or use of clipboard data exfiltration tied to cryptocurrency wallet addresses.

The same entry is available on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 004824375f5015d1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 004824375f50…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1361

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.