AN1365: Analytic 1365

Monitor email and document management systems for fraudulent invoices, impersonation of vendors, or BEC-style payment redirections. Detect abnormal editing of invoice templates, or emails containing known fraud language combined with attachment delivery.

EnterpriseAN1365AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

Analytic 1365 is focused on spotting invoice fraud and business email compromise patterns in Office Suite environments, especially vendor impersonation, fraudulent invoices, payment redirection language, suspicious attachments, and abnormal edits to invoice templates. Its business value is that these events often sit between security, finance, legal, and vendor-management workflows; detection depends as much on email/document visibility and payment-process validation as on traditional SOC alerting.

Executive priority

Prioritize this analytic where invoice processing, vendor payments, or shared document workflows create material financial and operational risk. Leaders should ask whether the organization can prove who changed invoice templates, which emails introduced payment-change requests, and whether finance teams have an escalation path before funds are released. This is also useful as compliance and audit evidence for controls around payment authorization, fraud monitoring, and separation of duties, but local process evidence is required because ATT&CK provides no guaranteed detection logic here.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring across email and document management systems on the Office Suite platform. The analytic points to combined signals: emails with fraud-like payment redirection language, vendor impersonation indicators, attachment delivery, fraudulent invoice themes, and abnormal editing of invoice templates. Because no official detection logic is provided, teams should translate this into environment-specific content using mail metadata, attachment events, document edit history, template access patterns, sender/domain context, and finance workflow outcomes. Tuning should account for legitimate vendor onboarding, bank-detail updates, invoice template maintenance, and finance mailbox automation.

Likely telemetry

Email gateway or mailbox logs for sender, recipient, subject, attachment, and delivery metadata
Email content inspection results where legally and operationally permitted, especially payment redirection or invoice-fraud language indicators
Attachment metadata and detonation or scanning results for invoice-related files
Document management audit logs for invoice template creation, editing, sharing, download, and permission changes
Office Suite identity and access logs tied to users editing or sending invoice-related documents

Detection direction

Validate that email and document management telemetry can be correlated by user, vendor, mailbox, attachment, and document/template identity.
Build detections around combinations of weak signals rather than single keywords: payment-change language plus attachment delivery, vendor impersonation plus invoice theme, or unusual invoice-template edits plus external sharing.
Tune false positives for legitimate finance operations such as vendor bank-detail updates, scheduled invoice template revisions, mass invoicing, and third-party billing platforms.
Review blind spots where content inspection is limited by privacy rules, encrypted attachments, unmanaged mail clients, external collaboration links, or incomplete document audit logging.
Ensure alerts route to a workflow that can pause or verify payment activity; a technically accurate alert has limited value if finance cannot act before release of funds.

Mitigation priorities

Confirm that Office Suite email and document audit logging is enabled and retained long enough to support fraud investigations.
Strengthen finance process controls for vendor payment changes, including out-of-band verification and approval separation where applicable.
Restrict and monitor who can edit invoice templates or shared billing documents, especially templates used across departments or vendor workflows.
Define SOC-to-finance escalation procedures for suspected BEC or invoice fraud so detection can lead to timely payment holds or verification.
Use incident response playbooks that preserve email, attachment, document history, and related identity activity for legal, audit, and recovery needs.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and has no tactics or relationship context. The strongest defensive interpretation is therefore control validation: confirm that email, document management, identity, and finance-process evidence can be joined to investigate suspected invoice fraud or BEC-style payment redirection in Office Suite environments.

Official detection logic is not provided, and no relationships, groups, software, campaigns, procedures, or mitigations are supplied. This take should not be read as evidence of active exploitation, attribution, guaranteed coverage, or applicability beyond Office Suite platforms. Local legal, privacy, finance workflow, and telemetry constraints will determine feasible detection depth.

Official MITRE ATT&CK definition

Analytic 1365

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: a0624e900e2bfe4f...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`a0624e900e2b…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1365
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use