MITRE ATT&CK® Analytic

AN1913: Analytic 1913

Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[1] For added context on adversary procedures and background see Spearphishing Attachment. Monitor for newly constructed files from spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content. Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.[2][3] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.

Domain: ICS | Object: AN1913 (Analytic) | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1913 is a detection analytic focused on early warning signs that a malicious email attachment has moved from inbox delivery into endpoint execution. Its business value is in validating whether the organization can connect email security evidence, attachment/file creation, Office or productivity-software child processes, command-line activity, network traffic, and anti-spoofing results into one defensible investigation path.

Executive priority

Prioritize this analytic as a control-validation question: can the business prove that suspicious attachments, spoofed sender indicators, and abnormal post-open execution are visible quickly enough to support containment decisions? This matters for incident response readiness, email security governance, audit evidence around SPF/DKIM-style controls, and reducing disruption from phishing-driven initial access scenarios referenced by ATT&CK as Spearphishing Attachment.

Technical view

SOC and detection teams should validate correlation across mail/proxy logs, web proxy inspection, anti-virus or attachment scan results, endpoint process telemetry, command-line telemetry, and network connections initiated by files or applications that do not normally communicate over those protocols. The description specifically calls out suspicious descendant processes from Microsoft Office and other productivity software, newly constructed files associated with spearphishing attachments, suspicious email attachments in network traffic, and sender spoofing evidence such as failed DKIM/SPF validation or mismatched headers.
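The mail-side checks named in this view (failed SPF/DKIM validation, mismatched headers, attachment review) can be exercised against a raw message directly. The Python below is an added example, not MITRE's or Glexia's code: it parses a constructed message with the standard library, reads the Authentication-Results header for SPF/DKIM/DMARC verdicts, compares the From, Return-Path and Reply-To domains, and inventories attachments against a hypothetical risky-extension set. The sample messages, the extension list and the evidence strings are assumptions chosen for the illustration.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Hypothetical local list of attachment extensions worth a second look
# (assumption, tune to the environment; not from ATT&CK or Glexia).
RISKY_ATTACHMENT_EXT = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta",
                        ".iso", ".lnk", ".exe", ".scr"}

# Constructed sample message: SPF/DKIM/DMARC all failed, the visible From:
# domain differs from the Return-Path domain, Reply-To points elsewhere,
# and a macro-enabled document is attached.
SPOOFED_EML = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=fail header.d=example.com; dmarc=fail
From: "Accounts Payable" <ap@example.com>
Reply-To: <invoices@example.net>
To: <user@example.com>
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed clean message for contrast: authentication passed, domains agree.
CLEAN_EML = """\
Return-Path: <hr@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: HR <hr@example.com>
To: <user@example.com>
Subject: Holiday calendar
Content-Type: text/plain

See the intranet page.
"""


def parse_auth_results(value):
    """Pull method=result pairs (spf, dkim, dmarc) out of Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def assess_message(raw):
    """Return the spoofing indicators and attachment inventory for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_dom = domain_of(msg.get("From"))
    return_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom

    indicators = []
    # Any authentication verdict other than pass is retained as evidence.
    for mech in ("spf", "dkim", "dmarc"):
        if mech in auth and auth[mech] != "pass":
            indicators.append(f"{mech}={auth[mech]}")
    # Header mismatches: envelope sender vs visible From, and Reply-To vs From.
    if return_dom and return_dom != from_dom:
        indicators.append(f"return-path domain {return_dom} != from domain {from_dom}")
    if reply_dom != from_dom:
        indicators.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        attachments.append({"name": name, "risky": ext in RISKY_ATTACHMENT_EXT})

    return {"from_domain": from_dom, "auth": auth,
            "indicators": indicators, "attachments": attachments}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("clean", CLEAN_EML)):
        print(label, assess_message(raw))
```

The point of returning a structured record rather than a boolean is that each indicator (failed mechanism, domain mismatch, risky attachment) can be stored with the message and joined later to endpoint evidence, which is what the correlation this page calls for depends on.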

Likely telemetry

  • Mail server logs, including sender, header, attachment, and delivery metadata
  • Proxy or web security logs capable of reviewing email content, headers, and attachments where available
  • Email authentication results such as SPF, DKIM, and anti-spoofing validation outcomes
  • Endpoint process creation events showing parent-child relationships from Office or productivity software
  • Command-line arguments for anomalous process execution

Detection direction

  • Validate that Office and productivity-software child process detections are tuned for suspicious descendants rather than alerting on every legitimate automation or helper process.
  • Correlate attachment delivery, file creation, process execution, command line, and network activity to reduce false positives and improve triage confidence.
  • Review whether spoofing indicators, including failed DKIM/SPF validation and mismatched headers, are retained and searchable during investigations.
  • Test whether proxy and mail telemetry can support attachment-focused investigations without depending on a single control layer such as anti-virus.
  • Identify blind spots where email logs, endpoint process telemetry, or network logs are not linked by user, host, file, message, or time window.
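The detection direction above is a single procedure: flag Office descendants outside a local baseline, then join them to attachment file creation, the delivering message and its spoofing indicators, and outbound connections by the child, all linked by host, user, file name and time window. The Python below is an added example that is not MITRE's or Glexia's code; it runs that correlation over constructed telemetry records. The parent/child baselines, field names, hosts, users and the scoring are assumptions for the illustration, not published detection content.

```python
from datetime import datetime, timedelta

# Hypothetical local baseline (assumption, not from ATT&CK or Glexia):
# productivity parents to watch, children rarely legitimate under them,
# and helper children the baseline treats as expected.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe", "msosync.exe"}

T0 = datetime(2024, 11, 17, 9, 0)


def ts(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed sample telemetry: one spearphishing-style sequence for user
# alice on HOST1, plus benign noise that the correlation must not flag.
MAIL_LOG = [
    {"ts": ts(0), "msg_id": "<m1@example.net>", "rcpt_user": "alice", "from_domain": "example.com",
     "return_path_domain": "example.net", "spf": "fail", "dkim": "fail", "attachment": "invoice.docm"},
    {"ts": ts(2), "msg_id": "<m2@example.com>", "rcpt_user": "bob", "from_domain": "example.com",
     "return_path_domain": "example.com", "spf": "pass", "dkim": "pass", "attachment": "agenda.docx"},
]
FILE_EVENTS = [
    {"ts": ts(5), "host": "HOST1", "user": "alice", "process": "outlook.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\invoice.docm"},
    {"ts": ts(6), "host": "HOST2", "user": "bob", "process": "outlook.exe",
     "path": r"C:\Users\bob\Downloads\agenda.docx"},
]
PROCESS_EVENTS = [
    {"ts": ts(7), "host": "HOST1", "user": "alice", "parent_image": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc UEFZTE9BRA=="},
    {"ts": ts(8), "host": "HOST2", "user": "bob", "parent_image": "winword.exe",
     "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"},  # expected helper
    {"ts": ts(9), "host": "HOST3", "user": "carol", "parent_image": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},  # not an Office parent
]
NETWORK_EVENTS = [
    {"ts": ts(8), "host": "HOST1", "image": "powershell.exe", "dest": "203.0.113.10", "port": 443},
]


def suspicious_office_children(process_events):
    """Step 1: productivity parent spawning a child outside the local baseline."""
    return [e for e in process_events
            if e["parent_image"].lower() in OFFICE_PARENTS
            and e["image"].lower() not in EXPECTED_CHILDREN]


def _within(a, b, window):
    return abs(a - b) <= window


def correlate(process_events, file_events, mail_log, network_events,
              window=timedelta(minutes=30)):
    """Steps 2-5: join each flagged child to attachment file creation, the
    delivering message and its spoofing indicators, and outbound connections
    by the child image, all for the same host/user inside the time window."""
    findings = []
    for proc in suspicious_office_children(process_events):
        child = proc["image"].lower()
        f = {"host": proc["host"], "user": proc["user"], "process": child,
             "cmdline": proc["cmdline"], "score": 1,
             "evidence": [f'{proc["parent_image"]} -> {child}']}
        if child in SUSPICIOUS_CHILDREN:
            f["score"] += 1
        for fe in file_events:
            if not (fe["host"] == proc["host"] and fe["user"] == proc["user"]
                    and fe["ts"] <= proc["ts"] and _within(fe["ts"], proc["ts"], window)):
                continue
            name = fe["path"].rsplit("\\", 1)[-1].lower()
            f["evidence"].append(f"file created by {fe['process']}: {name}")
            f["score"] += 1
            for m in mail_log:
                if (m["rcpt_user"] == proc["user"] and m["attachment"].lower() == name
                        and _within(m["ts"], fe["ts"], window)):
                    f["evidence"].append(f"attachment delivered in {m['msg_id']}")
                    f["score"] += 1
                    spoof = [k for k in ("spf", "dkim") if m[k] != "pass"]
                    if m["from_domain"] != m["return_path_domain"]:
                        spoof.append("header-mismatch")
                    if spoof:
                        f["evidence"].append("spoofing indicators: " + ",".join(spoof))
                        f["score"] += 1
        for ne in network_events:
            if (ne["host"] == proc["host"] and ne["image"].lower() == child
                    and ne["ts"] >= proc["ts"] and _within(ne["ts"], proc["ts"], window)):
                f["evidence"].append(f"outbound {ne['dest']}:{ne['port']} from {child}")
                f["score"] += 1
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in correlate(PROCESS_EVENTS, FILE_EVENTS, MAIL_LOG, NETWORK_EVENTS):
        print(finding)
```

Only the HOST1 sequence produces a finding: the expected helper under winword.exe on HOST2 is excluded by the baseline, and the PowerShell launch on HOST3 has no productivity parent. The evidence list on the finding doubles as the "single investigation path" the Glexia take asks for, and any join that comes back empty (no file, no message, no network event) shows exactly which telemetry link is missing.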

Mitigation priorities

  • Ensure email authentication and anti-spoofing controls are configured and produce auditable logs.
  • Maintain attachment scanning at the email server and endpoint where applicable.
  • Prioritize endpoint visibility for process parent-child relationships, command lines, file creation, and network connections.
  • Build SOC playbooks that join email, proxy, endpoint, and anti-virus evidence for suspected malicious attachments.
  • Use local baselines for productivity software behavior to distinguish expected business workflows from anomalous execution patterns.

Analyst notes and limits

The supplied ATT&CK object is an ICS-domain detection analytic, but it does not specify platforms, tactics, or relationships. The strongest supported interpretation is a cross-telemetry detection strategy for spearphishing attachment activity and suspicious post-attachment execution, especially Office or productivity-software descendant processes and email spoofing evidence.

Official detection content is not provided, and no relationship context, platforms, or tactics are supplied. Local validation is required to determine which email systems, proxies, endpoint sensors, anti-virus tools, and logging pipelines can actually provide the evidence described.

Official MITRE ATT&CK definition

The analytic text quoted at the top of this page is the official MITRE definition. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b7b771017659a029...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  b7b771017659…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Elastic. Retrieved November 17, 2024.
  2. [2] Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  3. [3] Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  4. [4] MITRE ATT&CK. AN1913 (mitre-attack source object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.