MITRE ATT&CK® Analytic

AN1997: Analytic 1997

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[1][2] Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise · AN1997 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN1997 is a detection analytic focused on finding unusual communications before they become accepted as normal: uncommon network flows, processes that unexpectedly communicate over the network, suspicious email sender patterns, spoofing indicators, and protocol traffic that does not match expected structure or flow. For leaders, its value is in validating whether the organization can spot abnormal inbound or internal communications early enough to support SOC triage and incident response decisions.

Executive priority

Prioritize this analytic as a coverage validation question rather than a single rule: do security teams have enough network, email, authentication-adjacent, and endpoint context to distinguish normal business communication from unusual sender behavior or anomalous traffic? This matters for resilience because weak visibility into spoofed email, new network talkers, or malformed protocol activity can delay investigation and make audit evidence for monitoring controls harder to produce.

Technical view

SOC and detection teams should validate, within the PRE platform context that ATT&CK assigns to this analytic, whether they can monitor four things: uncommon data flows; suspicious email activity such as many accounts receiving messages from an unusual or unknown sender; DKIM/SPF or header-analysis results that may indicate spoofing; and protocol traffic that deviates from expected standards or flow behavior. Where available, correlate network observations with process monitoring and command-line data to determine whether an anomalous process or file is initiating unexpected communications.

Likely telemetry

  • Network flow records showing source, destination, ports, protocols, volume, and first-seen or rare communication patterns
  • Packet or protocol inspection metadata for malformed, gratuitous, extraneous, or structurally anomalous traffic
  • Email security logs showing sender, recipient distribution, header analysis, DKIM/SPF results, and spoofing verdicts
  • Endpoint process telemetry showing processes initiating network connections
  • Command-line telemetry associated with processes that generate unusual network activity

Detection direction

  • Baseline normal network communications so rare or never-before-seen process-to-network behavior can be reviewed without overwhelming analysts.
  • Tune for unusual sender-to-many-recipient email patterns, especially where sender identity is unknown or inconsistent with DKIM, SPF, or header analysis.
  • Correlate protocol anomalies with process and command-line context to reduce false positives from benign scanners, misconfigured applications, or unusual but authorized business tools.
  • Validate visibility gaps: encrypted traffic, limited packet inspection, missing email-header retention, and lack of endpoint process-to-connection linkage can materially weaken this analytic.
  • Because ATT&CK provides no separate official detection logic, treat this as a detection-engineering design requirement rather than a ready-to-deploy rule.
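The following Python script is an added illustration of the detection direction above and of the Technical view section; it is not code from MITRE or Glexia, and ATT&CK itself ships no detection logic for AN1997. It runs three checks over constructed sample records: a baseline of process-to-network talkers so a never-seen process/port/protocol combination can be surfaced, a parser for a simple key=value email-gateway log, and a sender-to-many-recipient check that also collects the SPF, DKIM and header-versus-envelope spoofing indicators the analytic names. Every log line, host name, process, address and the known-good sender list is constructed for the example; the log format and field names are assumptions, not any product's real schema.

```python
# Added example (not MITRE or Glexia code): baseline-and-anomaly checks for the
# behaviours AN1997 describes, run over constructed sample telemetry.
from collections import defaultdict

# Constructed endpoint telemetry: each record links a process and its command line to
# one outbound connection. BASELINE_CONNS stands in for a learning window; TODAY_CONNS
# for the window being reviewed. Addresses are documentation ranges.
BASELINE_CONNS = [
    {"process": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default",
     "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"process": "outlook.exe", "cmdline": "outlook.exe",
     "dst": "203.0.113.20", "dport": 443, "proto": "tcp"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k NetworkService",
     "dst": "203.0.113.30", "dport": 53, "proto": "udp"},
]
TODAY_CONNS = [
    {"process": "outlook.exe", "cmdline": "outlook.exe",
     "dst": "203.0.113.20", "dport": 443, "proto": "tcp"},
    {"process": "winword.exe", "cmdline": "winword.exe /n quarterly-report.docx",
     "dst": "198.51.100.5", "dport": 8443, "proto": "tcp"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k NetworkService",
     "dst": "203.0.113.30", "dport": 53, "proto": "udp"},
]

# Constructed email-gateway log lines (assumed key=value format): envelope sender,
# header From, recipient and the gateway's SPF/DKIM verdicts.
EMAIL_LOG = [
    "env_from=news@vendor.example hdr_from=news@vendor.example rcpt=alice@corp.example spf=pass dkim=pass",
    "env_from=news@vendor.example hdr_from=news@vendor.example rcpt=bob@corp.example spf=pass dkim=pass",
    "env_from=news@vendor.example hdr_from=news@vendor.example rcpt=carol@corp.example spf=pass dkim=pass",
    "env_from=bounce@mail-relay.example hdr_from=payroll@corp.example rcpt=alice@corp.example spf=fail dkim=none",
    "env_from=bounce@mail-relay.example hdr_from=payroll@corp.example rcpt=bob@corp.example spf=fail dkim=none",
    "env_from=bounce@mail-relay.example hdr_from=payroll@corp.example rcpt=carol@corp.example spf=fail dkim=none",
    "env_from=bounce@mail-relay.example hdr_from=payroll@corp.example rcpt=dave@corp.example spf=fail dkim=none",
    "env_from=partner@supplier.example hdr_from=partner@supplier.example rcpt=alice@corp.example spf=pass dkim=pass",
]
# Constructed "documented known-good senders" list (see Mitigation priorities).
KNOWN_SENDERS = {"news@vendor.example"}


def parse_email_line(line):
    """Parse one 'key=value key=value ...' gateway log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def baseline_talkers(conns):
    """Set of (process, destination port, protocol) combinations seen in the baseline."""
    return {(c["process"], c["dport"], c["proto"]) for c in conns}


def new_network_talkers(baseline, conns):
    """Connections whose process/port/protocol combination never appeared in the baseline.
    The command line is kept on each hit so an analyst has triage context."""
    return [c for c in conns if (c["process"], c["dport"], c["proto"]) not in baseline]


def spoofing_indicators(email):
    """Per-message spoofing signals: SPF or DKIM not 'pass', and a header From domain
    that differs from the envelope sender domain (header analysis)."""
    indicators = []
    for check in ("spf", "dkim"):
        verdict = email.get(check, "none")
        if verdict != "pass":
            indicators.append(f"{check}:{verdict}")
    env_domain = email["env_from"].rsplit("@", 1)[-1]
    hdr_domain = email["hdr_from"].rsplit("@", 1)[-1]
    if env_domain != hdr_domain:
        indicators.append(f"header-from {hdr_domain} != envelope {env_domain}")
    return indicators


def suspicious_senders(emails, known_senders, min_recipients=3):
    """Senders not on the known-good list that reached at least min_recipients distinct
    recipients, with the union of spoofing indicators seen across their messages."""
    recipients = defaultdict(set)
    indicators = defaultdict(set)
    for e in emails:
        sender = e["hdr_from"]
        recipients[sender].add(e["rcpt"])
        indicators[sender].update(spoofing_indicators(e))
    return [
        {"sender": s, "recipients": len(r), "indicators": sorted(indicators[s])}
        for s, r in recipients.items()
        if s not in known_senders and len(r) >= min_recipients
    ]


def run_report():
    """Print both checks; returns nothing, the functions above hold the results."""
    for hit in new_network_talkers(baseline_talkers(BASELINE_CONNS), TODAY_CONNS):
        print(f"NEW TALKER  {hit['process']} -> {hit['dst']}:{hit['dport']}/{hit['proto']}  cmd: {hit['cmdline']}")
    emails = [parse_email_line(line) for line in EMAIL_LOG]
    for hit in suspicious_senders(emails, KNOWN_SENDERS):
        print(f"SENDER      {hit['sender']} reached {hit['recipients']} recipients; {', '.join(hit['indicators'])}")


if __name__ == "__main__":
    run_report()
```

Run as a script it reports one new talker (the document editor opening an outbound connection on a port it never used in the baseline) and one sender (an unknown header From reaching four mailboxes with SPF failure, no DKIM and a header/envelope domain mismatch); the known vendor sender and the single-recipient partner message are not reported. Keying the baseline on process, port and protocol is a deliberate simplification: in production the baseline would also carry first-seen timestamps and destination sets per process, and the thresholds (`min_recipients`, the known-sender list) are exactly the local tuning the Analyst notes say this analytic depends on.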

Mitigation priorities

  • Confirm email anti-spoofing controls and policy evidence are in place, including SPF/DKIM-informed handling where applicable to the environment.
  • Strengthen network monitoring coverage for uncommon flows and protocol anomalies before relying on alerting outcomes.
  • Ensure endpoint telemetry can link network connections to processes and command lines for investigation context.
  • Document known-good business senders, applications, and network flows to support tuning and reduce alert fatigue.
  • Use incident response playbooks that triage unusual email campaigns and anomalous network flows with clear escalation criteria.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and no ATT&CK relationships were supplied. The description combines network anomaly monitoring, email spoofing/sender-pattern analysis, protocol inspection, and endpoint correlation. Local baselines are essential because the analytic depends heavily on what is normal for the organization.

Official detection content is not provided, tactics are not specified, and no related techniques, groups, software, mitigations, or data components were supplied. The platform is listed only as PRE, so broader platform claims should not be inferred. Effectiveness depends on local telemetry quality, baselining maturity, and email/network inspection capabilities.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 353d3de9efff5b59...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 353d3de9efff…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Microsoft Anti Spoofing: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  [2] ACSC Email Spoofing: Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
  [3] mitre-attack AN1997.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.