DET0192: Detection Strategy for Email Hiding Rules
Analyst context for executives and security teams
This detection strategy is tied to Email Hiding Rules, a stealth behavior where adversaries may create or modify mailbox rules to move, mark read, or delete incoming messages in a compromised user’s mailbox. For leaders, the practical issue is not just email misuse; it is loss of visibility during an incident. Hidden security alerts, password reset messages, financial approvals, or response communications can delay containment and create audit questions about whether mailbox activity was monitored.
Executive priority
Prioritize this as an identity, email security, and incident-response readiness issue. Executives should ask whether the organization can quickly prove who created or changed mailbox rules, when it happened, and whether suspicious rules affected business-critical users. Because the ATT&CK detection strategy object provides no official detection text, coverage should be validated locally rather than assumed from the existence of an ATT&CK entry.
Technical view
Validate monitoring around the related technique T1564.008, Email Hiding Rules, which applies to Office Suite environments and may involve Windows, Linux, or macOS clients. SOC and IR teams should focus on mailbox rule creation and modification events, especially rules that move messages to unusual folders, mark messages as read, delete messages, or otherwise reduce user visibility. Where available, review administrative or scripting-based rule changes, including activity consistent with mailbox-rule management through PowerShell cmdlets referenced by the related technique.
Likely telemetry
- Mailbox audit logs for inbox rule creation, modification, deletion, and execution
- Email platform administrative audit logs
- Identity and sign-in logs for the affected mailbox owner and administrators
- Endpoint or command telemetry where mailbox rules may be managed from clients or scripts
- Message trace or mail-flow evidence showing messages moved, deleted, or not visible in the inbox
Detection direction
- Inventory which email platforms and mailbox types actually produce mailbox-rule audit events and whether those logs are retained long enough for investigations.
- Tune for suspicious rule properties such as auto-delete, mark-as-read, forwarding or moving security-related messages, or rules created soon after unusual account access.
- Correlate mailbox rule changes with identity events, including new device, unusual location, or administrative access, to reduce false positives from legitimate user-created rules.
- Validate visibility into rule changes made through clients, administrative consoles, and scripting interfaces; do not assume one logging source covers all paths.
- Create investigation procedures for high-value mailboxes, executives, finance, help desk, and incident-response accounts where hidden email can materially affect business operations.
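The detection direction above (suspicious rule properties, correlation with identity events, and rule changes made on other users' mailboxes) can be turned into a small triage routine. The following is an added example written for this page, not code from the ATT&CK object or from Glexia. It assumes a simplified JSON record schema (operation, actor, mailbox, time, parameters) as a constructed stand-in for a real mailbox audit log; only the parameter names (DeleteMessage, MarkAsRead, MoveToFolder, ForwardTo, SubjectContainsWords, BodyContainsWords) mirror the Exchange Online New-InboxRule and Set-InboxRule cmdlet parameters. The keyword and folder watch lists, the score weights, the six-hour correlation window and the example.test addresses are all assumptions to be tuned locally.

```python
"""Triage constructed mailbox-rule audit events for email-hiding behaviour.

Added example, not code from the ATT&CK object or this page. The record schema
is a simplified, assumed stand-in for a real mailbox audit log; the parameter
names mirror the Exchange Online New-InboxRule / Set-InboxRule parameters.
"""
import json
from datetime import datetime, timedelta
from typing import Optional

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Assumed watch lists: tune to the organisation's own alert senders and folders.
SECURITY_KEYWORDS = ("password", "security", "alert", "verify", "invoice", "payment", "suspicious")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed sample data (not real telemetry): one benign rule, one classic
# hiding rule created after a risky sign-in, one admin-set rule on another mailbox.
CONSTRUCTED_RULE_EVENTS = [
    '{"time": "2026-03-02T07:55:00+00:00", "operation": "Set-InboxRule", "actor": "alice@example.test", '
    '"mailbox": "alice@example.test", "parameters": {"Name": "Newsletters", '
    '"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"}}',
    '{"time": "2026-03-02T08:52:00+00:00", "operation": "New-InboxRule", "actor": "bob@example.test", '
    '"mailbox": "bob@example.test", "parameters": {"Name": ".", '
    '"SubjectContainsWords": ["password", "security alert"], "DeleteMessage": true, "MarkAsRead": true}}',
    '{"time": "2026-03-02T09:10:00+00:00", "operation": "New-InboxRule", "actor": "helpdesk-admin@example.test", '
    '"mailbox": "carol@example.test", "parameters": {"Name": "cleanup", '
    '"BodyContainsWords": ["invoice"], "MarkAsRead": true, "MoveToFolder": "RSS Subscriptions"}}',
]
CONSTRUCTED_SIGNINS = [
    '{"time": "2026-03-02T07:30:00+00:00", "user": "alice@example.test", "risky": false}',
    '{"time": "2026-03-02T08:15:00+00:00", "user": "bob@example.test", "risky": true}',
]


def parse_event(line: str) -> dict:
    """Parse one JSON audit line and turn its ISO-8601 timestamp into a datetime."""
    event = json.loads(line)
    event["time"] = datetime.fromisoformat(event["time"])
    return event


def score_rule(params: dict) -> tuple[int, list[str]]:
    """Weight the rule properties that reduce the mailbox owner's visibility."""
    score, reasons = 0, []
    if params.get("DeleteMessage"):
        score += 3
        reasons.append("deletes matching messages")
    if params.get("MarkAsRead"):
        score += 2
        reasons.append("marks matching messages as read")
    if (params.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves messages to rarely viewed folder {params['MoveToFolder']!r}")
    if params.get("ForwardTo"):
        score += 2
        reasons.append("forwards matching messages")
    words = params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])
    if any(key in w.lower() for w in words for key in SECURITY_KEYWORDS):
        score += 2
        reasons.append("matches security or finance keywords")
    if len(params.get("Name", "").strip()) <= 1:
        score += 1
        reasons.append("blank or single-character rule name")
    return score, reasons


def risky_signin_before(event: dict, signins: list[dict],
                        window: timedelta = timedelta(hours=6)) -> Optional[dict]:
    """Return a risky sign-in by the mailbox owner within `window` before the rule change."""
    for signin in signins:
        if signin["user"] != event["mailbox"] or not signin["risky"]:
            continue
        if timedelta(0) <= event["time"] - signin["time"] <= window:
            return signin
    return None


def triage(rule_lines: list[str], signin_lines: list[str], threshold: int = 4) -> list[dict]:
    """Score each rule creation/modification; keep findings at or above `threshold`."""
    signins = [parse_event(line) for line in signin_lines]
    findings = []
    for line in rule_lines:
        event = parse_event(line)
        if event["operation"] not in RULE_OPERATIONS:
            continue
        score, reasons = score_rule(event["parameters"])
        if event["actor"] != event["mailbox"]:  # privileged change on someone else's mailbox
            score += 2
            reasons.append(f"rule set by {event['actor']} on another user's mailbox")
        signin = risky_signin_before(event, signins)
        if signin is not None:
            score += 2
            reasons.append(f"risky sign-in at {signin['time'].isoformat()} shortly before the change")
        if score >= threshold:
            findings.append({"mailbox": event["mailbox"], "operation": event["operation"],
                             "rule": event["parameters"].get("Name", ""), "score": score,
                             "reasons": reasons, "correlated_signin": signin is not None})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_RULE_EVENTS, CONSTRUCTED_SIGNINS):
        print(f"{f['score']:>2}  {f['mailbox']}  {f['operation']}  rule={f['rule']!r}  {'; '.join(f['reasons'])}")
```

Run as written, the benign "Newsletters" rule scores 0 and is dropped, while the delete-and-mark-read rule created minutes after a risky sign-in and the admin-set rule moving invoice mail into an RSS folder surface at the top. In production the same scoring would be fed from the platform's real audit and sign-in sources (see "Likely telemetry" above), and the threshold would be set per mailbox tier so that executive and finance mailboxes trigger review at a lower score.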
Mitigation priorities
- Ensure mailbox auditing and administrative audit logging are enabled and retained for investigation and compliance needs.
- Limit and monitor privileged ability to manage mailbox rules across users.
- Use identity controls such as strong authentication and conditional access where available to reduce the likelihood of mailbox compromise.
- Establish review processes for unusual or high-risk inbox rules on sensitive accounts.
- Include mailbox-rule review in incident-response playbooks for suspected account compromise.
Analyst notes and limits
The supplied ATT&CK detection strategy object has no official description, detection text, tactics, or platforms of its own. The practical guidance is derived from its explicit relationship to T1564.008 Email Hiding Rules and that related technique’s supplied description, tactics, and platforms.
This take does not assert active exploitation, actor attribution, customer exposure, or guaranteed detection coverage. Local email platform capabilities, audit configuration, retention, and identity telemetry determine whether this behavior can be detected or investigated.
Detection Strategy for Email Hiding Rules
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.008 | Email Hiding Rules (sub-technique) | This object detects Email Hiding Rules. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 97c84cc0fb1d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0192
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.