How Email Security Can Align to the MITRE ATT&CK Framework

In our previous post, What is the MITRE ATT&CK Matrix, we explained what the matrix is and how it should be used to understand the documented adversarial techniques and tactics that cyber-criminals and attackers use during a cyber-attack. The MITRE ATT&CK Matrix is often used to assess cyber-risks and companies can actually go further in their security approach by addressing the attack ranges in the matrix.

In this post, we will discuss how GreatHorn leverages email security to address the MITRE ATT&CK Framework. Having an effective email security plan in place, organizations can do much more than simply control phishing attacks.

Below is a subset of areas where GreatHorn offers email security solutions and capabilities that provide compensating controls against the techniques and tactics within the MITRE ATT&CK Framework. For ease, we’ve included descriptions of the characteristics of the attack as well as common mitigations adapted from the matrix.

Matrix Category: Reconnaissance

Attack Type: Phishing for Information


  • Attackers send emails to users to elicit sensitive information.
  • Phishing typically leverages social engineering – such as masquerading as someone with a legitimate reason to collect data – to gain user trust.
  • The goal is to trick targets into divulging information such as user credentials.
  • Phishing that targets a specific individual is called “spear phishing.”

Common Mitigations

  • User training– Teaches users to recognize social engineering and phishing emails

GreatHorn Protections

GreatHorn Mailbox Intelligence can inform users of the likelihood that the sender or the sender’s organization is authentic. We can also alert users of suspicious email content or automatically quarantine suspicious email. These controls can be customized to reflect each organization’s risk appetite.

Matrix Category: Initial Access

Attack Type: Phishing


  • Attackers send emails to users to solicit sensitive information or gain access to systems.
  • Emails typically contain malicious links or attachments that execute malicious code or capture credentials such as passwords.
  • Spear phishing targets specific individuals.
  • Phishing can also be carried out through social media.

Common Mitigations

  • Antivirus (AV) software– Automatically quarantines suspicious files
  • Network-intrusion prevention– Scans and removes malicious attachments and blocks suspicious links
  • Restriction of web content– Blocks access to websites and attachment types, such as .exe and .scr, determined not to be necessary for business operations
  • User training– Teaches users to recognize social engineering and phishing emails

GreatHorn Protections

GreatHorn delivers multiple layers of phishing detection, including message-header analysis, relationship analysis, file scanning and link rewriting. Because phishing primarily uses links, we offer multiple layers of link-focused defenses. We analyze links against proprietary and third-party threat intelligence on delivery and again on user click. On user click, we inspect the destination website with machine vision to detect credential-harvesting forms.

Matrix Category: Persistence

Attack Type: Account Manipulation


  • Attackers that already have access to victim accounts modify credentials or permission groups to maintain access to victim systems.
  • Actions are typically designed to subvert security policies, such as iteratively updating passwords to bypass password-duration rules.

Common Mitigations

  • Multifactor authentication– Requires multiple forms of verification for user and privileged accounts
  • Network segmentation– Configures access controls and firewalls to limit access to crucial systems and domain controllers
  • Operating-system (OS) configuration– Protects domain controllers by setting crucial servers to limit access by potentially unnecessary protocols and services
  • Privileged-account management– Prevents domain-administrator accounts from being used for day-to-day operations

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly home in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten-password emails, and one-time-use tokens or sign-in links that many systems use to restore user access.

GreatHorn can further mitigate risk across 10 techniques.  To learn how effective email security can address the various attack types in the MITRE ATT&CK Framework, download the whitepaper: Defending Against More Than Phishing Attacks.

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.