MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Email Manipulation

Modify the flow or contents of email.

Email flow manipulation includes changing which mail appliances process mail flows, to which systems they forward mail, or moving mail after it arrives in an inbox. Email content manipulation includes altering the contents of an email message.

ID: DTE0019
Tactics:  Collect Detect Disrupt


DOS0017 A phishing email can be detected and blocked from arriving at the intended recipient.

Use Cases

DUC0015 A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.


DPR0036 Modify the destination of inbound email to facilitate the collection of inbound spearphishing messages.
DPR0064 Modify the contents of an email message to maintain continuity when it is used for adversary engagement purposes.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1566 Phishing Initial Access