AN0019: Analytic 0019
Login to M365 or Google Workspace from CLI tools or unexpected source IPs, followed by mailbox or document access
Analyst context for executives and security teams
This analytic matters because it focuses on a common business-risk pattern in cloud office suites: a login to Microsoft 365 or Google Workspace from a command-line tool or unexpected source IP, followed by access to mailboxes or documents. For executives and security leaders, the decision value is whether the organization can quickly distinguish legitimate automation, admin activity, or travel from suspicious access to sensitive communications and files.
Executive priority
Prioritize this as a cloud identity and SaaS visibility question: can the business prove who accessed mail and documents, from where, using what client/tooling, and what they touched afterward? The answer supports incident triage, audit evidence, and resilience planning for email and document platforms that often contain sensitive operational, legal, financial, and customer data.
Technical view
SOC and detection teams should validate whether Office Suite telemetry can correlate authentication events to subsequent mailbox or document access. The analytic scope is limited to Microsoft 365 or Google Workspace-style activity from CLI tools or unexpected source IPs followed by access to mailboxes or documents. Because no official detection logic is provided, teams should define local baselines for expected source IP ranges, approved automation, service accounts, admin tooling, and normal access patterns before alerting on deviations.
Likely telemetry
- Cloud office suite sign-in logs for Microsoft 365 or Google Workspace
- Client application or user-agent indicators showing CLI or nonstandard tooling where available
- Source IP address, geolocation, ASN, and network context for authentication events
- Mailbox access audit logs
- Document/file access audit logs
Detection direction
- Correlate suspicious or unexpected Office Suite login characteristics with later mailbox or document access rather than treating sign-in anomalies alone as conclusive.
- Maintain allowlists or baselines for approved CLI-based administration, synchronization, automation, and service accounts to reduce false positives.
- Define what counts as an unexpected source IP using organization-specific context such as corporate egress ranges, VPNs, managed devices, cloud automation locations, and known partner access.
- Tune for sequence and proximity: login event first, followed by mailbox or document access within a defensible time window.
- Check for telemetry gaps where user-agent, client application, source IP, or file/mailbox audit data is missing or delayed.
Mitigation priorities
- Ensure audit logging is enabled and retained for cloud office sign-ins, mailbox access, and document access.
- Inventory approved CLI tools, automation workflows, service accounts, and administrative access paths for Office Suite environments.
- Harden identity controls around cloud office access, especially for accounts with mailbox, document, or administrative privileges.
- Review conditional access or equivalent access policies so unexpected networks, unmanaged contexts, or nonstandard clients receive appropriate scrutiny.
- Document response playbooks for suspicious SaaS login followed by content access, including account review, session investigation, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique. It names Office Suite as the platform and describes a behavioral sequence involving M365 or Google Workspace login from CLI tools or unexpected source IPs followed by mailbox or document access. No relationships, tactics, aliases, or official detection text were supplied, so the practical value is in validating telemetry correlation and local definitions of expected versus unexpected access.
This take is constrained to the official supplied fields and external reference. It does not assert active exploitation, attribution, impact, or guaranteed detectability. Local environment details are required to define approved CLI usage, expected source IPs, normal document/mailbox access, and acceptable false-positive thresholds.
Analytic 0019
Login to M365 or Google Workspace from CLI tools or unexpected source IPs, followed by mailbox or document access
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f4c34711b01e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0019Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.