AN0028: Analytic 0028
Correlates Power Automate or similar logic app workflows triggered by SaaS file uploads or email rules with data forwarding or anomalous access patterns.
Analyst context for executives and security teams
This analytic matters because SaaS automation can quietly move data when file uploads, email rules, or workflow triggers are abused or misconfigured. For leaders, the decision point is whether cloud and SaaS monitoring can connect automation activity to unusual forwarding or access behavior before it becomes a data governance, incident response, or compliance problem.
Executive priority
Prioritize this where the business relies on SaaS platforms, shared file repositories, email, and low-code workflow automation. Security leaders should ask whether SaaS workflow creation, file-upload triggers, email-rule changes, data forwarding, and anomalous access are logged centrally and reviewable during an incident. The value is not a single alert; it is proving that the organization can trace automated data movement across SaaS services and support audit or breach-assessment decisions.
Technical view
AN0028 is a SaaS-focused detection analytic that correlates Power Automate or similar logic-app workflows triggered by SaaS file uploads or email rules with downstream data forwarding or anomalous access patterns. SOC and detection teams should validate whether SaaS audit logs, workflow/run history, email rule events, file activity, forwarding events, and access telemetry can be joined by user, application, workflow, file, mailbox, timestamp, and destination. No ATT&CK tactic or separate official detection logic is supplied, so implementation must be based on local SaaS telemetry and normal automation baselines.
Likely telemetry
- SaaS audit logs for workflow or logic-app creation, modification, trigger execution, and run history
- File upload, file access, file sharing, and file download events from SaaS repositories
- Email rule creation or modification events, especially forwarding-related rules
- Data forwarding, sharing, connector, or external destination activity associated with automated workflows
- User, application, service account, and OAuth/app consent activity tied to SaaS automation
Detection direction
- Correlate workflow triggers from file uploads or email rules with subsequent forwarding, sharing, or unusual access events rather than alerting on automation alone.
- Build baselines for approved business workflows to reduce false positives from legitimate low-code automation and scheduled business processes.
- Validate joins across SaaS services; a common blind spot is seeing file activity, email rules, or automation runs separately without a shared investigation timeline.
- Pay attention to service accounts, delegated permissions, and application identities, since SaaS automation may not appear as ordinary interactive user behavior.
- Because no official detection logic is provided, test detections against local benign workflows and known policy violations before treating matches as high confidence.
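As an added illustration of the correlation logic described above (example code written for this page, not detection logic from MITRE, Glexia, or any SaaS vendor): the event schema, field names, event-kind labels, and the sample audit events are all constructed assumptions rather than a real Power Automate or Microsoft 365 audit format. The join is by actor and time window, with an approved-workflow baseline applied so that sanctioned automation does not produce matches; a downstream forwarding or external-sharing event that falls outside the window, or a run with no downstream data movement, is deliberately not reported.

```python
"""Correlate SaaS workflow runs triggered by file uploads or email rules with
subsequent data forwarding / external sharing by the same actor.

All field names, event kinds and sample events below are constructed for this
example; they are not a real SaaS audit log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str                 # actor: interactive user or service/app identity
    kind: str                 # normalized event kind (assumed labels, see below)
    workflow: Optional[str]   # workflow id when the event belongs to a run
    detail: str               # file path, mailbox, rule or destination


# Workflow runs whose trigger was a file upload or an email rule (assumed labels).
TRIGGER_KINDS = {"workflow_run_file_upload", "workflow_run_email_rule"}
# Downstream events that move data out: external share, forwarding rule,
# connector send to an external destination (assumed labels).
EXFIL_KINDS = {"external_share", "forwarding_rule_created", "connector_send_external"}

Finding = Tuple[str, Optional[str], datetime, List[Event]]


def correlate(events: List[Event],
              window: timedelta = timedelta(minutes=30),
              approved_workflows: frozenset = frozenset()) -> List[Finding]:
    """Return one finding per triggered workflow run that is followed, within
    `window`, by a data-movement event from the same actor.  Runs of workflows
    in the approved baseline are skipped to suppress sanctioned automation."""
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)

    findings: List[Finding] = []
    for user, evs in by_user.items():
        for i, trig in enumerate(evs):
            if trig.kind not in TRIGGER_KINDS or trig.workflow in approved_workflows:
                continue
            # Only events after the trigger and inside the window count.
            downstream = [e for e in evs[i + 1:]
                          if e.kind in EXFIL_KINDS and e.ts - trig.ts <= window]
            if downstream:
                findings.append((user, trig.workflow, trig.ts, downstream))
    return findings


# Constructed sample timeline covering: a match, an approved workflow, a run
# with no data movement, and a downstream event outside the window.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice@example.com", "file_upload", None, "Finance/Q4-forecast.xlsx"),
    Event(T0 + timedelta(seconds=5), "alice@example.com", "workflow_run_file_upload",
          "flow-7a1", "Finance/Q4-forecast.xlsx"),
    Event(T0 + timedelta(minutes=2), "alice@example.com", "connector_send_external",
          "flow-7a1", "https://files.example.net/upload"),
    # Approved, inventoried automation: suppressed by the baseline.
    Event(T0 + timedelta(hours=1), "svc-reports@example.com", "workflow_run_email_rule",
          "flow-approved-1", "reports@example.com"),
    Event(T0 + timedelta(hours=1, minutes=1), "svc-reports@example.com",
          "connector_send_external", "flow-approved-1", "https://partner.example.org"),
    # Email-rule run followed only by ordinary file access: no finding.
    Event(T0 + timedelta(hours=2), "bob@example.com", "workflow_run_email_rule",
          "flow-2b9", "bob@example.com"),
    Event(T0 + timedelta(hours=2, minutes=1), "bob@example.com", "file_access",
          None, "Shared/notes.docx"),
    # External share an hour after the trigger: outside the 30-minute window.
    Event(T0 + timedelta(hours=3), "carol@example.com", "workflow_run_file_upload",
          "flow-c33", "HR/roster.csv"),
    Event(T0 + timedelta(hours=4), "carol@example.com", "external_share",
          None, "HR/roster.csv"),
]
APPROVED = frozenset({"flow-approved-1"})


def run_sample() -> List[Finding]:
    """Run the correlation over the constructed sample with the baseline applied."""
    return correlate(SAMPLE_EVENTS, approved_workflows=APPROVED)


if __name__ == "__main__":
    for user, wf, ts, downstream in run_sample():
        print(f"{ts.isoformat()} {user} workflow={wf} -> "
              + ", ".join(f"{d.kind}:{d.detail}" for d in downstream))
```

Running the block with the baseline applied reports only the first actor's run; dropping the `approved_workflows` argument also surfaces the sanctioned service-account workflow, which is the false-positive class the baseline is meant to remove.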
Mitigation priorities
- Inventory approved SaaS automation platforms, workflow owners, connectors, and business purposes.
- Restrict who can create or modify workflows, email rules, forwarding rules, and external connectors based on business need.
- Require logging and retention for SaaS automation, file activity, email-rule activity, forwarding, and access events used by this analytic.
- Review high-risk automation paths that can move data externally or trigger from sensitive repositories or mailboxes.
- Include SaaS workflow evidence in incident response playbooks and compliance evidence collection for data movement investigations.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and has no relationship context, tactics, aliases, or official detection text. The strongest use is as a coverage validation prompt for SaaS automation monitoring and correlation, especially around Power Automate or similar logic apps.
This take is limited to the official STIX fields and external reference provided. It does not establish adversary use, impact, attribution, or guaranteed detection. Local SaaS platform capabilities, license tiers, log retention, identity model, and approved automation inventory will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 179305647488… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0028
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.