AN0192: Analytic 0192
Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.
Analyst context for executives and security teams
This analytic matters because phishing against an identity provider can turn a single deceptive email or fake SSO prompt into broader account access risk. The ATT&CK object focuses on correlating phishing delivery signals with suspicious IdP login behavior, MFA bypass attempts, and unusual geography. For leaders, the value is not just finding phishing emails; it is proving whether identity telemetry can connect the email event to the attempted or successful authentication flow quickly enough to support containment decisions.
Executive priority
Prioritize this as an identity and business-continuity control validation item. If the organization relies on SSO, IdP compromise can affect many downstream applications, so executives should ask whether security teams can trace a suspected phishing invitation or fake SSO prompt into IdP login activity, MFA anomalies, and geographic deviations. This also supports audit and incident-readiness evidence by showing whether identity, email, and SOC workflows are correlated rather than reviewed in isolation.
Technical view
For SOC, detection engineering, and IR teams, validate whether IdP authentication logs can be correlated with email security events related to suspicious invitations or phishing lures. The supplied analytic specifically points to login flows, MFA bypass attempts, and anomalous geographic patterns after phishing email delivery. Because no official detection logic is provided and no ATT&CK tactics are specified, teams should treat this as a detection design objective rather than a ready rule: define local baselines for normal IdP access, expected MFA behavior, and user travel patterns, then test whether phishing reports or email detections can trigger focused review of subsequent identity activity.
Likely telemetry
- Identity provider authentication logs
- SSO login flow events
- MFA challenge, failure, bypass, or anomaly events
- Email security alerts or message metadata for suspicious invitations and phishing delivery
- User, source IP, device, and geographic login context
Detection direction
- Validate correlation between phishing email delivery or suspicious invitation events and subsequent IdP authentication attempts.
- Tune for anomalous geography relative to the user’s normal access patterns, while accounting for legitimate travel, VPNs, and remote work.
- Review MFA-related anomalies, including unusual challenge patterns or bypass indicators where the IdP records them.
- Confirm that email and identity telemetry share usable user identifiers and timestamps for investigation timelines.
- Avoid treating this as a standalone email detection; the analytic’s value comes from linking phishing context to IdP login behavior.
Mitigation priorities
- Ensure IdP authentication, MFA, and email security logs are collected, normalized, and retained for incident investigation.
- Strengthen correlation workflows between email phishing detections and identity monitoring queues.
- Review MFA policy coverage and exception handling, especially where bypass or degraded authentication could occur.
- Establish response playbooks for suspected IdP phishing, including account review, session assessment, and user verification steps.
- Use tabletop or detection validation exercises to confirm analysts can move from a phishing email indicator to the relevant IdP login timeline.
Analyst notes and limits
This object is an ATT&CK detection analytic for the Identity Provider platform. It provides a behavioral description but no official detection query, no tactics, and no relationship context. The strongest use is as a validation prompt for identity-centric phishing detection and IR readiness.
The supplied ATT&CK fields do not identify specific products, adversaries, procedures, tactics, or confirmed exploitation. Local IdP configuration, MFA logging detail, email telemetry quality, geolocation reliability, and retention windows will determine practical coverage.
Analytic 0192
Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | ad9958644ac3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0192Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.