AN0193: Analytic 0193
Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.
Analyst context for executives and security teams
This analytic matters because phishing is not limited to email. In SaaS chat and collaboration platforms, a malicious link or attachment can lead directly to credential or token misuse inside business-critical applications. For leaders, the decision point is whether security visibility and response processes cover the collaboration tools employees actually use, not just the mail gateway.
Executive priority
Prioritize this as a SaaS and identity readiness issue: confirm that collaboration-platform activity, link-click behavior, file uploads, and post-phishing token activity can be reviewed quickly during an incident. The business risk is delayed recognition of compromised SaaS access, which can affect continuity, data exposure investigations, compliance evidence, and incident decision-making.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for SaaS-delivered phishing in chat or collaboration services. Since ATT&CK provides no formal detection logic and no relationships for this analytic, focus on the evidence classes named in the object: anomalous link clicks, suspicious file uploads, and token misuse following suspected SaaS phishing messages. Testing should confirm that alerts can correlate message context, user action, file or URL indicators, and subsequent authentication or token behavior within SaaS platforms.
Likely telemetry
- SaaS chat and collaboration message metadata
- URL or link-click telemetry from SaaS services
- SaaS file upload and attachment activity
- User authentication and session events
- Token issuance, refresh, reuse, or anomalous token activity where available
Detection direction
- Validate that monitoring includes SaaS chat and collaboration platforms, not only email phishing controls.
- Tune for sequences: suspicious message or file activity followed by link clicks, file access, unusual authentication, or token misuse.
- Review false positives from normal collaboration behavior, bulk file sharing, automated integrations, and legitimate external collaboration.
- Identify blind spots where SaaS audit logging, URL click data, file events, or token telemetry are unavailable, delayed, or not retained.
- Because no ATT&CK detection logic is supplied, require local baselining and incident-derived examples before treating this as reliable coverage.
Mitigation priorities
- Ensure SaaS audit logging is enabled and retained for collaboration activity, file events, authentication, and token-related events where supported.
- Integrate SaaS telemetry into managed detection, SOC triage, and incident response workflows.
- Prioritize identity controls and response playbooks for suspected SaaS phishing, including user/session review and token-related investigation steps.
- Review collaboration-platform governance for external sharing, file uploads, and risky app or integration behavior where applicable.
- Use tabletop or purple-team validation to confirm responders can investigate a SaaS-delivered phishing report end to end.
Analyst notes and limits
ATT&CK identifies this as detection analytic AN0193 for SaaS phishing delivered through chat and collaboration platforms. The object is platform-scoped to SaaS and emphasizes malicious URLs or attachments, anomalous link clicks, suspicious file uploads, and token misuse after SaaS-based phishing attempts. No tactic, relationship context, or official detection logic was supplied, so the take is framed around validation and telemetry readiness rather than a specific rule.
This summary is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, specific SaaS vendors, guaranteed detection, or impact. Local SaaS platform capabilities, log licensing, retention, identity architecture, and business workflows are required to determine actual coverage.
Analytic 0193
Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 18cec86d840c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0193Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.