MITRE ATT&CK® Analytic

AN0201: Analytic 0201

Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

Enterprise | AN0201 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because valid cloud session tokens can allow access to cloud web applications without a fresh password or MFA prompt. For leaders, the practical question is whether the organization can distinguish normal session reuse from suspicious token-based access tied to unusual locations or device fingerprints. If that visibility is weak, cloud account activity may look legitimate even when authentication assurance is missing.

Executive priority

Prioritize this as a cloud security and identity monitoring validation item. It supports decisions about MFA assurance, session management, SOC visibility, and incident response readiness for IaaS-connected web application access. Executives should ask whether teams can prove when cloud application sessions were created, whether MFA or credential validation occurred, and whether later access came from expected locations and devices.

Technical view

The supplied ATT&CK object describes anomalous access to cloud web applications using session tokens without corresponding MFA or credential validation, especially from unusual locations or device fingerprints. SOC and detection teams should validate whether cloud identity, application access, session, device, and location data can be correlated to identify access events that rely on existing session tokens rather than new authentication events. Because MITRE provides no official detection logic and no relationship context for this analytic, local baselining and environment-specific tuning are required.

Likely telemetry

  • Cloud web application access logs
  • Cloud identity provider authentication logs
  • Session creation, refresh, and token-use events where available
  • MFA challenge and MFA success/failure records
  • Credential validation or sign-in records

Detection direction

  • Correlate cloud application access with recent MFA and credential validation events for the same user, device, and session context.
  • Flag access using session tokens when there is no corresponding recent authentication assurance event, especially from unusual geography, IP space, user agent, or device fingerprint.
  • Tune carefully for legitimate travel, VPN/proxy use, mobile networks, shared devices, and expected long-lived sessions to reduce false positives.
  • Validate whether logs preserve session identifiers or equivalent correlation fields; without them, coverage may depend on weaker joins such as user, time, IP, and device metadata.
  • Review alert priority based on account privilege, sensitive application access, and deviation from normal user behavior.
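As an added example that is not part of the MITRE object or Glexia's analysis, the Python script below implements the correlation described in the detection direction above: each cloud application access made under a session token is matched against the most recent MFA-validated sign-in for the same user and session, access with no recent assurance event is flagged, and changes in country, IP, or device fingerprint relative to the last assurance event raise the severity. The sample events, field names, the 12-hour assurance window, the sensitive-application list, and the long-lived-session allow-list are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs). Two event kinds:
#   "auth"       - an authentication assurance event (credential check + MFA outcome)
#   "app_access" - a cloud web application request served under a session token
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "type": "auth", "user": "alice", "session": "s-111",
     "mfa": "success", "ip": "203.0.113.10", "country": "US", "device": "fp-a1"},
    {"ts": "2024-05-01T08:05:00", "type": "app_access", "user": "alice", "session": "s-111",
     "app": "billing", "ip": "203.0.113.10", "country": "US", "device": "fp-a1"},
    # Same token reused 13.5 hours later from another country and device, no new sign-in
    {"ts": "2024-05-01T21:30:00", "type": "app_access", "user": "alice", "session": "s-111",
     "app": "billing", "ip": "198.51.100.7", "country": "BR", "device": "fp-zz"},
    # Session that never appears in the authentication log at all
    {"ts": "2024-05-01T09:00:00", "type": "app_access", "user": "bob", "session": "s-222",
     "app": "admin-console", "ip": "192.0.2.5", "country": "US", "device": "fp-b1"},
    # A sign-in whose MFA step failed must not count as assurance
    {"ts": "2024-05-01T10:00:00", "type": "auth", "user": "carol", "session": "s-333",
     "mfa": "failure", "ip": "192.0.2.9", "country": "US", "device": "fp-c1"},
    {"ts": "2024-05-01T10:01:00", "type": "app_access", "user": "carol", "session": "s-333",
     "app": "hr", "ip": "192.0.2.9", "country": "US", "device": "fp-c1"},
]

# Hypothetical application names whose access should raise alert priority
SENSITIVE_APPS = frozenset({"admin-console", "billing"})
# Context fields compared against the last assurance event (assumed field names)
CONTEXT_FIELDS = ("country", "ip", "device")


def find_unassured_access(events, max_age=timedelta(hours=12), long_lived_sessions=frozenset()):
    """Return one finding per app_access event that has no MFA-validated sign-in for the
    same (user, session) within max_age. Sessions listed in long_lived_sessions are exempt
    from the age check (tuning knob for expected long-lived sessions). Context changes
    relative to the last assurance event and access to sensitive apps raise severity."""
    last_assurance = {}   # (user, session) -> most recent MFA-success auth event
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort lexically
        key = (e["user"], e["session"])
        if e["type"] == "auth":
            if e.get("mfa") == "success":
                last_assurance[key] = e
            continue
        if e["type"] != "app_access":
            continue
        assurance = last_assurance.get(key)
        reasons = []
        if assurance is None:
            reasons.append("no MFA-validated sign-in recorded for this session")
        else:
            age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(assurance["ts"])
            if age > max_age and e["session"] not in long_lived_sessions:
                reasons.append(f"last MFA validation was {age} ago (limit {max_age})")
        if not reasons:
            continue   # recent assurance exists: ordinary session reuse, not flagged
        deviations = []
        if assurance is not None:
            for field in CONTEXT_FIELDS:
                if e.get(field) != assurance.get(field):
                    deviations.append(
                        f"{field} changed from {assurance.get(field)} to {e.get(field)}")
        severity = "high" if deviations or e.get("app") in SENSITIVE_APPS else "medium"
        findings.append({
            "user": e["user"], "session": e["session"], "app": e.get("app"),
            "ts": e["ts"], "severity": severity, "reasons": reasons + deviations,
        })
    return findings


if __name__ == "__main__":
    for f in find_unassured_access(EVENTS):
        print(f["severity"].upper(), f["user"], f["app"], f["ts"])
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is, the script flags three of the four access events: alice's late-night reuse of a stale token from a new country and device (high), bob's access with no sign-in on record to a sensitive console (high), and carol's access after a failed MFA challenge (medium). Alice's first access, minutes after a successful MFA sign-in, is treated as normal session reuse. Passing `long_lived_sessions={"s-111"}` suppresses the stale-token finding for alice, which shows how the tuning for expected long-lived sessions trades off against catching exactly this pattern; in a real deployment the session identifier join should be verified to exist in the logs before relying on it.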

Mitigation priorities

  • Confirm MFA is enforced for cloud web application access and that policies address session reuse, not only initial sign-in.
  • Review session lifetime, reauthentication, and token revocation policies for IaaS-connected applications.
  • Ensure identity and cloud application logs are retained and accessible to SOC and incident response teams.
  • Establish response procedures for suspicious session-token activity, including session revocation and account review.
  • Use periodic control testing to prove that authentication, MFA, device, and access telemetry can be correlated during investigations.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique. The most useful defensive value is as a coverage test for cloud identity telemetry and session assurance. It is especially relevant to managed detection, cloud security, identity and access management, and incident response programs that need evidence of how cloud sessions are authenticated and reused.

MITRE did not provide official detection logic, tactics, relationships, or linked techniques in the supplied fields. The only supported platform is IaaS. Any assessment of exposure, active exploitation, specific attacker behavior, or guaranteed detection requires local cloud identity and application telemetry not included in the object.

Official MITRE ATT&CK definition

Analytic 0201

Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
bc6bc3f0b827a522...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | bc6bc3f0b827…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0201 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.