AN0203: Analytic 0203
Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint.
Analyst context for executives and security teams
This analytic points to a practical identity-risk signal: a web session token being used inside native Office applications such as Outlook or Teams without the endpoint showing the expected login or token-refresh activity. For leaders, the value is not that this proves compromise by itself, but that it highlights a gap between cloud/session activity and endpoint evidence that can matter during account takeover investigations and business email or collaboration-service incidents.
Executive priority
Prioritize this as an identity and cloud/SaaS visibility question: can the organization correlate Office application activity with endpoint login and token-refresh behavior well enough to explain suspicious sessions during an incident or audit? If not, response teams may struggle to determine whether access was legitimate, whether a session token was reused, and what containment actions are justified.
Technical view
SOC and IR teams should validate whether Office Suite session activity can be correlated with endpoint telemetry that shows associated login or token refresh behavior. Because no official detection logic is supplied, this should be treated as a detection-engineering hypothesis from DET0074/AN0203 rather than a ready-to-deploy rule. Focus on mismatches where native Office app activity occurs but the endpoint lacks expected authentication-adjacent events in the same investigative window.
Likely telemetry
- Office Suite application/session activity for native apps such as Outlook and Teams
- Identity or authentication logs showing logins and token refresh behavior
- Endpoint telemetry from the device expected to be using the native Office application
- Time-correlated user, device, and application identifiers sufficient to join cloud/session activity to endpoint evidence
Detection direction
- Validate that cloud/Office session logs and endpoint authentication-related telemetry can be joined by user, device, application, and time.
- Tune carefully for legitimate gaps such as logging delays, device changes, offline behavior, incomplete endpoint coverage, or normal session persistence.
- Use this signal as an investigation trigger, not a standalone compromise verdict, because the official object provides no detection logic or false-positive guidance.
- Assess blind spots where unmanaged devices, missing endpoint agents, or incomplete Office Suite logging would prevent confirming whether login or token-refresh behavior occurred.
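The join described in the Technical view and the Detection direction list, as an added worked example (illustrative code, not MITRE's or Glexia's detection logic): native Office app session records are joined to endpoint login / token-refresh events by user and device, and a session is flagged only when no such event exists in a window that allows for logging delay. Devices without endpoint coverage are reported separately as blind spots rather than flagged, since the absence of evidence there proves nothing. All field names, event kinds, window sizes and the sample records below are constructed assumptions; real Microsoft 365 and EDR schemas differ.

```python
"""Correlate native Office app sessions with endpoint auth evidence.

Added example, not code from the original page. Schemas and sample
records are constructed; adapt the field mapping to your own telemetry.
"""
from bisect import bisect_left
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    """One Office Suite session record (assumed shape)."""
    ts: datetime
    user: str
    device: str
    app: str          # e.g. "Outlook", "Teams"
    client: str       # "native" or "web"
    session_id: str


@dataclass(frozen=True)
class EndpointAuthEvent:
    """One endpoint authentication-adjacent record (assumed shape)."""
    ts: datetime
    user: str
    device: str
    kind: str         # "login" or "token_refresh"


AUTH_KINDS = frozenset({"login", "token_refresh"})


def index_auth_events(auth_events):
    """Map (user, device) -> sorted timestamps of login/refresh events."""
    idx = defaultdict(list)
    for e in auth_events:
        if e.kind in AUTH_KINDS:
            idx[(e.user, e.device)].append(e.ts)
    for ts_list in idx.values():
        ts_list.sort()
    return idx


def has_auth_in_window(ts_list, start, end):
    """True if any timestamp t in the sorted list satisfies start <= t <= end."""
    i = bisect_left(ts_list, start)
    return i < len(ts_list) and ts_list[i] <= end


def find_unexplained_sessions(sessions, auth_events, covered_devices,
                              lookback=timedelta(hours=8),
                              log_delay=timedelta(minutes=15)):
    """Return (flagged, blind_spots), each a sorted list of
    (user, device, app, session_id) tuples.

    flagged: native-app sessions with no login/token_refresh from the SAME
             user and device within [ts - lookback, ts + log_delay].
    blind_spots: native-app sessions on devices without endpoint coverage,
             where the check cannot be made either way.
    Web-client sessions are out of scope for this analytic and skipped.
    """
    idx = index_auth_events(auth_events)
    flagged, blind = {}, {}
    for s in sessions:
        if s.client != "native":
            continue
        key = (s.user, s.device, s.app, s.session_id)
        if s.device not in covered_devices:
            blind.setdefault(key, s.ts)
            continue
        window = (s.ts - lookback, s.ts + log_delay)
        if has_auth_in_window(idx.get((s.user, s.device), []), *window):
            continue                      # explained by endpoint evidence
        flagged.setdefault(key, s.ts)     # one finding per session
    return sorted(flagged), sorted(blind)


def sample_data():
    """Constructed sample telemetry covering the main cases."""
    t = lambda h, m: datetime(2026, 3, 2, h, m)
    sessions = [
        SessionEvent(t(9, 5), "alice", "LAPTOP-01", "Outlook", "native", "s-alice-1"),
        SessionEvent(t(13, 40), "bob", "LAPTOP-02", "Teams", "native", "s-bob-1"),
        SessionEvent(t(10, 0), "carol", "LAPTOP-03", "Outlook", "native", "s-carol-1"),
        SessionEvent(t(11, 0), "dave", "UNMANAGED-7", "Teams", "native", "s-dave-1"),
        SessionEvent(t(12, 0), "erin", "LAPTOP-05", "Outlook", "web", "s-erin-1"),
    ]
    auth_events = [
        EndpointAuthEvent(t(8, 58), "alice", "LAPTOP-01", "login"),
        EndpointAuthEvent(t(1, 0), "bob", "LAPTOP-02", "token_refresh"),  # too old
        EndpointAuthEvent(t(13, 30), "bob", "LAPTOP-09", "login"),         # wrong device
        EndpointAuthEvent(t(10, 8), "carol", "LAPTOP-03", "login"),        # arrives late, within log_delay
    ]
    covered = {"LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "LAPTOP-05", "LAPTOP-09"}
    return sessions, auth_events, covered


def run_example():
    return find_unexplained_sessions(*sample_data())


if __name__ == "__main__":
    flagged, blind = run_example()
    print("flagged:", flagged)
    print("blind spots:", blind)
```

Bob's session is the only finding: his refresh on LAPTOP-02 is older than the lookback and his login on LAPTOP-09 does not count because the join is on user and device, not user alone. Carol's late-arriving login is accepted because of the log_delay allowance, and Dave's unmanaged device surfaces as a blind spot rather than a finding, which is the distinction the tuning notes above call for.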
Mitigation priorities
- Improve identity and Office Suite logging retention and correlation before relying on this analytic operationally.
- Ensure incident response playbooks include steps to review session validity, recent logins, token-refresh evidence, and endpoint context for the affected user.
- Prioritize coverage for high-risk users and business-critical mail or collaboration accounts where token/session uncertainty would create material response risk.
- Use findings to inform identity access reviews and cloud security control validation, without assuming this analytic alone proves malicious activity.
Analyst notes and limits
The object is a MITRE detection analytic, AN0203, for the Office Suite platform. It describes web session tokens reused in native Office apps without associated token refresh or login behavior on the endpoint. No tactics, relationships, or official detection procedure were supplied, so this analysis emphasizes validation, correlation, and investigation value rather than a prescriptive rule.
No relationship context, ATT&CK tactics, mitigations, data components, or official detection text were provided. Local telemetry quality, Office Suite logging configuration, endpoint coverage, and identity log retention will determine whether this analytic is feasible or reliable in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) for comparison. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 664b0e525dc7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0203 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.