MITRE ATT&CK® Analytic

AN0440: Analytic 0440

Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: repeated automated exports or suspicious webhook endpoint registrations.

Enterprise · AN0440 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because SaaS webhook settings can create data movement paths out of a tenant. A webhook pointed at an external or untrusted domain may be legitimate integration work, but it can also represent a risky or unauthorized configuration that deserves review, especially when paired with repeated automated exports.

Executive priority

Security leaders should treat this as a SaaS governance and incident-readiness question: who is allowed to create webhooks, how are destination domains approved, and can the organization produce audit evidence showing when webhook endpoints or automated exports changed? The business risk is not proven by the analytic alone, but weak visibility here can delay decisions during a SaaS incident or compliance review.

Technical view

For SOC, cloud security, and IR teams, validate whether SaaS audit logs capture webhook configuration creation, modification, and deletion, the endpoint URL and its destination domain, actor identity, timestamps, tenant context, and export activity. Detection logic should focus on webhook endpoints registered to external or untrusted domains and on repeated automated exports, reviewed against known business integrations to reduce false positives. Derive the destination from the parsed host of the full URL rather than a substring match on the raw string: a URL with userinfo (`https://trusted.example@attacker-host/`) or a look-alike suffix (`trusted.example.attacker-host`) passes a naive "contains trusted domain" check but delivers data somewhere else.

Likely telemetry

  • SaaS tenant audit logs for webhook creation, modification, and deletion
  • Webhook endpoint URL or destination domain metadata
  • Actor identity, role, source IP, and timestamp associated with configuration changes
  • SaaS export events, especially repeated or automated exports
  • Approved integration inventory or allowlist of trusted domains

Detection direction

  • Build or validate detections for webhook registrations pointing to domains not in an approved or trusted integration list.
  • Correlate suspicious webhook endpoint changes with repeated automated export activity when available.
  • Tune for legitimate SaaS integrations, vendor connectors, and business automation to avoid excessive false positives.
  • Check whether logging retains enough detail to distinguish endpoint domain, actor, and tenant-level configuration changes.
  • Prioritize review of changes made by unexpected users, privileged accounts, or service accounts where local policy defines those as unusual.
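The detection direction above, written out as a runnable example. This is an added illustration, not code from MITRE, Glexia, or any SaaS vendor: the event field names (`event`, `tenant`, `actor`, `role`, `url`, `automated`), the trusted-domain allowlist, the 24-hour window and the threshold of three exports are all assumptions, and the audit events are constructed sample data. It checks webhook destinations against the allowlist on DNS label boundaries (so look-alike suffixes and userinfo tricks do not pass), treats raw IP destinations as untrusted, and raises severity when the same tenant, and again when the same actor, shows repeated automated exports.

```python
"""Added example: review SaaS webhook changes against an approved-domain list and
correlate them with repeated automated exports. Field names, allowlist, window and
threshold are assumptions; the events below are constructed, not real audit data."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: destinations approved by whoever owns the integration inventory.
TRUSTED_DOMAINS = {"hooks.slack.com", "api.example-crm.com", "integrations.corp.example"}
EXPORT_WINDOW = timedelta(hours=24)   # sliding window that defines "repeated"
EXPORT_THRESHOLD = 3                  # automated exports per actor within the window

# Constructed sample audit events (vendor-neutral names, not a real log schema).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00Z", "tenant": "t1", "event": "webhook.created",
     "actor": "alice@corp.example", "role": "admin",
     "url": "https://hooks.slack.com/services/T000/B000/xxx"},
    {"ts": "2025-03-01T09:05:00Z", "tenant": "t1", "event": "webhook.created",
     "actor": "svc-etl@corp.example", "role": "service",
     "url": "https://api.example-crm.com.attacker-cdn.invalid/ingest"},  # look-alike suffix
    {"ts": "2025-03-01T09:10:00Z", "tenant": "t1", "event": "webhook.updated",
     "actor": "bob@corp.example", "role": "member",
     "url": "http://203.0.113.7:8080/hook"},                             # raw IP destination
    {"ts": "2025-03-01T10:00:00Z", "tenant": "t1", "event": "export.completed",
     "actor": "svc-etl@corp.example", "automated": True},
    {"ts": "2025-03-01T12:00:00Z", "tenant": "t1", "event": "export.completed",
     "actor": "svc-etl@corp.example", "automated": True},
    {"ts": "2025-03-01T14:00:00Z", "tenant": "t1", "event": "export.completed",
     "actor": "svc-etl@corp.example", "automated": True},
    {"ts": "2025-03-01T15:00:00Z", "tenant": "t2", "event": "webhook.created",
     "actor": "carol@corp.example", "role": "admin",
     "url": "https://integrations.corp.example/v2/hook"},
]


def destination_host(url):
    """Host the platform will actually connect to. urlsplit() discards userinfo, so
    'https://hooks.slack.com@evil.invalid/' yields 'evil.invalid', which a substring
    match on the raw URL would have passed as trusted."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Allowlist match on label boundaries: 'api.hooks.slack.com' is covered by
    'hooks.slack.com', 'hooks.slack.com.evil.invalid' is not. IP literals are never
    trusted here because approved integrations are registered by name (policy assumption)."""
    if not host:
        return False
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in trusted)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def repeated_automated_exports(events, window=EXPORT_WINDOW, threshold=EXPORT_THRESHOLD):
    """{(tenant, actor): max count} for actors whose automated exports reach the
    threshold inside any window-sized span. Ad hoc (non-automated) exports are ignored."""
    times = defaultdict(list)
    for e in events:
        if e["event"].startswith("export.") and e.get("automated"):
            times[(e["tenant"], e["actor"])].append(_ts(e["ts"]))
    hits = {}
    for key, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits


def review_webhooks(events, trusted=TRUSTED_DOMAINS):
    """Findings for webhook create/update events with an unapproved destination.
    Severity: medium by default, high if the tenant has repeated automated exports,
    critical if the same actor made the webhook change and ran those exports."""
    exports = repeated_automated_exports(events)
    export_tenants = {tenant for (tenant, _) in exports}
    findings = []
    for e in events:
        if not e["event"].startswith("webhook."):
            continue
        host = destination_host(e.get("url", ""))
        if is_trusted(host, trusted):
            continue
        reasons = ["destination not in approved integration list"]
        severity = "medium"
        if e["tenant"] in export_tenants:
            severity = "high"
            reasons.append("tenant has repeated automated exports in window")
        if (e["tenant"], e["actor"]) in exports:
            severity = "critical"
            reasons.append("same actor also ran the repeated exports")
        if e.get("role") in ("service", "admin"):
            reasons.append(f"change made by {e['role']} account")  # local policy decides if unusual
        findings.append({"ts": e["ts"], "tenant": e["tenant"], "actor": e["actor"],
                         "event": e["event"], "host": host,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_webhooks(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ts"], f["tenant"], f["actor"], f["host"], "; ".join(f["reasons"]))
```

On the sample data the Slack and corp-owned destinations are skipped, the look-alike `api.example-crm.com.attacker-cdn.invalid` registration by the same service account that ran three automated exports inside 24 hours is reported as critical, and the raw-IP webhook update by a member account in the same tenant is reported as high. Whether admin or service accounts count as unusual actors is left to local policy, as the detection direction above says; the example only records the role as a review reason.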

Mitigation priorities

  • Maintain an approved inventory of SaaS integrations and trusted webhook destination domains.
  • Restrict webhook configuration permissions to appropriate administrative or integration-management roles.
  • Require change control or documented approval for new external webhook endpoints where operationally feasible.
  • Review SaaS audit logging and retention to support investigation and compliance evidence.
  • Periodically audit webhook configurations and automated export jobs against business ownership and necessity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for SaaS tenant activity involving external or untrusted webhook destinations and repeated automated exports. No related techniques, tactics, mitigations, groups, software, or campaigns were supplied, so this take focuses on defensive validation rather than attribution or threat-specific claims.

Official detection text was not provided, and no relationship context was supplied. Local SaaS platform capabilities, tenant configuration, trusted-domain policy, and integration inventory are required to turn this analytic into reliable detection logic.

Official MITRE ATT&CK definition

Analytic 0440

Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: repeated automated exports or suspicious webhook endpoint registrations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 80fd655927f52e68...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 80fd655927f5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0440 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.