MITRE ATT&CK® Analytic

AN0487: Analytic 0487

Forged cookies in SaaS environments manifest as valid web sessions without matching login activity, MFA enforcement bypass, or cookies reused across multiple devices/IPs. Defenders should look for cookie replay, concurrent sessions from multiple geographies, or session tokens generated by unrecognized apps.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because forged SaaS cookies can make unauthorized access look like a normal, already-authenticated web session. For leaders, the key issue is whether the organization can prove that SaaS sessions are tied back to legitimate login and MFA events, expected devices, and expected network locations. If that linkage is weak, incident responders may struggle to distinguish a valid user session from a replayed or forged one.

Executive priority

Prioritize this as an identity and cloud/SaaS monitoring readiness issue. The business risk is not just account compromise; it is loss of confidence in session integrity, MFA enforcement evidence, and auditability of SaaS access. Executives should ask whether critical SaaS platforms retain enough login, session, device, app, IP, and geography evidence to investigate suspicious sessions and support compliance or incident decisions.

Technical view

For SaaS environments, validate detections that compare active or historical web sessions against corresponding login activity, MFA enforcement records, device/IP context, geography, and application metadata. The ATT&CK description highlights suspicious patterns such as valid sessions without matching login activity, apparent MFA bypass, cookie reuse across multiple devices or IPs, concurrent sessions from multiple geographies, and session tokens generated by unrecognized apps. Because no official detection logic is provided, teams should treat this as a detection engineering requirement rather than a ready-to-run rule.

Likely telemetry

  • SaaS login and authentication logs
  • MFA challenge, success, failure, and enforcement records
  • Session creation, refresh, and token/cookie usage records where available
  • Device identifiers, user-agent strings, and client metadata
  • Source IP address, ASN, and geolocation context

Detection direction

  • Correlate valid SaaS sessions with preceding login and MFA events for the same user, device, app, and approximate time window.
  • Alert or investigate sessions that have no matching authentication event, especially for privileged users or sensitive SaaS applications.
  • Look for the same session cookie or token context appearing across multiple devices, IPs, or geographies when the SaaS platform exposes that evidence.
  • Tune for legitimate travel, VPN/proxy use, mobile networks, browser changes, and sanctioned automation to reduce false positives.
  • Review sessions or tokens associated with unrecognized apps, unexpected client IDs, or unusual application metadata.
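The five detection directions above can be prototyped as one correlation pass over exported SaaS logs. The following is an added example (not code from Glexia or from the MITRE analytic): the event schema (fields such as user, session_id, client_id, geo), the lookback window, the list of known client IDs, the sanctioned-automation allowlist and the sample events are all constructed assumptions that must be mapped onto whatever your SaaS platform actually exports. It flags sessions with no preceding login, sessions whose login had no MFA record, session context that does not match the login's device or IP, session IDs reused across IPs, geographies or devices, and sessions from unrecognized client IDs, while skipping sanctioned automation accounts to limit false positives.

```python
"""Prototype correlation logic for AN0487-style forged-cookie detection.

Added example, not part of the Glexia page or the MITRE analytic. The event
schema and sample events below are constructed for illustration; map them to
your SaaS platform's real login, MFA and session telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: interactive login events (with MFA outcome)
# and session-usage events, as a SaaS platform might export them.
AUTH_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "event": "login", "mfa": True,
     "ip": "198.51.100.10", "device": "dev-A", "client_id": "browser"},
    {"ts": "2024-05-01T09:30:00", "user": "bob", "event": "login", "mfa": False,
     "ip": "203.0.113.5", "device": "dev-B", "client_id": "browser"},
]

SESSION_EVENTS = [
    # alice: normal session, matches her login within the window
    {"ts": "2024-05-01T08:01:00", "user": "alice", "session_id": "S1",
     "ip": "198.51.100.10", "geo": "DE", "device": "dev-A", "client_id": "browser"},
    # alice: the same session cookie seen from another IP, country and device
    {"ts": "2024-05-01T09:05:00", "user": "alice", "session_id": "S1",
     "ip": "192.0.2.77", "geo": "BR", "device": "dev-X", "client_id": "browser"},
    # bob: session with a login but no MFA record
    {"ts": "2024-05-01T09:31:00", "user": "bob", "session_id": "S2",
     "ip": "203.0.113.5", "geo": "US", "device": "dev-B", "client_id": "browser"},
    # carol: valid-looking session with no login at all, from an unknown client
    {"ts": "2024-05-01T10:00:00", "user": "carol", "session_id": "S3",
     "ip": "192.0.2.9", "geo": "US", "device": "dev-C", "client_id": "app-unknown-42"},
    # svc-backup: sanctioned automation, no interactive login expected
    {"ts": "2024-05-01T10:05:00", "user": "svc-backup", "session_id": "S4",
     "ip": "198.51.100.20", "geo": "DE", "device": "srv-1", "client_id": "backup-agent"},
]

# Tuning knobs (assumed values): how far back to look for a login, which
# client IDs are sanctioned, and which accounts are approved automation.
LOOKBACK = timedelta(hours=12)
KNOWN_CLIENT_IDS = {"browser", "backup-agent"}
SANCTIONED_AUTOMATION = {"svc-backup"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_forged_sessions(auth_events, session_events, lookback=LOOKBACK,
                           known_clients=KNOWN_CLIENT_IDS,
                           sanctioned=SANCTIONED_AUTOMATION):
    """Return {session_id: sorted list of finding tags} for suspicious sessions."""
    findings = defaultdict(set)
    logins_by_user = defaultdict(list)
    for a in auth_events:
        if a["event"] == "login":
            logins_by_user[a["user"]].append(a)

    # Per-session context, used for the cookie-reuse checks below
    ips, geos, devices = defaultdict(set), defaultdict(set), defaultdict(set)

    for s in session_events:
        sid, user, ts = s["session_id"], s["user"], _parse(s["ts"])
        ips[sid].add(s["ip"])
        geos[sid].add(s["geo"])
        devices[sid].add(s["device"])

        if user in sanctioned:
            continue  # approved automation: no interactive login expected

        # 1. Correlate with a preceding login for the same user in the window
        prior = [a for a in logins_by_user[user]
                 if 0 <= (ts - _parse(a["ts"])).total_seconds() <= lookback.total_seconds()]
        if not prior:
            findings[sid].add("no_matching_login")
        else:
            if not any(a["mfa"] for a in prior):
                findings[sid].add("mfa_not_enforced")
            # session device/IP should line up with the login that produced it
            if not any(a["device"] == s["device"] or a["ip"] == s["ip"] for a in prior):
                findings[sid].add("context_mismatch_with_login")

        # 2. Session minted or used by an unrecognized app / client ID
        if s["client_id"] not in known_clients:
            findings[sid].add("unrecognized_client")

    # 3. Same session cookie observed across IPs, geographies or devices
    for sid in set(ips) | set(geos) | set(devices):
        if len(ips[sid]) > 1:
            findings[sid].add("multi_ip")
        if len(geos[sid]) > 1:
            findings[sid].add("multi_geo")
        if len(devices[sid]) > 1:
            findings[sid].add("multi_device")

    return {sid: sorted(tags) for sid, tags in findings.items()}


if __name__ == "__main__":
    for sid, tags in detect_forged_sessions(AUTH_EVENTS, SESSION_EVENTS).items():
        print(sid, ", ".join(tags))
```

Run against the constructed events, S1 is tagged for context mismatch and multi-IP/geo/device reuse, S2 for a login without MFA, S3 for having no login and an unrecognized client, and the sanctioned S4 produces nothing. In production the device/IP match in step 1 and the geography checks in step 3 are where VPN, mobile-network and travel tuning belongs.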

Mitigation priorities

  • Ensure critical SaaS applications produce and retain authentication, MFA, session, device, IP, and app/client telemetry needed for investigation.
  • Strengthen identity controls around session management, including conditional access policies and reauthentication requirements where supported by the SaaS platform.
  • Review authorized applications and integrations so unrecognized apps generating sessions are easier to identify.
  • Define incident response procedures for suspected session compromise, including session revocation, credential reset, MFA review, and user/device validation.
  • Use privileged and high-risk SaaS accounts as the first priority for monitoring coverage and control validation.

Analyst notes and limits

This object is a detection analytic for SaaS forged-cookie behavior. The supplied ATT&CK fields provide a useful behavioral description but no formal detection logic, no mapped tactics, and no relationship context. Glexia’s practical interpretation is therefore focused on validating telemetry and correlation coverage rather than asserting a specific rule or threat actor behavior.

Assessment is limited to the official STIX fields, external reference, and absence of relationships supplied for AN0487. Local SaaS platform capabilities determine whether cookie, token, session, device, app, and MFA evidence is available. No claim is made about active exploitation, attribution, or guaranteed detection.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cb814f000106c5e5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | cb814f000106…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0487

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.