AN0534: Analytic 0534
Suspicious sign-ins to Graph API or sensitive resources using non-browser scripting agents (e.g., Python, PowerShell), often for programmatic access to mailbox or OneDrive content.
Analyst context for executives and security teams
This analytic matters because scripted, non-browser sign-ins to Microsoft Graph API or other sensitive SaaS resources can represent automated access to business data such as mailbox or OneDrive content. For leaders, the decision point is whether the organization can distinguish approved automation from suspicious programmatic access before data exposure or incident response uncertainty grows.
Executive priority
Prioritize this as a SaaS identity and data-access visibility question. Executives and security leaders should ask whether sanctioned scripts, service accounts, and automation are inventoried; whether Graph API and sensitive-resource sign-ins are logged; and whether SOC teams can rapidly validate unusual Python or PowerShell user agents accessing mailbox or OneDrive-related resources. This supports incident decision-making, audit evidence for SaaS access monitoring, and control prioritization around identity governance and cloud/SaaS logging.
Technical view
For SOC, detection engineering, and IR teams, validate telemetry for SaaS sign-in activity where the resource is Graph API or another sensitive SaaS resource and the client/user agent indicates non-browser scripting such as Python or PowerShell. Because no ATT&CK tactic, detection logic, or relationships are supplied, teams should treat this as a detection-validation prompt: baseline known automation, identify accounts expected to use scripted access, and investigate deviations involving sensitive resource access, unusual users, or unexpected client agents.
Likely telemetry
- SaaS identity provider sign-in logs
- Application/resource sign-in events for Graph API or sensitive SaaS resources
- User agent or client application fields showing Python, PowerShell, or other non-browser agents
- Account identity, service principal, and session context tied to scripted access
- Mailbox, OneDrive, or sensitive resource access audit records where available
Detection direction
- Confirm that sign-in logs include resource/application target and user agent or client application details; without these fields this analytic will have major blind spots.
- Baseline approved automation and service accounts to reduce false positives from legitimate scripts and administrative workflows.
- Prioritize review of scripted sign-ins by human user accounts, newly observed accounts, unusual locations, or accounts without an approved automation use case, using only locally available context.
- Correlate suspicious scripted sign-ins with subsequent mailbox, OneDrive, or sensitive-resource audit activity where available.
- Document gaps caused by missing SaaS audit licensing, short retention, normalized logs that drop user-agent details, or unclear ownership of automation accounts.
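The Technical view and Detection direction above, as an added example (not part of the ATT&CK object or Glexia's analysis): constructed Entra ID-style sign-in records with assumed field names, a scripting-agent pattern, and a local allowlist standing in for the approved-automation baseline, with records that lack a user agent reported as telemetry gaps rather than silently ignored.

```python
import re

# Constructed Entra ID-style sign-in records (assumed field names); the
# approved-automation allowlist stands in for the local baseline the
# analytic says teams must build.
SCRIPT_AGENT_RE = re.compile(r"python|powershell|curl|go-http-client", re.I)
SENSITIVE_RESOURCES = {"Microsoft Graph", "Office 365 Exchange Online",
                       "Office 365 SharePoint Online"}
APPROVED_AUTOMATION = {"svc-backup@example.com": {"Microsoft Graph"}}

SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-backup@example.com", "resourceDisplayName": "Microsoft Graph",
     "userAgent": "python-requests/2.31.0"},
    {"userPrincipalName": "alice@example.com", "resourceDisplayName": "Microsoft Graph",
     "userAgent": "PowerShell/7.4.1"},
    {"userPrincipalName": "bob@example.com", "resourceDisplayName": "Microsoft Graph",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
    {"userPrincipalName": "svc-backup@example.com",
     "resourceDisplayName": "Office 365 Exchange Online", "userAgent": "python-requests/2.31.0"},
    {"userPrincipalName": "carol@example.com", "resourceDisplayName": "Microsoft Graph",
     "userAgent": ""},  # normalized log that dropped the user agent
]


def triage(records, approved=APPROVED_AUTOMATION):
    """Return (alerts, gaps). Alerts are scripted sign-ins to sensitive
    resources not covered by the approved-automation baseline; gaps are
    records lacking the user-agent field the analytic depends on."""
    alerts, gaps = [], []
    for r in records:
        ua = r.get("userAgent")
        if not ua:
            gaps.append(r)
            continue
        resource = r.get("resourceDisplayName", "")
        if resource not in SENSITIVE_RESOURCES or not SCRIPT_AGENT_RE.search(ua):
            continue
        upn = r.get("userPrincipalName", "")
        if resource in approved.get(upn, set()):
            continue  # baselined: this account is approved for this resource
        # A known service account on an unapproved resource is worth review;
        # any other account using a scripting agent is the priority case.
        severity = "medium" if upn in approved else "high"
        alerts.append({"upn": upn, "resource": resource,
                       "userAgent": ua, "severity": severity})
    return alerts, gaps


if __name__ == "__main__":
    found, missing = triage(SAMPLE_SIGNINS)
    for a in found:
        print(f"[{a['severity']}] {a['upn']} -> {a['resource']} via {a['userAgent']}")
    print(f"{len(missing)} record(s) with no user agent (telemetry gap)")
```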
Mitigation priorities
- Inventory and approve legitimate SaaS automation that uses Graph API or sensitive resources.
- Ensure identity and SaaS audit logging captures sign-in target, client/user agent, account, and resource access context with sufficient retention for investigations.
- Apply least-privilege access and governance to accounts or applications used for programmatic SaaS access.
- Review conditional access, service account controls, and monitoring requirements for scripted access patterns based on business need.
- Create IR runbooks for triaging unexpected scripted access to mailbox, OneDrive, or other sensitive SaaS resources.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for SaaS environments focused on suspicious non-browser scripting agents accessing Graph API or sensitive resources. The strongest practical use is as a control and telemetry validation item for identity, SaaS security, SOC monitoring, and incident response readiness.
Official detection content, tactics, related techniques, mitigations, and relationship context were not supplied. Conclusions are limited to the official description, platform, and external reference. Local baselines are required to distinguish approved automation from suspicious activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dedc178417f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0534
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.