MITRE ATT&CK® Analytic

AN0642: Analytic 0642

Suspicious querying of organization-wide directory data via Google Workspace Directory API or Outlook GAL sync in high volume from abnormal users, service accounts, or unknown device contexts.

Domain: Enterprise. Object: AN0642 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because organization-wide directory data can reveal employees, groups, roles, and communication paths that support later targeting. For executives and security leaders, the practical question is whether the organization can notice unusual large-scale address book or directory access in Office Suite environments, especially when it comes from abnormal users, service accounts, or unfamiliar device contexts.

Executive priority

Prioritize this as an identity and cloud/SaaS visibility control check rather than as a standalone incident conclusion. Leaders should ask whether Google Workspace Directory API activity and Outlook Global Address List synchronization are logged, retained, and reviewable at sufficient detail to support SOC triage, incident response scoping, and audit evidence. The business value is confirming that directory exposure can be detected early enough to support containment decisions and account/service-account governance.

Technical view

Validate monitoring for high-volume organization-wide directory queries in Office Suite environments, specifically activity consistent with Google Workspace Directory API use or Outlook GAL synchronization. Because no official detection logic is provided, SOC teams should define local baselines for normal directory lookup and sync behavior by user, service account, device context, and volume. Investigations should focus on abnormal users, service accounts, and unknown device contexts, while distinguishing expected enterprise sync tools, administrative automation, and approved service integrations from suspicious activity.

Likely telemetry

  • Google Workspace Directory API audit or admin activity logs where available
  • Outlook or Microsoft 365 Global Address List synchronization and client access logs where available
  • Identity provider sign-in logs for user, service account, device, IP, and session context
  • SaaS audit logs showing API access, application context, and request volume
  • Device or endpoint inventory context to determine whether the querying device is known

Detection direction

  • Baseline normal directory query and GAL sync volumes by account type, user role, service account, and device context.
  • Alert on high-volume organization-wide directory access from users or service accounts that do not normally perform this activity.
  • Treat unknown or unmanaged device context as a risk amplifier, but validate against legitimate new-device enrollment, approved automation, and administrative workflows.
  • Use identity and SaaS audit context together; directory-query volume without account and device context may create weak or noisy alerts.
  • Document expected service accounts and integrations so detection tuning does not suppress unowned or poorly governed accounts.
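The detection direction above, worked through as an added example (not part of the MITRE object or Glexia's page): constructed per-account directory-query volumes and a managed-device list stand in for real Google Workspace Directory API or Outlook GAL sync audit data, and the account names, device ids and the 500-query threshold are hypothetical. The function aggregates the review window per actor and device, compares each account to its own baseline, and only then treats an unknown device as a severity amplifier.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: per-account daily directory-query counts from a prior window.
# Hypothetical accounts; in practice this comes from your SaaS audit logs.
BASELINE = {
    "sync-svc@example.com": [1180, 1205, 1192, 1210, 1199],  # approved enterprise sync account
    "alice@example.com": [3, 5, 2, 4, 6],                     # ordinary user lookups
}
KNOWN_DEVICES = {"dev-sync-01", "laptop-alice"}  # constructed managed-device inventory

# Constructed events for the window under review: (actor, device_id, query_count)
EVENTS = [
    ("sync-svc@example.com", "dev-sync-01", 1201),      # normal for this service account
    ("alice@example.com", "laptop-alice", 4),            # normal for this user
    ("alice@example.com", "unknown-7f3a", 850),          # same user, new device, abnormal volume
    ("intern-bot@example.com", "unknown-0c2d", 640),     # account with no baseline at all
]

ABS_THRESHOLD = 500  # hypothetical org-wide listing volume no ordinary user should reach

def evaluate(events=EVENTS, baseline=BASELINE, known=KNOWN_DEVICES, k=3.0):
    """Aggregate per actor/device, compare to the account's own baseline, return findings."""
    volume = defaultdict(int)
    for actor, device, n in events:
        volume[(actor, device)] += n
    findings = []
    for (actor, device), n in volume.items():
        reasons = []
        hist = baseline.get(actor)
        if hist is None:
            # Account never seen doing this: flag only if the volume is org-wide scale
            if n >= ABS_THRESHOLD:
                reasons.append("no baseline for account")
        else:
            # Require both a statistical deviation and an absolute high volume to limit noise
            limit = mean(hist) + k * pstdev(hist)
            if n > limit and n >= ABS_THRESHOLD:
                reasons.append(f"volume {n} exceeds baseline limit {limit:.0f}")
        # Unknown device context amplifies an existing finding; it does not create one
        if reasons and device not in known:
            reasons.append("unknown device context")
        if reasons:
            findings.append({"actor": actor, "device": device, "queries": n,
                             "severity": "high" if len(reasons) > 1 else "medium",
                             "reasons": reasons})
    return findings
```

With the constructed data, the approved sync account and the user's normal lookups produce nothing, while the two unknown-device cases are reported as high severity.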

Mitigation priorities

  • Ensure Office Suite directory and API audit logging is enabled, retained, and accessible to SOC and incident response teams.
  • Maintain ownership, purpose, and least-privilege review for service accounts that can query directory data.
  • Require strong identity controls and device-context visibility for accounts with broad directory access.
  • Define approved administrative and synchronization workflows so abnormal high-volume access can be separated from normal operations.
  • Include directory-data access review in cloud/SaaS security assessments and compliance evidence collection.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied object identifies suspicious high-volume querying of organization-wide directory data via Google Workspace Directory API or Outlook GAL sync, with emphasis on abnormal users, service accounts, and unknown device contexts. No ATT&CK tactics, relationships, aliases, or official detection logic were supplied, so local baselining and environment-specific log validation are essential.

The source does not provide a detection query, thresholds, related techniques, adversary relationships, or confirmed tactics. This take should not be read as evidence of active exploitation, attribution, or existing detection coverage. Applicability is limited to the supplied platform context: Office Suite.

Official MITRE ATT&CK definition

Analytic 0642

Suspicious querying of organization-wide directory data via Google Workspace Directory API or Outlook GAL sync in high volume from abnormal users, service accounts, or unknown device contexts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e8f40ad0e870f400...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e8f40ad0e870…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0642

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.