AN0810: Analytic 0810

Detects login to admin consoles (e.g., Microsoft 365 Admin Center) from unrecognized users, devices, or geolocations followed by non-API data review or configuration read actions that suggest GUI dashboard use.

EnterpriseAN0810AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic matters because administrative console access in an office suite can expose high-value tenant settings, user data, and security configuration. The behavior described is not just a login event: it is an admin-console session from an unfamiliar user, device, or location followed by read/review activity that looks like interactive GUI dashboard use. For leaders, this is a signal to verify whether identity, admin access, and office-suite audit logging are strong enough to distinguish legitimate administration from suspicious reconnaissance.

Executive priority

Prioritize this as an identity and cloud/SaaS administration visibility issue. If an organization cannot reliably answer who accessed an admin console, from what device and location, and what configuration or data was reviewed afterward, incident responders may struggle to scope tenant exposure and auditors may lack evidence for privileged-access oversight. The key business question is whether privileged console activity is monitored with enough context to support rapid investigation and defensible access governance decisions.

Technical view

For SOC and detection teams, validate coverage for Office Suite admin-console logins, especially Microsoft 365 Admin Center-like activity, where the login originates from unrecognized users, devices, or geolocations and is followed by non-API data review or configuration read actions. Because no official detection logic is supplied, teams should treat this as a detection objective: correlate identity sign-in telemetry with admin-console audit events and distinguish GUI/dashboard browsing from API-driven activity where the available logs allow it. Tuning should account for legitimate admin travel, new devices, emergency administration, managed service provider access, and newly onboarded administrators.

Likely telemetry

Office Suite administrative console sign-in logs
Identity provider authentication events
User, device, and geolocation context for administrative logins
Administrative audit logs showing configuration read or data review actions
Session context indicating GUI/admin-center activity versus API activity where available

Detection direction

Confirm that admin-console logins are collected for the relevant Office Suite environment and retained long enough for investigation.
Build correlation between unfamiliar login context and subsequent configuration read or data review actions, rather than alerting on login alone.
Baseline expected administrator users, devices, locations, and access patterns to reduce false positives.
Review exceptions for travel, new hardware, break-glass accounts, and third-party administration so suspicious novelty is not hidden by broad allow lists.
Validate whether logs can separate GUI/dashboard use from API activity; if not, document the blind spot and adjust investigation playbooks accordingly.

Mitigation priorities

Enforce strong privileged access governance for Office Suite admin roles, including least privilege and regular review of who can access admin consoles.
Require strong authentication and device/session controls for administrative access where supported by the environment.
Define known-good administrator baselines for users, devices, locations, and service-provider access.
Ensure audit logging is enabled for administrative sign-ins and configuration/data review actions, with retention aligned to incident response and compliance needs.
Create an investigation workflow for unfamiliar admin-console access that includes identity validation, device review, session activity review, and configuration-change assessment.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Office Suite platforms and specifically describes admin-console login followed by GUI-like review/read activity. No official detection logic, tactics, labels, aliases, or relationship context were provided, so this take frames practical validation and control priorities without asserting a specific ATT&CK technique linkage or guaranteed detection method.

This assessment is limited to the supplied STIX fields and external reference for AN0810. Local log schemas, tenant licensing, identity architecture, retention settings, and admin operating models will determine whether the described behavior can be detected reliably.

Official MITRE ATT&CK definition

Analytic 0810

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 13b342b36e3c7eb6...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`13b342b36e3c…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0810
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use