MITRE ATT&CK® Analytic

AN0902: Analytic 0902

Adversaries leverage M365 or Google Workspace APIs to create users, service accounts, or guest accounts. Follow-on behaviors include login activity, role escalation, or service principal token generation.

Domain: Enterprise. Object: AN0902 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because unauthorized or unexpected account creation in Microsoft 365 or Google Workspace can become the starting point for persistent access, privilege growth, and follow-on cloud activity. For leaders, the key issue is whether the organization can prove who or what created new users, service accounts, or guest accounts, and whether subsequent logins, role changes, or token activity are reviewed quickly enough to support incident decisions.

Executive priority

Treat this as an identity and SaaS control validation priority. Account creation through office-suite APIs can affect business continuity, audit readiness, and incident response because new accounts may look legitimate unless ownership, approval, and monitoring are clear. Executives should ask whether account lifecycle controls cover API-driven creation, guest access, service accounts, role escalation, and service principal token generation in M365 and Google Workspace environments.

Technical view

SOC, detection engineering, IAM, and IR teams should validate visibility into API-based creation of users, service accounts, and guest accounts in the two Office Suite platforms the official description names, M365 and Google Workspace. Because the mirrored object carries no detection logic and no tactic mapping, teams should build local detections around account creation events and correlate them with follow-on login activity, role escalation, and service principal token generation. Baselines should distinguish approved provisioning workflows (HR, IAM, and helpdesk provisioning) from direct administrative or automated API activity, so that approved paths are recognized and labeled rather than silently excluded from the data.

Likely telemetry

  • M365 audit logs for user, guest, application, service principal, and role-related activity
  • Google Workspace administrative and audit logs for user and service account creation
  • API activity logs showing actor, source, target account, timestamp, and operation type
  • Identity provider logs for subsequent authentication by newly created accounts
  • Role assignment or privilege escalation events following account creation

Detection direction

  • Confirm that API-driven account creation is logged, retained, and searchable for both human and service identities.
  • Correlate new user, guest, or service account creation with first login, unusual login timing, role changes, and service principal token generation.
  • Tune detections against approved HR, IAM, helpdesk, and automated provisioning workflows to reduce false positives while preserving visibility into direct API or administrative creation paths.
  • Review blind spots where guest accounts, service accounts, or service principals are monitored separately from standard user accounts.
  • Because the mirrored object supplies no official detection logic, validate detections against local audit logs and documented provisioning processes rather than assuming ATT&CK provides a complete rule.
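The telemetry and correlation steps listed above can be exercised over a handful of constructed records. What follows is an added example written for this page, not code from MITRE ATT&CK or Glexia. It assumes a simplified, normalized view of M365 Unified Audit Log records (CreationTime, Operation, UserId, ObjectId) and Google Workspace audit records (time, eventName, actor, target), an allowlist of approved provisioning identities (scim-connector@corp.example, hr-sync@corp.example), and a 24-hour follow-on window; the operation names, field names, sample records and thresholds are all assumptions to be checked against local exports and documented provisioning processes.

```python
"""
Correlate API-driven account creation in M365 / Google Workspace with the
follow-on activity this analytic names: login, role escalation, and service
principal credential (token) generation.

Added example for this page; it is not code from MITRE ATT&CK or Glexia.
The records below are constructed, and the field and operation names are a
simplified approximation of M365 Unified Audit Log and Google Workspace
admin/login audit exports (assumption: verify against your own exports).
"""
from datetime import datetime, timedelta

# Assumption: identities whose account creations are an approved path
# (HR sync, IAM/SCIM connector). Anything else is a direct admin/API path.
APPROVED_PROVISIONERS = {"scim-connector@corp.example", "hr-sync@corp.example"}
FOLLOW_ON_WINDOW = timedelta(hours=24)

# Operation names, M365 style first and Google Workspace style second (assumed).
CREATE_OPS = {"Add user.", "Invite external user.", "Add service principal.", "CREATE_USER"}
LOGIN_OPS = {"UserLoggedIn", "login_success"}
ESCALATE_OPS = {"Add member to role.", "ASSIGN_ROLE"}
TOKEN_OPS = {"Add service principal credentials."}

# Constructed sample records (not real telemetry). "src" tags the platform.
SAMPLE_EVENTS = [
    {"src": "m365", "CreationTime": "2025-03-01T08:00:00", "Operation": "Add user.",
     "UserId": "scim-connector@corp.example", "ObjectId": "jdoe@corp.example"},
    {"src": "m365", "CreationTime": "2025-03-01T08:05:00", "Operation": "UserLoggedIn",
     "UserId": "jdoe@corp.example", "ObjectId": "office-web-app"},
    {"src": "m365", "CreationTime": "2025-03-01T22:10:00", "Operation": "Add user.",
     "UserId": "admin@corp.example", "ObjectId": "svc-backup@corp.example"},
    {"src": "m365", "CreationTime": "2025-03-01T22:12:00", "Operation": "Add member to role.",
     "UserId": "admin@corp.example", "ObjectId": "svc-backup@corp.example"},
    {"src": "m365", "CreationTime": "2025-03-01T22:15:00", "Operation": "UserLoggedIn",
     "UserId": "svc-backup@corp.example", "ObjectId": "office-web-app"},
    {"src": "m365", "CreationTime": "2025-03-01T22:20:00", "Operation": "Add service principal.",
     "UserId": "admin@corp.example", "ObjectId": "backup-automation-sp"},
    {"src": "m365", "CreationTime": "2025-03-01T22:21:00",
     "Operation": "Add service principal credentials.",
     "UserId": "admin@corp.example", "ObjectId": "backup-automation-sp"},
    {"src": "gws", "time": "2025-03-02T03:00:00", "eventName": "CREATE_USER",
     "actor": "contractor-admin@corp.example", "target": "guest-vendor@corp.example"},
    {"src": "gws", "time": "2025-03-03T09:00:00", "eventName": "login_success",
     "actor": "guest-vendor@corp.example", "target": "guest-vendor@corp.example"},
]


def normalize(rec):
    """Map a platform-specific record to (time, operation, actor, target)."""
    if rec["src"] == "m365":
        return (datetime.fromisoformat(rec["CreationTime"]), rec["Operation"],
                rec["UserId"].lower(), rec["ObjectId"].lower())
    return (datetime.fromisoformat(rec["time"]), rec["eventName"],
            rec["actor"].lower(), rec["target"].lower())


def _severity(approved_path, follow_on):
    """Creation outside approved paths escalates; follow-on activity escalates further."""
    privileged = follow_on["role_escalation"] or follow_on["sp_credential"]
    if not approved_path:
        return "high" if any(follow_on.values()) else "medium"
    return "medium" if privileged else "low"


def correlate(records, approved=APPROVED_PROVISIONERS, window=FOLLOW_ON_WINDOW):
    """Return one finding per account creation, ordered by creation time.

    Approved provisioning paths are kept (at low severity) rather than filtered
    out, so API-driven creation stays searchable even when it is expected.
    """
    events = sorted((normalize(r) for r in records), key=lambda e: e[0])
    findings = []
    for created_at, op, actor, new_account in events:
        if op not in CREATE_OPS:
            continue
        follow_on = {"login": False, "role_escalation": False, "sp_credential": False}
        for t, op2, actor2, target2 in events:
            if not created_at < t <= created_at + window:
                continue
            if op2 in LOGIN_OPS and actor2 == new_account:
                follow_on["login"] = True            # the new identity authenticated
            elif op2 in ESCALATE_OPS and target2 == new_account:
                follow_on["role_escalation"] = True  # a role was assigned to it
            elif op2 in TOKEN_OPS and target2 == new_account:
                follow_on["sp_credential"] = True    # a credential/secret was added to it
        approved_path = actor in approved
        findings.append({
            "account": new_account, "created_by": actor, "operation": op,
            "created_at": created_at.isoformat(), "approved_path": approved_path,
            "follow_on": follow_on, "severity": _severity(approved_path, follow_on),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["account"], "by", f["created_by"], f["follow_on"])
```

On the constructed data the SCIM-created user with an ordinary first login stays at low severity, the admin-created service account that receives a role and logs in within minutes is high, the new service principal that immediately gets a credential is high, and the guest created by a non-approved actor with no follow-on inside the window is medium. The allowlist, the window, and the operation sets are the tuning points the Detection direction list calls for; the approved-path creations are deliberately retained rather than dropped so the creation path itself remains reviewable.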

Mitigation priorities

  • Define and enforce approved account creation paths for users, guest accounts, service accounts, and service principals.
  • Restrict who can create accounts or assign roles in M365 and Google Workspace, including API-capable administrators and automation accounts.
  • Require review and ownership for service accounts, guest accounts, and privileged role assignments.
  • Monitor newly created identities for login activity, privilege changes, and token generation shortly after creation.
  • Maintain audit log retention and incident response procedures sufficient to reconstruct account creation and follow-on identity activity.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK text focuses on M365 and Google Workspace API-based creation of users, service accounts, or guest accounts, with follow-on behaviors including login activity, role escalation, or service principal token generation. No relationships, tactics, or official detection text were supplied, so the practical value is in validating identity telemetry and account lifecycle governance around Office Suite platforms.

The source object provides a short description only. It does not include ATT&CK tactic mappings, related techniques, detection pseudocode, data components, mitigations, procedures, or relationship context. Local environment evidence is required to determine normal provisioning behavior, available telemetry, alert thresholds, and response playbooks.

Official MITRE ATT&CK definition

Analytic 0902

Adversaries leverage M365 or Google Workspace APIs to create users, service accounts, or guest accounts. Follow-on behaviors include login activity, role escalation, or service principal token generation.

The same entry is published on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related techniques, groups, software, data sources, and mitigations against the official ATT&CK relationships (none are present in this mirrored snapshot) and against your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5686ac4e3942837f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 5686ac4e3942…

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.