MITRE ATT&CK® Analytic

AN0959: Analytic 0959

Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.

Domain: Enterprise | ID: AN0959 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a cloud office risk pattern: an access token obtained elsewhere (for example, copied from another client or session) is presented to SharePoint or Outlook APIs without the interactive sign-in, credential prompt, or MFA challenge that normally precedes delegated access. For leaders, the practical concern is whether identity and cloud monitoring can distinguish normal delegated access from token-based access that bypasses the usual signs of a user logging in.

Executive priority

Prioritize validation of identity, Office Suite, SharePoint, and Outlook API visibility. This matters for incident decision-making and audit readiness because investigations may depend on proving which user, app, token, and API activity occurred when there was no interactive user context. The supplied ATT&CK object does not specify tactics, mitigations, or detection logic, so control decisions should be based on local identity architecture and logging maturity.

Technical view

SOC and IR teams should confirm whether logs can show access token use against SharePoint and Outlook APIs, including the associated user, application/client, source, timestamp, API endpoint, and whether an interactive sign-in occurred. Because MITRE provides no official detection text and no relationship context for this analytic, teams should treat AN0959 as a validation prompt rather than a ready-to-deploy rule.

Likely telemetry

  • Office Suite audit logs for SharePoint and Outlook activity (file, list, mailbox, and message access records)
  • Identity provider sign-in and token-related logs; Microsoft Entra ID, for example, records non-interactive user sign-ins and service principal sign-ins as categories separate from interactive user sign-ins, so all categories must be collected
  • API access records showing client/application context (application or client ID, user agent, and target endpoint)
  • Non-interactive sign-in or service access events, where available
  • User, application, source address, timestamp, session or correlation identifier, and resource access metadata

Detection direction

  • Validate that SharePoint and Outlook API access can be joined to identity sign-in context on a stable key: user plus session or correlation identifier where the platform exposes one, otherwise user plus source address within a time window.
  • Look for API access where an access token is used without a corresponding interactive user session for that user within a reasonable lookback window, or where the token-bearing request arrives from a different source address or client than the session that obtained it, while accounting for legitimate non-interactive application workflows.
  • Tune carefully to avoid false positives from approved automation, mobile clients, integrations, and service principals where applicable to the local environment; an explicit allowlist of approved clients is easier to audit than ad hoc suppressions.
  • Confirm retention and correlation are sufficient for incident response, since token activity may need to be reconstructed after the fact and the interactive sign-in that minted the token may be days older than the API call under review.
  • Document blind spots where Office Suite, identity, or API telemetry is unavailable or not centrally collected.
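The correlation described above, as an added example that is not part of the MITRE object or of the Glexia page. It joins API access records against SharePoint and Outlook endpoints to interactive sign-in records for the same user, flags calls with no interactive context, and suppresses clients on an approved-automation allowlist. Field names, the allowlist, and every log record are constructed assumptions modelled on common identity and audit schemas; they need mapping to the local tenant before use.

```python
# Added example, not part of the MITRE ATT&CK object or of the Glexia page.
# Field names, the approved-client list and every log record below are
# constructed assumptions; map them to the local tenant's identity and
# Office Suite audit schemas before use.
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed identity-provider sign-in records. "interactive" marks a
# user-driven login (credential/MFA prompt); False marks a token-based
# non-interactive sign-in, which is how a replayed token surfaces in IdP logs.
SIGNIN_EVENTS = [
    {"user": "alice", "time": "2024-05-01T08:00:00Z", "interactive": True,
     "ip": "203.0.113.10", "client": "Outlook Web"},
    {"user": "bob", "time": "2024-05-01T09:00:00Z", "interactive": True,
     "ip": "198.51.100.7", "client": "SharePoint Online Client"},
    {"user": "alice", "time": "2024-05-01T12:00:00Z", "interactive": False,
     "ip": "192.0.2.55", "client": "PowerShell"},
]

# Constructed API access records against SharePoint and Outlook endpoints.
API_EVENTS = [
    {"user": "alice", "time": "2024-05-01T08:05:00Z", "ip": "203.0.113.10",
     "client": "Outlook Web", "resource": "sharepoint",
     "endpoint": "/sites/finance/_api/web/lists"},
    {"user": "bob", "time": "2024-05-01T10:30:00Z", "ip": "198.51.100.7",
     "client": "SharePoint Online Client", "resource": "outlook",
     "endpoint": "/v1.0/me/messages"},
    {"user": "alice", "time": "2024-05-01T12:03:00Z", "ip": "192.0.2.55",
     "client": "PowerShell", "resource": "outlook",
     "endpoint": "/v1.0/me/messages"},
    {"user": "svc-backup", "time": "2024-05-01T12:10:00Z", "ip": "203.0.113.200",
     "client": "backup-connector-sp", "resource": "sharepoint",
     "endpoint": "/sites/hr/_api/web/GetFolderByServerRelativeUrl('Shared Documents')/Files"},
    {"user": "carol", "time": "2024-05-01T13:00:00Z", "ip": "192.0.2.56",
     "client": "Unknown", "resource": "sharepoint",
     "endpoint": "/v1.0/me/drive/root/children"},
]

# Assumed inventory of clients approved for token-only access (the
# "inventory legitimate non-interactive access patterns" step on this page).
APPROVED_NONINTERACTIVE_CLIENTS = {"backup-connector-sp"}


def find_token_reuse(signins=SIGNIN_EVENTS, api_events=API_EVENTS,
                     approved=APPROVED_NONINTERACTIVE_CLIENTS,
                     window=timedelta(hours=24)):
    """Flag SharePoint/Outlook API calls that lack interactive sign-in context.

    A call is considered explained when the same user has an interactive
    sign-in from the same source IP within `window` before the call.
    Source IP is a crude stand-in for a session or device identifier;
    use a correlation/session ID where the platform exposes one.
    """
    interactive_by_user = {}
    for event in signins:
        if event["interactive"]:
            interactive_by_user.setdefault(event["user"], []).append(event)

    findings = []
    for call in api_events:
        if call["client"] in approved:
            continue  # approved automation: suppressed, but keep it inventoried
        call_time = parse_ts(call["time"])
        candidates = interactive_by_user.get(call["user"], [])
        recent = [s for s in candidates
                  if timedelta(0) <= call_time - parse_ts(s["time"]) <= window]
        if not candidates:
            reason = "no interactive sign-in on record for this user"
        elif not recent:
            reason = "no interactive sign-in within the lookback window"
        elif not any(s["ip"] == call["ip"] for s in recent):
            reason = "interactive sign-in exists but from a different source IP"
        else:
            continue  # explained by an interactive session from the same source
        findings.append({"user": call["user"], "time": call["time"],
                         "client": call["client"], "resource": call["resource"],
                         "endpoint": call["endpoint"], "ip": call["ip"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_token_reuse():
        print(f"{hit['time']} {hit['user']} {hit['resource']} {hit['endpoint']} "
              f"via {hit['client']} from {hit['ip']}: {hit['reason']}")
```

On the constructed data this flags two calls: alice's PowerShell call to the Outlook messages endpoint, which followed only a non-interactive sign-in from a different address than her morning session, and carol's SharePoint call with no sign-in record at all. The bob call is explained by an interactive sign-in from the same address, and the backup service principal is suppressed by the allowlist; removing it from the allowlist makes it a third finding, which is the behaviour you want while building the inventory. The three reason strings map to the three failure modes worth triaging differently: a missing sign-in record usually means a telemetry gap or a token minted outside the monitored identity provider, an expired window points at stale sessions, and a source mismatch is the classic replayed-token shape.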

Mitigation priorities

  • Inventory legitimate non-interactive access patterns to SharePoint and Outlook APIs before alerting broadly.
  • Strengthen identity and cloud logging coverage for Office Suite API access and sign-in context.
  • Review access token governance, application permissions, and conditional access assumptions using local platform capabilities.
  • Ensure incident response playbooks include token/session review and containment decisions for Office Suite accounts and applications.
  • Use findings as compliance evidence for identity monitoring, cloud audit logging, and investigation readiness.

Analyst notes and limits

AN0959 is a detection analytic object for Office Suite environments. The only supplied behavior is access token reuse to connect to SharePoint or Outlook APIs without interactive user context. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied.

This take is constrained by sparse official fields. It does not assert active exploitation, actor attribution, impact, or guaranteed detection coverage. Local tenant configuration, logging availability, token policies, and approved automation patterns are required to determine material risk and deployable detections.

Official MITRE ATT&CK definition

Analytic 0959

Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links on this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: 43757fa9c9f33a01...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 43757fa9c9f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0959 (external source URL preserved in the mirrored record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.