AN1266: Analytic 1266
Multiple sign-in failures against cloud-based applications using username/password combinations leaked from unrelated domains
Analyst context for executives and security teams
This analytic matters because repeated failed sign-ins to SaaS applications using credentials leaked elsewhere can be an early warning that attackers are testing reused passwords against business-critical cloud services. For leaders, the value is not just catching failed logins; it is validating whether identity telemetry, SaaS access controls, and response processes can distinguish normal user mistakes from large-scale credential abuse before an account is successfully accessed.
Executive priority
Prioritize this as an identity and cloud security readiness question: do we have reliable visibility into failed SaaS sign-ins, enough context to recognize leaked-credential testing, and a response path for protecting accounts before business systems are disrupted? This supports control prioritization around MFA, password reuse reduction, account lockout or throttling policy, identity monitoring, and audit evidence that cloud authentication risk is being monitored.
Technical view
The supplied ATT&CK object is a detection analytic for SaaS platforms. It describes multiple sign-in failures against cloud-based applications using username/password combinations leaked from unrelated domains. SOC and detection teams should validate whether SaaS and identity-provider logs capture failed authentication attempts with user, source, application, timestamp, and failure reason context. Because no tactic, relationship, or official detection logic is provided, teams should treat this as a detection objective rather than a ready rule: identify clusters of failed SaaS logins that suggest credential reuse testing while accounting for normal password mistakes, misconfigured clients, and legitimate user travel or network changes.
Likely telemetry
- SaaS application authentication logs
- Identity provider sign-in logs
- Failed login event counts by user, application, source, and time window
- Authentication failure reason codes where available
- Source IP, ASN, geolocation, or network context associated with failed sign-ins
Detection direction
- Confirm that failed SaaS sign-ins are centrally collected and retained with enough fields to group activity by account, application, and source.
- Tune analytics for repeated failed sign-ins against cloud applications, especially where the same account or many accounts show failures from unusual or repeated sources.
- Correlate failed sign-in bursts with later successful sign-ins, MFA prompts, account lockouts, or helpdesk password reset activity.
- Account for false positives such as users mistyping passwords, expired saved credentials, mobile mail clients, automated integrations, or application misconfiguration.
- Identify blind spots where SaaS applications authenticate outside the primary identity provider or do not forward detailed failure reasons to the SOC.
Mitigation priorities
- Ensure business-critical SaaS applications are integrated with centralized identity logging and monitoring.
- Prioritize MFA and conditional access controls for SaaS access where policy and platform support them.
- Review password reuse reduction measures, password reset workflows, and user notification processes for suspected leaked-credential testing.
- Validate account lockout, throttling, or risk-based access policies to reduce high-volume failed sign-in attempts without creating avoidable business disruption.
- Prepare incident response playbooks for suspected SaaS credential abuse, including account review, session review, password reset decisions, and evidence preservation.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic fields. The object is a SaaS-focused detection analytic with a short description and no supplied tactic mapping, relationships, aliases, labels, or official detection logic. The most defensible interpretation is an identity-monitoring use case for repeated failed SaaS sign-ins associated with credentials leaked from unrelated domains.
No official detection query, thresholds, data source mappings, tactics, mitigations, or relationship context were supplied. Local environment baselines, identity architecture, SaaS logging coverage, and response procedures are required to turn this analytic into an operational detection.
Analytic 1266
Multiple sign-in failures against cloud-based applications using username/password combinations leaked from unrelated domains
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 23860a72a28b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1266Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.