Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1269: Analytic 1269

Use of leaked credential pairs against Outlook Web Access (OWA), Microsoft 365, or Exchange from a single client IP with multiple failures

EnterpriseAN1269AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on repeated failed attempts to use leaked username/password pairs against business email access points such as Outlook Web Access, Microsoft 365, or Exchange from a single client IP. For leaders, the decision value is whether the organization can quickly see, investigate, and contain credential-based access attempts against email, which is often a critical business communications and identity-adjacent service.

Executive priority

Treat this as an email and identity access resilience question: can security teams prove they collect enough authentication evidence from Office Suite services to identify repeated failed login activity from one source, and can they turn that evidence into timely response? Priority should be given to confirming logging, alert routing, account lockout or conditional access policy evidence where applicable, and incident response procedures for suspected leaked credentials. Because the supplied object has no tactic mapping or relationship context, use it as a control validation item rather than as evidence of a specific campaign or actor behavior.

Technical view

SOC and detection teams should validate whether they can detect multiple failed authentication attempts against OWA, Microsoft 365, or Exchange where the attempts originate from a single client IP and appear to use credential pairs that may be leaked. The supplied ATT&CK object does not provide official detection logic, thresholds, tactics, or relationships, so local implementation must define what constitutes 'multiple failures,' which services are in scope, how client IP is normalized, and how to distinguish user error, password spray-like activity, application misconfiguration, and automated login attempts.

Likely telemetry

  • OWA authentication logs showing failed sign-in attempts
  • Microsoft 365 sign-in or audit logs for failed authentication events
  • Exchange authentication or access logs where available
  • Client source IP address associated with each failed attempt
  • Target account identifiers such as username or user principal name

Detection direction

  • Confirm that OWA, Microsoft 365, and Exchange authentication failures are centrally collected and searchable.
  • Define local thresholds for repeated failures from a single client IP, with tuning for normal business behavior, shared egress points, VPNs, proxies, and mobile networks.
  • Correlate failed attempts across target accounts and services to avoid missing activity split between OWA, Microsoft 365, and Exchange telemetry.
  • Validate parsing of client IP, account identifier, service name, timestamp, and result code; detection quality will depend on these fields being consistent.
  • Review false positives from mistyped passwords, expired credentials, legacy clients, service accounts, and misconfigured applications.

Mitigation priorities

  • Prioritize complete authentication logging and retention for Office Suite access paths named in the object.
  • Ensure alerts for repeated failed sign-ins from a single source are triaged with account context, IP reputation or ownership context where available, and recent user activity.
  • Review identity controls relevant to leaked credentials, such as MFA enforcement, conditional access, account lockout behavior, and password reset workflows, based on the organization's approved control set.
  • Prepare IR playbooks for suspected credential exposure, including account verification, session review where available, credential reset, and user notification procedures.
  • Use detection outcomes as compliance and audit evidence that email and cloud authentication monitoring is operating, but avoid claiming full coverage unless tested against local logs.
Analyst notes and limits

The object is a MITRE ATT&CK detection analytic, AN1269, for Office Suite platforms. Its description is specific to use of leaked credential pairs against OWA, Microsoft 365, or Exchange from one client IP with multiple failures. No official detection text, tactics, relationships, aliases, or labels were supplied, so the take emphasizes defensive validation and control assurance rather than actor, campaign, or technique conclusions.

This summary is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection. Local log availability, authentication architecture, identity controls, and threshold tuning are required to determine practical coverage.

Official MITRE ATT&CK definition

Analytic 1269

Use of leaked credential pairs against Outlook Web Access (OWA), Microsoft 365, or Exchange from a single client IP with multiple failures

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
e0de6b4e0243d637...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle e0de6b4e0243…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1269
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use