MITRE ATT&CK® Analytic

AN1301: Analytic 1301

Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.

Enterprise · AN1301 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because shared SaaS folders can become a distribution point for risky files inside the business. The practical value is not just spotting an upload, but correlating an unusual or malicious file type with later user downloads or interactions, which can help leaders understand whether a cloud collaboration issue is isolated or spreading through normal business workflows.

Executive priority

Prioritize this as a cloud security and incident response readiness question: can the organization prove who uploaded risky files to shared SaaS locations, who accessed them, and how quickly responders can contain exposure? It supports business continuity by reducing uncertainty during SaaS file-sharing incidents and supports audit/compliance evidence where file access monitoring and investigation records are required.

Technical view

For SOC and detection teams, validate whether SaaS telemetry can correlate file upload events in cloud-shared folders with subsequent user downloads, opens, previews, or other interactions. Because no ATT&CK tactic or detailed detection logic is supplied, implementation should be scoped conservatively to the stated behavior: unusual or malicious file types uploaded into shared SaaS folders followed by user interaction. Tuning should distinguish normal business file-sharing patterns from rare extensions, policy-disallowed types, or files later accessed by multiple users.

Likely telemetry

  • SaaS file upload events
  • Cloud-shared folder metadata and permissions
  • File type or extension metadata
  • Malware or content scanning verdicts where available
  • User download, open, preview, or interaction events

Detection direction

  • Confirm that SaaS audit logs capture both upload and downstream user interaction events with user, file, folder, and timestamp fields.
  • Validate correlation logic between a suspicious or unusual file upload and later downloads or interactions by other users.
  • Tune for environment-specific file types to reduce false positives from legitimate business workflows.
  • Review blind spots where SaaS audit logging, file metadata, or content inspection is unavailable or inconsistently retained.
  • Because no official detection logic is provided, document local assumptions, thresholds, and tested SaaS coverage.
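The correlation described in the technical view and the detection-direction items above, worked through as an added example. This is not Glexia's or MITRE's code and not official detection logic: the normalized event schema, the field names, the high-risk extension list, the rarity threshold and the 24-hour window are all assumptions, and the audit events and baseline counts are constructed for the illustration. It flags an upload of a policy-disallowed or rare file type into a shared folder only when at least one other user downloads, previews or opens the file within the window, ignoring the uploader's own access and any interaction outside the window.

```python
"""Correlate unusual or high-risk file uploads to shared SaaS folders with later
interactions by other users (added example; hypothetical event schema)."""
from collections import Counter
from datetime import datetime, timedelta

# Tuning knobs (assumed values; set per environment and business-approved file types).
HIGH_RISK_EXT = {"iso", "img", "vbs", "js", "hta", "lnk", "scr", "exe", "msi"}
RARE_THRESHOLD = 5                       # baseline count below this marks an extension "unusual"
INTERACTION_ACTIONS = {"download", "preview", "open"}

# Constructed historical baseline: past upload counts per extension in this tenant.
BASELINE = Counter({"xlsx": 400, "docx": 900, "pdf": 1200, "csv": 50})

# Constructed SaaS audit events in a hypothetical normalized schema (not any vendor's format).
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice",   "action": "upload",   "folder": "/Shared/Finance", "file": "Q1-budget.xlsx"},
    {"ts": "2026-03-02T09:05:00", "user": "bob",     "action": "download", "folder": "/Shared/Finance", "file": "Q1-budget.xlsx"},
    {"ts": "2026-03-02T10:00:00", "user": "mallory", "action": "upload",   "folder": "/Shared/Finance", "file": "Invoice_2026.iso"},
    {"ts": "2026-03-02T10:01:00", "user": "mallory", "action": "download", "folder": "/Shared/Finance", "file": "Invoice_2026.iso"},  # uploader's own access
    {"ts": "2026-03-02T10:20:00", "user": "bob",     "action": "preview",  "folder": "/Shared/Finance", "file": "Invoice_2026.iso"},
    {"ts": "2026-03-02T11:45:00", "user": "carol",   "action": "download", "folder": "/Shared/Finance", "file": "Invoice_2026.iso"},
    {"ts": "2026-03-03T10:30:00", "user": "dave",    "action": "download", "folder": "/Shared/Finance", "file": "Invoice_2026.iso"},  # outside 24h window
    {"ts": "2026-03-02T12:00:00", "user": "erin",    "action": "upload",   "folder": "/Shared/Eng",     "file": "build.vbs"},         # never accessed by others
    {"ts": "2026-03-02T13:00:00", "user": "alice",   "action": "upload",   "folder": "/Shared/Data",    "file": "data.parquet"},      # rare, not high-risk
    {"ts": "2026-03-02T13:30:00", "user": "bob",     "action": "download", "folder": "/Shared/Data",    "file": "data.parquet"},
]


def extension(name):
    """Lower-cased final extension, or "" when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(ext, baseline):
    """Return why an extension is unusual, or None if it is business-normal."""
    if ext in HIGH_RISK_EXT:
        return "policy-disallowed extension"
    if baseline.get(ext, 0) < RARE_THRESHOLD:
        return "rare extension in baseline"
    return None


def _parse(ev):
    return dict(ev, ts=datetime.fromisoformat(ev["ts"]))


def correlate_risky_uploads(events, baseline=BASELINE, window=timedelta(hours=24)):
    """Return one alert per unusual upload that other users interacted with inside the window."""
    evs = sorted((_parse(e) for e in events), key=lambda e: e["ts"])
    alerts = []
    for up in evs:
        if up["action"] != "upload":
            continue
        reason = classify(extension(up["file"]), baseline)
        if reason is None:
            continue                                  # business-normal type: no alert
        key = (up["folder"], up["file"])
        interactions = [
            {"user": e["user"], "action": e["action"], "ts": e["ts"].isoformat()}
            for e in evs
            if (e["folder"], e["file"]) == key
            and e["action"] in INTERACTION_ACTIONS
            and e["user"] != up["user"]               # the uploader's own access is not propagation
            and up["ts"] < e["ts"] <= up["ts"] + window
        ]
        if not interactions:
            continue                                  # upload alone is not the stated behaviour
        alerts.append({
            "file": up["file"],
            "folder": up["folder"],
            "uploader": up["user"],
            "uploaded_at": up["ts"].isoformat(),
            "reason": reason,
            "interactions": interactions,
            "distinct_users": len({i["user"] for i in interactions}),
        })
    return alerts


if __name__ == "__main__":
    import json
    print(json.dumps(correlate_risky_uploads(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events this yields two alerts: the `.iso` upload (policy-disallowed, two other users interacting within the window) and the `.parquet` upload (rare relative to the baseline, one other user). The `.vbs` upload produces nothing because nobody else touched it, which is the tuning choice the page's description implies; a team that also wants upload-only alerts for disallowed types would handle that as a separate, lower-severity rule. The per-alert `distinct_users` count is what lets responders see whether an incident is isolated or spreading.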

Mitigation priorities

  • Ensure SaaS audit logging is enabled and retained for shared folder file activity.
  • Define policy for restricted or high-risk file types in cloud-shared folders.
  • Use available SaaS security controls for file scanning, sharing restrictions, and access review where supported.
  • Prepare incident response procedures to identify uploader, affected shared locations, and users who downloaded or interacted with the file.
  • Coordinate cloud security, IAM, SOC, and legal/compliance stakeholders for evidence preservation when suspicious shared-file activity is confirmed.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for SaaS environments. Its core decision value is validating whether defenders can reconstruct risky file propagation through cloud collaboration platforms. No relationship context, aliases, labels, or ATT&CK tactics were supplied, so this take avoids mapping it to a specific technique, campaign, or adversary behavior beyond the official description.

Official detection logic was not provided, and no relationships were supplied. Local SaaS platform capabilities, audit log availability, file inspection features, retention periods, and business-approved file types will determine whether this analytic can be implemented reliably.

Official MITRE ATT&CK definition

Analytic 1301

Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 90fce980bb91e9d5...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 90fce980bb91…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1301
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.