AN1329: Analytic 1329
OAuth token granted to external app followed by download of high-volume files in OneDrive/Google Drive
Analyst context for executives and security teams
This analytic matters because it points to a common SaaS risk pattern: an external application receives OAuth access for a user, and that same user identity then shows unusually high file downloads from cloud storage such as OneDrive or Google Drive. For leaders, the issue is not just file activity; it is whether the organization can see and govern third-party app consent before cloud data leaves approved control boundaries.
Executive priority
Prioritize this as an identity and SaaS data-risk validation item. Security leaders should ask whether external app consent is reviewed, whether high-volume cloud file downloads are monitored, and whether incident responders can quickly determine which user, app, token, and files were involved. This supports business continuity, compliance evidence, and data exposure decision-making, especially where cloud drives hold regulated or sensitive business information.
Technical view
SOC and detection teams should validate correlation between OAuth token grants to external applications and subsequent high-volume file downloads in OneDrive or Google Drive. Because ATT&CK provides no official detection logic for this analytic, teams need to define local thresholds, app trust criteria, user baselines, and time windows. IR teams should be prepared to review OAuth grant details, app publisher or client identity, affected user accounts, token scope, download volume, and file sensitivity.
Likely telemetry
- SaaS audit logs for OAuth app consent or token grant events
- Identity provider logs showing user, application, client ID, scopes, and consent time
- OneDrive and Google Drive file access and download audit events
- Cloud storage activity summaries showing download volume, file counts, and affected repositories
- User and application inventory data to distinguish approved from external or unfamiliar apps
Detection direction
- Correlate external OAuth token grants with high-volume downloads from OneDrive or Google Drive within a defined time window.
- Tune thresholds by user role, normal synchronization behavior, business workflows, and approved backup or migration tools to reduce false positives.
- Maintain an allowlist or risk classification for sanctioned OAuth applications, but review it regularly because trusted integrations can still create exposure if over-permissioned.
- Look for gaps where SaaS audit logging, OAuth consent events, or cloud file activity are not retained long enough for investigation.
- Prioritize alerts where broad OAuth scopes, unfamiliar external apps, sensitive file locations, or unusual user behavior coincide.
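The correlation the list above describes, as an added worked example that is not part of the original ATT&CK object or the Glexia page. It runs over a constructed, simplified event schema (`oauth_grant` and `file_download` records with `time`, `user`, `app_id`, `scopes`, `path`), not any vendor's actual log format, and the allowlist, scope list, sensitive-path prefixes, per-user baselines, 24-hour window and 100-file floor are all hypothetical values an organization would replace with its own:

```python
"""Correlate OAuth grants to external apps with high-volume cloud-drive downloads.

Event schema, allowlist, scope list, prefixes and baselines are assumptions for
this example; the sample events are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Hypothetical allowlist of sanctioned app IDs; review it regularly (see above).
SANCTIONED_APPS = {"backup-tool-approved"}
# Scopes treated as broad: tenant-wide or full-drive access (Microsoft Graph / Google).
BROAD_SCOPES = {
    "Files.ReadWrite.All",
    "Files.Read.All",
    "https://www.googleapis.com/auth/drive",
}
SENSITIVE_PREFIXES = ("/Finance/", "/Legal/")
# Hypothetical per-user daily download baselines (e.g. a 30-day median).
USER_BASELINE_DAILY = {"alice@example.com": 12, "bob@example.com": 400, "carol@example.com": 20}


def build_events():
    """Constructed sample events: one true positive, one allowlisted app,
    one below-threshold grant, and downloads with no preceding grant."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # alice consents to an unfamiliar app with a broad scope, then pulls 150 files,
    # half of them from a sensitive location.
    ev.append({"time": base, "type": "oauth_grant", "user": "alice@example.com",
               "app_id": "app-unknown-123", "app_name": "PDF Magic",
               "scopes": ["Files.ReadWrite.All", "offline_access"]})
    for i in range(150):
        path = f"/Finance/Q1/report-{i}.xlsx" if i % 2 else f"/Docs/file-{i}.docx"
        ev.append({"time": base + timedelta(minutes=10 + i), "type": "file_download",
                   "user": "alice@example.com", "service": "OneDrive", "path": path})
    # bob's sanctioned backup tool pulls 300 files: allowlisted, so no alert.
    ev.append({"time": base + timedelta(hours=1), "type": "oauth_grant", "user": "bob@example.com",
               "app_id": "backup-tool-approved", "app_name": "Approved Backup",
               "scopes": ["Files.Read.All"]})
    for i in range(300):
        ev.append({"time": base + timedelta(hours=1, minutes=i), "type": "file_download",
                   "user": "bob@example.com", "service": "OneDrive", "path": f"/Archive/{i}.pdf"})
    # carol consents to an external calendar app and downloads 5 files: below threshold.
    ev.append({"time": base + timedelta(hours=2), "type": "oauth_grant", "user": "carol@example.com",
               "app_id": "app-other-456", "app_name": "Cal Sync", "scopes": ["Calendars.Read"]})
    for i in range(5):
        ev.append({"time": base + timedelta(hours=2, minutes=i), "type": "file_download",
                   "user": "carol@example.com", "service": "Google Drive", "path": f"/Notes/{i}.txt"})
    # dave downloads 200 files with no preceding grant: outside this analytic's pattern.
    for i in range(200):
        ev.append({"time": base + timedelta(hours=3, minutes=i), "type": "file_download",
                   "user": "dave@example.com", "service": "Google Drive", "path": f"/Eng/{i}.bin"})
    return ev


def correlate(events, window=timedelta(hours=24), min_downloads=100, baseline_multiplier=3.0):
    """Return one alert per non-sanctioned OAuth grant that is followed, within
    `window`, by more downloads from the same user than the tuned threshold.
    The threshold is the larger of an absolute floor and a multiple of the
    user's baseline, so heavy-but-normal users do not fire on every grant."""
    grants = [e for e in events
              if e["type"] == "oauth_grant" and e["app_id"] not in SANCTIONED_APPS]
    downloads = [e for e in events if e["type"] == "file_download"]
    alerts = []
    for g in grants:
        t0, t1 = g["time"], g["time"] + window
        hits = [d for d in downloads if d["user"] == g["user"] and t0 <= d["time"] <= t1]
        baseline = USER_BASELINE_DAILY.get(g["user"], min_downloads)
        threshold = max(min_downloads, baseline_multiplier * baseline)
        if len(hits) < threshold:
            continue
        # Risk factors used to prioritize the alert, per the list above.
        factors = []
        if BROAD_SCOPES & set(g["scopes"]):
            factors.append("broad_scope")
        sensitive = [d for d in hits if d["path"].startswith(SENSITIVE_PREFIXES)]
        if sensitive:
            factors.append("sensitive_location")
        alerts.append({
            "user": g["user"], "app_id": g["app_id"], "app_name": g["app_name"],
            "scopes": g["scopes"], "grant_time": g["time"].isoformat(),
            "download_count": len(hits), "sensitive_files": len(sensitive),
            "threshold": threshold, "risk_factors": factors,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(build_events()):
        print(a)
```

In this constructed data only alice's grant fires: 150 downloads against a threshold of 100, with both `broad_scope` and `sensitive_location` set. Bob's 300 downloads are suppressed by the allowlist, which is exactly the exposure the list above warns about if that allowlist is not reviewed; in production the same correlation should also be run with the allowlist disabled and a higher threshold, so that an over-permissioned sanctioned integration is still visible.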
Mitigation priorities
- Establish governance for OAuth app consent, including review of external applications and requested scopes.
- Restrict user consent where appropriate and require administrative approval for higher-risk SaaS app permissions.
- Ensure OneDrive and Google Drive audit logging is enabled, retained, and accessible to SOC and IR workflows.
- Create incident response procedures for revoking OAuth grants, invalidating tokens, and assessing downloaded file exposure.
- Use data classification and access reviews to reduce the amount of sensitive content available through broad cloud-drive permissions.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique. The supplied description is specific enough to guide defensive validation around SaaS OAuth grants and cloud-drive downloads, but it does not include tactics, formal detection logic, thresholds, or related ATT&CK relationships. Local SaaS configuration and logging maturity will determine practical coverage.
Official detection content was not provided, and no relationship context was supplied. The guidance on this page should therefore be treated as defensive direction for validating the described analytic pattern, not as evidence of active exploitation, attribution, or guaranteed detection capability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 79a9c33fee4d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1329 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.