AN1426: Analytic 1426
Use of OAuth tokens by third-party apps to access user mail, calendar, or SharePoint resources where the token was granted recently or via spearphishing.
Analyst context for executives and security teams
This analytic focuses on recently granted OAuth tokens used by third-party Office Suite apps to access user mail, calendar, or SharePoint resources, especially where consent may have been obtained through spearphishing. For leaders, the significance is that access can occur through authorized-looking tokens rather than obvious password misuse, so identity governance, app consent review, and Office telemetry become central to understanding exposure.
Executive priority
Prioritize this where Office Suite mail, calendar, and SharePoint data are business-critical or regulated. Executives should ask whether the organization can prove which third-party apps have access, who granted consent, when the grant occurred, and whether suspicious grants can be reviewed and revoked quickly. This is also relevant to compliance evidence because OAuth consent and app access can create durable access paths to sensitive collaboration data.
Technical view
SOC, identity, and IR teams should validate visibility into OAuth token use by third-party apps against Office Suite resources. Because the supplied ATT&CK object provides no official detection logic, teams should focus on confirming they can correlate recent consent grants with subsequent access to mail, calendar, or SharePoint resources, and distinguish expected business applications from newly authorized or unusual third-party apps. Investigation workflows should include consent timing, granting user, app identity, requested resource scope, and whether the grant followed a suspected spearphishing event.
Likely telemetry
- OAuth consent grant records for third-party applications
- OAuth token usage or sign-in activity associated with Office Suite resources
- User mail access logs
- Calendar access logs
- SharePoint access logs
Detection direction
- Validate that recent OAuth grants can be queried and correlated with resource access to mail, calendar, and SharePoint.
- Tune review logic around newly granted third-party apps, unusual permission scopes, or access by apps not previously seen in the environment.
- Use spearphishing context, where available, to prioritize grants made shortly after suspicious email activity.
- Account for false positives from legitimate SaaS integrations, productivity tools, and approved business applications.
- Identify blind spots where token usage, consent events, or SharePoint/mail/calendar access logs are not retained long enough for investigation.
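The correlation described in the technical view and detection direction above, as an added worked example (not detection logic from the ATT&CK object or from Glexia): consent-grant records are joined to later mail, calendar and SharePoint access by the same app and user inside a review window, and each match is scored against an approved-app inventory, a sensitive-scope list and any suspicious-email event shortly before the grant. All record field names (`app_id`, `user`, `granted_at`, `scopes`, `resource`, `accessed_at`, `observed_at`), the scope names, the 72-hour and 2-hour windows and the sample records are assumptions constructed for the example; map them to whatever your audit export actually contains.

```python
"""Correlate recent OAuth consent grants with subsequent resource access.

Added example only; field names, windows and sample data are assumptions,
not the schema of any particular tenant's audit log.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample consent grants: one long-approved integration and one
# app that was consented to minutes before it started reading mail.
GRANTS = [
    {"app_id": "app-approved-crm", "user": "alice@example.com",
     "granted_at": "2025-01-02T09:00:00Z", "scopes": ["Mail.Read"]},
    {"app_id": "app-new-unknown", "user": "bob@example.com",
     "granted_at": "2025-03-10T10:05:00Z",
     "scopes": ["Mail.ReadWrite", "Calendars.Read", "Sites.Read.All"]},
]

# Constructed sample access events (mail / calendar / sharepoint) per app and user.
ACCESSES = [
    {"app_id": "app-approved-crm", "user": "alice@example.com",
     "resource": "mail", "accessed_at": "2025-03-10T11:00:00Z"},
    {"app_id": "app-new-unknown", "user": "bob@example.com",
     "resource": "mail", "accessed_at": "2025-03-10T10:20:00Z"},
    {"app_id": "app-new-unknown", "user": "bob@example.com",
     "resource": "sharepoint", "accessed_at": "2025-03-10T12:45:00Z"},
]

# Constructed: a suspicious email flagged for bob shortly before his consent grant.
PHISH_EVENTS = [
    {"user": "bob@example.com", "observed_at": "2025-03-10T09:50:00Z"},
]

# Assumed inventory of approved apps and of scopes treated as sensitive.
APPROVED_APPS = frozenset({"app-approved-crm"})
SENSITIVE_SCOPES = frozenset({"Mail.ReadWrite", "Calendars.ReadWrite", "Sites.Read.All"})


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def correlate(grants, accesses, phish_events=(), approved=frozenset(),
              window=timedelta(hours=72), phish_window=timedelta(hours=2)):
    """Return review findings: grants followed by access within `window`
    that also trip at least one risk reason (unapproved app, sensitive scope,
    or consent shortly after a suspicious-email event)."""
    findings = []
    for grant in grants:
        granted_at = _ts(grant["granted_at"])
        # Access by the same app for the same user, after consent, inside the window.
        hits = [a for a in accesses
                if a["app_id"] == grant["app_id"] and a["user"] == grant["user"]
                and granted_at <= _ts(a["accessed_at"]) <= granted_at + window]
        if not hits:
            continue

        # Spearphishing context: a flagged email for this user within phish_window before consent.
        phish_context = any(
            p["user"] == grant["user"]
            and timedelta(0) <= granted_at - _ts(p["observed_at"]) <= phish_window
            for p in phish_events)

        reasons = []
        if grant["app_id"] not in approved:
            reasons.append("app not in approved inventory")
        if SENSITIVE_SCOPES & set(grant["scopes"]):
            reasons.append("sensitive scope granted")
        if phish_context:
            reasons.append("consent shortly after suspicious email")
        if not reasons:
            continue  # approved app, benign scopes, no phishing context: expected business use

        first_access = min(_ts(a["accessed_at"]) for a in hits)
        findings.append({
            "app_id": grant["app_id"],
            "user": grant["user"],
            "granted_at": grant["granted_at"],
            "resources": sorted({a["resource"] for a in hits}),
            "minutes_to_first_access": (first_access - granted_at).total_seconds() / 60,
            "reasons": reasons,
        })
    return findings


def run_example():
    """Run the correlation over the constructed sample data."""
    return correlate(GRANTS, ACCESSES, PHISH_EVENTS, APPROVED_APPS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The approved CRM app is dropped for two independent reasons: its only access falls outside the 72-hour post-consent window, and even inside it no risk reason would fire. The unknown app produces a single finding listing both resources it touched, the 15 minutes between consent and first mail read, and all three reasons, which is the shape an analyst needs to answer the consent-timing, granting-user, app-identity and scope questions raised above.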
Mitigation priorities
- Maintain an inventory of approved third-party Office Suite applications and their granted permissions.
- Review and restrict user consent processes where business requirements allow.
- Establish a rapid process to investigate and revoke suspicious OAuth grants or tokens.
- Require periodic access reviews for apps with mail, calendar, or SharePoint permissions.
- Ensure incident response playbooks include OAuth app consent review, token revocation, and affected-resource scoping.
Analyst notes and limits
The ATT&CK object is a detection analytic for Office Suite environments and specifically references OAuth tokens granted recently or via spearphishing. No tactics, relationships, or official detection logic were supplied, so this take emphasizes validation questions and telemetry requirements rather than a specific rule.
This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local Office Suite configuration, consent policies, logging retention, and approved application inventory are required to determine real exposure and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a4ce6b92a958… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1426 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.