MITRE ATT&CK® Analytic

AN1487: Analytic 1487

Detects suspicious OAuth application integrations within Office 365 or Google Workspace environments, such as new app registrations, unexpected consent grants, or privilege assignments. Defenders should correlate between application creation/modification events and associated user or service principal activity to identify persistence via app integrations.

Enterprise | AN1487 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because OAuth app integrations in Office 365 and Google Workspace can become a durable access path if consent grants, app registrations, or privilege assignments are not governed and monitored. For executives and security leaders, the decision value is whether the organization can prove who is allowed to create or approve app integrations, whether suspicious changes are visible to the SOC, and whether incident responders can quickly connect an app change to the user or service principal activity around it.

Executive priority

Prioritize this as an identity and cloud/SaaS control validation item. The business risk is not simply a new application appearing; it is the possibility of persistent access through trusted productivity-suite integrations. Leaders should ask whether OAuth consent and app registration workflows are controlled, logged, reviewed, and available as evidence for audit, incident response, and managed detection operations.

Technical view

For Office Suite environments, validate monitoring for suspicious OAuth application integrations in Office 365 and Google Workspace. The supplied analytic specifically calls out new app registrations, unexpected consent grants, privilege assignments, and correlation between application creation or modification events and associated user or service principal activity. SOC and detection teams should focus on whether these events can be joined into a timeline that shows who created or modified the app, what permissions were granted, which identity approved consent, and what activity followed.

Likely telemetry

  • Office 365 application registration and modification events
  • Google Workspace application integration or OAuth app activity
  • OAuth consent grant events
  • Application privilege or permission assignment records
  • User activity associated with app creation, modification, or consent

Detection direction

  • Validate that app creation, app modification, consent grant, and privilege assignment events are collected and retained from Office 365 and Google Workspace where used.
  • Correlate application changes with the initiating user or service principal rather than alerting only on isolated app events.
  • Tune for unexpected consent grants or privilege assignments relative to approved business applications and known administrative workflows.
  • Review false positives from legitimate SaaS onboarding, help desk activity, automation, and sanctioned integrations.
  • Identify blind spots where OAuth consent activity is logged in one system but not forwarded to the SIEM or managed detection platform.

Mitigation priorities

  • Establish and document ownership for OAuth app registration and consent governance in Office 365 and Google Workspace.
  • Restrict who can create applications, grant consent, or assign privileged permissions where the platform and business process allow.
  • Maintain an approved inventory of OAuth applications and expected permission scopes for review and investigation context.
  • Require periodic review of consent grants, app privileges, and service principal activity.
  • Ensure incident response playbooks include steps to investigate, disable, or revoke suspicious app integrations and related permissions.
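The correlation described under "Detection direction" and the approved-inventory check under "Mitigation priorities" can be exercised end to end with a small script. The following is an added example, not code from Glexia or MITRE: it parses constructed JSON-lines audit records (the field names CreationTime, Operation, UserId, ObjectId and Scopes, and the operation strings, are assumptions modelled loosely on Microsoft 365 unified audit log exports and must be mapped to what your tenant or Google Workspace export actually emits), groups events per application, attributes each change to the initiating user or service principal, compares granted scopes against an approved inventory, and flags non-lifecycle activity that follows a grant within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names are assumptions (roughly after Microsoft 365 unified audit
# log wording); map them to your own tenant's or Google Workspace's events.
REGISTRATION_OPS = {"Add application.", "Add service principal."}
CONSENT_OPS = {"Consent to application."}
PRIVILEGE_OPS = {"Add app role assignment to service principal.",
                 "Add app role assignment grant to user."}
LIFECYCLE_OPS = REGISTRATION_OPS | CONSENT_OPS | PRIVILEGE_OPS

# Constructed inventory: approved app id -> expected permission scopes.
APPROVED_APPS = {"app-ticketing": {"User.Read"}}

# Constructed sample records (JSON lines); not real tenant data.
SAMPLE_LOG = """
{"CreationTime":"2026-03-01T09:00:00","Operation":"Add application.","UserId":"alice@example.com","ObjectId":"app-ticketing","Scopes":""}
{"CreationTime":"2026-03-01T09:01:00","Operation":"Consent to application.","UserId":"alice@example.com","ObjectId":"app-ticketing","Scopes":"User.Read"}
{"CreationTime":"2026-03-01T13:10:00","Operation":"Add application.","UserId":"bob@example.com","ObjectId":"app-mailsync","Scopes":""}
{"CreationTime":"2026-03-01T13:12:00","Operation":"Consent to application.","UserId":"bob@example.com","ObjectId":"app-mailsync","Scopes":"Mail.ReadWrite offline_access"}
{"CreationTime":"2026-03-01T13:15:00","Operation":"Add app role assignment to service principal.","UserId":"bob@example.com","ObjectId":"app-mailsync","Scopes":"Directory.ReadWrite.All"}
{"CreationTime":"2026-03-01T13:20:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","ObjectId":"app-mailsync","Scopes":""}
"""


def parse_log(text):
    """Parse JSON-lines audit records; add a datetime and a scope set to each."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["CreationTime"])
        rec["scopes"] = set(rec.get("Scopes", "").split())
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def build_timelines(records):
    """Group every record by the application it touches, in time order."""
    per_app = defaultdict(list)
    for rec in records:
        per_app[rec["ObjectId"]].append(rec)
    return per_app


def evaluate_app(app_id, events, approved, follow_on_window=timedelta(minutes=30)):
    """Findings for one app: who changed it, what was granted, what followed."""
    findings = []
    expected = approved.get(app_id)          # None means not in the inventory
    actors = set()
    last_grant_ts = None
    for ev in events:
        op, actor = ev["Operation"], ev["UserId"]
        if op in LIFECYCLE_OPS:
            actors.add(actor)                # attribute the change to an identity
        if op in REGISTRATION_OPS and expected is None:
            findings.append(f"unapproved app registered by {actor}")
        if op in CONSENT_OPS or op in PRIVILEGE_OPS:
            last_grant_ts = ev["ts"]
            unexpected = ev["scopes"] - (expected or set())
            if unexpected:
                kind = "privilege assignment" if op in PRIVILEGE_OPS else "consent grant"
                findings.append(f"unexpected {kind} {sorted(unexpected)} by {actor}")
        elif (op not in LIFECYCLE_OPS and last_grant_ts is not None
              and ev["ts"] - last_grant_ts <= follow_on_window):
            minutes = int((ev["ts"] - last_grant_ts).total_seconds() // 60)
            findings.append(f"follow-on activity {op} by {actor} {minutes} min after grant")
    return {"actors": sorted(actors), "findings": findings}


def detect(log_text, approved=APPROVED_APPS):
    """Run the correlation over an export; only apps with findings are returned."""
    results = {}
    for app_id, events in build_timelines(parse_log(log_text)).items():
        result = evaluate_app(app_id, events, approved)
        if result["findings"]:
            results[app_id] = result
    return results


if __name__ == "__main__":
    for app_id, result in detect(SAMPLE_LOG).items():
        print(app_id, "actors:", ", ".join(result["actors"]))
        for finding in result["findings"]:
            print("  -", finding)
```

On the constructed input the approved ticketing app produces no findings, while the second app yields a timeline that names the registering user, the out-of-inventory scopes granted, the privileged role assignment, and the mailbox access that followed five minutes later. Tuning means maintaining APPROVED_APPS from the sanctioned inventory and choosing the follow-on window to match how quickly legitimate onboarding normally proceeds.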

Analyst notes and limits

This object is a detection analytic, not a technique description. It is most useful as a validation prompt for SaaS identity telemetry and correlation logic. The key relationship implied by the official description is between app creation or modification events and the user or service principal activity surrounding them, but no formal ATT&CK relationship context was supplied.

The official detection field is not provided, tactics are not specified, and no relationships were supplied. This take does not assert active exploitation, attribution, impact, or existing coverage. Local Office 365 or Google Workspace configuration, logging availability, retention, and consent governance must be reviewed to determine actual risk and detection maturity.

Official MITRE ATT&CK definition

Analytic 1487

Detects suspicious OAuth application integrations within Office 365 or Google Workspace environments, such as new app registrations, unexpected consent grants, or privilege assignments. Defenders should correlate between application creation/modification events and associated user or service principal activity to identify persistence via app integrations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b4e470534f3792c9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b4e470534f37…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1487

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.