AN1505: Analytic 1505
Detects unexpected access or usage of cloud productivity tools (e.g., downloading large numbers of files, creating external shares) by internal users.
Analyst context for executives and security teams
This analytic is about spotting unusual use of SaaS cloud productivity tools by internal users, such as unusually large file downloads or creation of external shares. For leaders, the value is not just detecting “bad behavior”; it is validating whether the organization can see and investigate activity that may expose sensitive business data through everyday collaboration platforms.
Executive priority
Prioritize this where SaaS productivity suites hold regulated, confidential, or operationally critical data. The key business question is whether security, IT, and compliance teams can produce evidence of who accessed files, what was shared externally, and whether the activity was expected. This supports incident triage, data exposure assessment, audit readiness, and decisions about tightening sharing or download controls without unnecessarily disrupting normal collaboration.
Technical view
SOC and detection teams should validate monitoring for unexpected SaaS productivity activity by internal users, especially high-volume downloads and external sharing events. Because ATT&CK provides no official detection logic, teams should define local baselines for normal user, department, role, and service behavior, then tune alerts around meaningful deviations. Incident responders should ensure alerts preserve enough context to assess account legitimacy, file sensitivity, destination or share scope, and whether the activity aligns with business need.
Likely telemetry
- SaaS audit logs for file access, download, sharing, and permission changes
- User identity and authentication logs associated with SaaS access
- External sharing events, link creation, and collaborator invitation records
- File metadata such as owner, repository, sensitivity label where available, and volume of files accessed
- Administrative or compliance logs from cloud productivity platforms
Detection direction
- Validate that SaaS audit logging is enabled and retained long enough to support investigations.
- Create baselines for normal download volume and sharing behavior by user, group, department, and business function.
- Tune for combinations of events, such as large download volume plus external sharing, rather than relying only on single-event thresholds.
- Account for false positives from legitimate migrations, legal discovery, backups, finance reporting, or approved partner collaboration.
- Confirm analysts can distinguish internal user activity from compromised-account activity using identity, session, and access context.
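As an added illustration (not part of the ATT&CK object or this page), the Python sketch below applies the direction above to constructed SaaS audit events: it builds a per-user download baseline from a prior window, then flags a user only when review-day download volume exceeds that baseline and the same user also created an external share. Event shape, user names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    day: str          # YYYY-MM-DD
    user: str
    action: str       # "download" or "share_external"
    count: int = 1    # files affected


# Constructed sample audit events: a seven-day baseline window plus one review day.
BASELINE_EVENTS = (
    [Event(f"2026-01-0{d}", "alice", "download", n) for d, n in enumerate((5, 7, 6, 8, 5, 6, 7), start=1)]
    + [Event(f"2026-01-0{d}", "bob", "download", n) for d, n in enumerate((40, 45, 38, 50, 42, 47, 44), start=1)]
)
REVIEW_EVENTS = [
    Event("2026-01-08", "alice", "download", 120),       # far above alice's ~6/day norm
    Event("2026-01-08", "alice", "share_external", 3),   # and external sharing the same day
    Event("2026-01-08", "bob", "download", 130),         # bulk download, but no external share
    Event("2026-01-08", "carol", "share_external", 1),   # external share at normal volume
]


def per_user_download_baseline(events):
    """Mean and population stddev of daily download volume per user over the baseline window."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == "download":
            daily[e.user][e.day] += e.count
    return {u: (mean(v.values()), pstdev(v.values())) for u, v in daily.items()}


def detect(review_events, baseline, z=3.0, min_downloads=50):
    """Flag users whose downloads exceed their baseline AND who created an external share.

    A user with no baseline falls back to the absolute min_downloads floor, so a
    first-seen account cannot slip under a zero baseline."""
    downloads, shared = defaultdict(int), set()
    for e in review_events:
        if e.action == "download":
            downloads[e.user] += e.count
        elif e.action == "share_external":
            shared.add(e.user)
    findings = []
    for user, total in downloads.items():
        mu, sigma = baseline.get(user, (0.0, 0.0))
        threshold = max(mu + z * sigma, min_downloads)
        if total > threshold and user in shared:
            findings.append({"user": user, "downloads": total, "threshold": round(threshold, 1)})
    return findings
```

Run against the sample data, only alice is flagged: bob's bulk download lacks the sharing component and carol's share lacks the volume component, which is the point of correlating the two events instead of alerting on either alone.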
Mitigation priorities
- Inventory which SaaS productivity tools contain sensitive or business-critical information.
- Ensure audit logging, retention, and alert routing are configured for file access and external sharing events.
- Review and enforce policies for external sharing, public links, and bulk downloads based on business need.
- Use identity and access governance to keep user permissions aligned with role and data sensitivity.
- Document investigation and evidence procedures for suspected SaaS data exposure events.
Analyst notes and limits
This object is a detection analytic for SaaS environments. The supplied ATT&CK description specifically references unexpected access or usage of cloud productivity tools by internal users, including large file downloads and external shares. No tactics, relationships, or official detection logic were supplied, so implementation should be driven by local SaaS audit capabilities and business-specific baselines.
The ATT&CK object is sparse: tactics are not specified, official detection content is not provided, and no relationship context was supplied. This analysis does not infer a specific vendor, threat actor, technique mapping, impact, or active exploitation. Local environment evidence is required to determine detection feasibility and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 305f6116a769… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1505 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.