Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1566: Analytic 1566

Suspicious access to Microsoft Teams chat messages via eDiscovery, Graph API, or export methods after rare or compromised sign-in. Often associated with excessive file access, sensitive content review, or anomaly from expected user behavior.

EnterpriseAN1566AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious access to Microsoft Teams chat content through eDiscovery, Microsoft Graph API, or export-style methods, especially when it follows a rare or potentially compromised sign-in. For leaders, the significance is that Teams often contains sensitive business discussions, legal matters, credentials, customer data, and incident response coordination. Unusual bulk or privileged access to chat messages can become a confidentiality, compliance, and investigation-readiness issue even if no malware is present.

Executive priority

Prioritize this as an identity, collaboration security, and compliance evidence question: can the organization prove who accessed Teams messages, by what method, from which sign-in context, and whether access was consistent with job role and legal/compliance process? Security leaders should confirm that monitoring covers eDiscovery, Graph API, and export activity, not only endpoint alerts. This is material for incident response scoping, insider-risk review, audit defensibility, and protecting sensitive communications in Office Suite environments.

Technical view

SOC and detection teams should validate visibility for Microsoft Teams message access via eDiscovery, Graph API, and export methods, then correlate that activity with rare, anomalous, or compromised sign-in indicators. Because ATT&CK provides no official detection logic for this analytic, teams should build local baselines for expected users, applications, roles, locations, volumes, and timing. Review whether excessive file access, sensitive content review, or deviations from normal user behavior appear near the same session or account activity.

Likely telemetry

  • Office Suite audit logs covering Microsoft Teams message access
  • eDiscovery activity logs and case/export records
  • Microsoft Graph API access logs or application audit records
  • Export/download activity associated with Teams chat content
  • Identity sign-in logs including rare sign-in, location, device, MFA, and risk context

Detection direction

  • Correlate Teams chat access through eDiscovery, Graph API, or export methods with rare or suspicious sign-in context.
  • Baseline normal eDiscovery and Graph API usage by role, application, volume, time, and source location to reduce false positives from legitimate legal, compliance, or administrative work.
  • Flag unusual combinations such as new app/client use, unexpected user role, abnormal message volume, sensitive content access, or excessive file access near the same session.
  • Validate whether logs distinguish interactive user activity from application/API-driven access; this is a common blind spot for collaboration-platform monitoring.
  • Create investigation playbooks that separate authorized compliance/legal collection from compromised-account or inappropriate-access scenarios.

Mitigation priorities

  • Ensure least-privilege access for eDiscovery, export, and Graph API permissions related to Teams content.
  • Require strong identity controls for accounts that can access or export collaboration data, including appropriate MFA and conditional access policies where available in the environment.
  • Review and govern application permissions that can read Teams messages or related content.
  • Maintain audit logging and retention sufficient for compliance review and incident reconstruction.
  • Define approval, documentation, and monitoring expectations for legitimate eDiscovery and export workflows.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and no relationship context or official detection logic was provided. The strongest decision value is to test whether collaboration-content access is visible and correlated with identity risk. Local business context is essential because legitimate eDiscovery and compliance activity can look sensitive by design.

This take is limited to the official fields supplied: Office Suite platform, Teams chat message access via eDiscovery, Graph API, or export methods, and association with rare or compromised sign-in plus possible excessive file or sensitive content access. No tactics, relationships, vendor-specific events, detection query, impact statement, or attribution were provided.

Official MITRE ATT&CK definition

Analytic 1566

Suspicious access to Microsoft Teams chat messages via eDiscovery, Graph API, or export methods after rare or compromised sign-in. Often associated with excessive file access, sensitive content review, or anomaly from expected user behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
200684c494fd9c41...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 200684c494fd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1566
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use