AN1581: Analytic 1581
Detects user activity that shares or syncs files with external domains via link generation, OneDrive external sharing, or file transfer actions involving non-whitelisted partner tenants.
Analyst context for executives and security teams
This analytic matters because external file sharing from an office suite is where business collaboration and data exposure risk meet. The behavior is not inherently malicious: users generate links, sync OneDrive content, and transfer files to external domains as part of normal work. What matters for a decision is whether the organization can distinguish approved partner collaboration from sharing to non-whitelisted external tenants.
Executive priority
Security leaders should treat this as a governance and resilience question: can the organization prove who is sharing files externally, with which domains or tenants, and whether those destinations are approved? This supports data protection, audit evidence, incident scoping, and partner-access oversight. Priority should be highest for environments where office-suite file sharing contains regulated, sensitive, contractual, or operationally critical information.
Technical view
For SOC, detection engineering, and IR teams, validate whether Office Suite activity logs capture link generation, OneDrive external sharing, file sync events, file transfer actions, destination domains, tenant identifiers, user identity, file metadata, and whitelist or approved-partner status. Because no official detection logic is provided and no ATT&CK tactics are specified, teams should implement this as a policy-aware anomaly or rule-based analytic focused on external sharing to non-whitelisted partner tenants rather than treating every external share as hostile.
Likely telemetry
- Office Suite audit logs for file sharing and link generation
- OneDrive external sharing and sync activity records
- File transfer or collaboration activity logs involving external domains
- User identity, account, and session context associated with sharing actions
- Destination domain and external tenant identifiers
Detection direction
- Validate that logs include the external domain or tenant needed to compare activity against approved partner lists.
- Tune detections to separate normal business collaboration from sharing to non-whitelisted or unexpected external tenants.
- Correlate repeated sharing, bulk sync, or unusual user activity with identity context and file sensitivity where available.
- Review false positives from legitimate new vendors, mergers, temporary projects, or unmanaged partner onboarding.
- Confirm whether link generation events are logged even when the recipient has not accessed the file.
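The detection design described in the technical view and in the points above, worked through on constructed input, as an added example (this is not code from the page, from MITRE, or from Glexia). The event field names follow the SharePoint/OneDrive sharing audit schema (Operation, UserId, TargetUserOrGroupName, ObjectId), but every event, the home-tenant domains, the partner allowlist, and the bulk threshold are invented for the example. It shows three practitioner details the bullets call for: an allowlist comparison that accepts subdomains of an approved partner but not a look-alike such as `evil-partner.example`; extraction of the real external domain from a guest account UPN of the form `user_partner.example#EXT#@tenant.onmicrosoft.com`; and anonymous link creation treated as an alert even though no recipient, and no access, is recorded.

```python
from collections import defaultdict

# Constructed sample events for this example (not real audit records).
# Field names follow the SharePoint/OneDrive sharing audit schema; values are invented.
SAMPLE_EVENTS = [
    {"Operation": "SharingSet", "UserId": "alice@contoso.com",
     "TargetUserOrGroupName": "bob@partner.example",
     "ObjectId": "https://contoso.sharepoint.com/sites/fin/Q3.xlsx"},
    {"Operation": "SharingInvitationCreated", "UserId": "alice@contoso.com",
     "TargetUserOrGroupName": "eve@evil-partner.example",        # look-alike domain
     "ObjectId": "https://contoso.sharepoint.com/sites/fin/Q3.xlsx"},
    {"Operation": "AnonymousLinkCreated", "UserId": "carol@contoso.com",
     "TargetUserOrGroupName": "",                                  # no recipient logged
     "ObjectId": "https://contoso-my.sharepoint.com/personal/carol/roadmap.pptx"},
    {"Operation": "SharingSet", "UserId": "dave@contoso.com",
     "TargetUserOrGroupName": "pat_partner.example#EXT#@contoso.onmicrosoft.com",  # guest UPN
     "ObjectId": "https://contoso.sharepoint.com/sites/eng/spec.docx"},
    {"Operation": "SharingSet", "UserId": "alice@contoso.com",
     "TargetUserOrGroupName": "frank@contoso.com",                 # internal share
     "ObjectId": "https://contoso.sharepoint.com/sites/fin/Q3.xlsx"},
    {"Operation": "FileDownloaded", "UserId": "erin@contoso.com",  # not a sharing operation
     "TargetUserOrGroupName": "",
     "ObjectId": "https://contoso.sharepoint.com/sites/eng/spec.docx"},
    {"Operation": "AddedToSecureLink", "UserId": "mallory@contoso.com",
     "TargetUserOrGroupName": "x@unknown.example",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/mallory/a.docx"},
    {"Operation": "AddedToSecureLink", "UserId": "mallory@contoso.com",
     "TargetUserOrGroupName": "y@unknown.example",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/mallory/b.docx"},
    {"Operation": "SharingSet", "UserId": "mallory@contoso.com",
     "TargetUserOrGroupName": "z@other.example",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/mallory/c.docx"},
]

INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # assumed home tenant
APPROVED_PARTNER_DOMAINS = {"partner.example"}                  # assumed partner allowlist

# Operations treated as sharing or link generation (assumed subset for the example).
SHARING_OPERATIONS = {"SharingSet", "SharingInvitationCreated", "SecureLinkCreated",
                      "AddedToSecureLink", "AnonymousLinkCreated"}
ANONYMOUS_OPERATIONS = {"AnonymousLinkCreated"}


def recipient_domain(target):
    """Return the recipient's real domain, or None when the record carries none.

    Guest accounts appear as user_domain#EXT#@tenant.onmicrosoft.com; the domain
    after the '@' is the home tenant, so the original domain is taken from the
    local part (everything after its last '_')."""
    if not target:
        return None
    t = target.lower()
    if "#ext#@" in t:
        local = t.split("#ext#@", 1)[0]
        return local.rsplit("_", 1)[1] if "_" in local else None
    if "@" in t:
        return t.rsplit("@", 1)[1]
    return None


def domain_is_allowed(domain, allowed):
    """Exact match or true subdomain; a plain suffix test would let
    'evil-partner.example' pass for 'partner.example'."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def classify(event, internal, approved):
    """Return (reason, domain) for a share needing review, or None to ignore."""
    op = event.get("Operation")
    if op not in SHARING_OPERATIONS:
        return None
    if op in ANONYMOUS_OPERATIONS:
        return ("anonymous_link", None)          # destination is anyone with the URL
    domain = recipient_domain(event.get("TargetUserOrGroupName"))
    if domain is None:
        return ("destination_missing", None)     # telemetry gap: cannot apply policy
    if domain_is_allowed(domain, internal):
        return None                              # intra-tenant share
    if domain_is_allowed(domain, approved):
        return ("approved_partner", domain)
    return ("unapproved_external", domain)


def evaluate(events, internal, approved, bulk_threshold=3):
    """Run the policy-aware rule over events. Returns (alerts, users_over_bulk_threshold)."""
    alerts, per_user = [], defaultdict(int)
    for ev in events:
        result = classify(ev, internal, approved)
        if result is None or result[0] == "approved_partner":
            continue                             # approved partner shares stay in audit only
        reason, domain = result
        per_user[ev["UserId"]] += 1
        alerts.append({"user": ev["UserId"], "operation": ev["Operation"],
                       "reason": reason, "domain": domain, "object": ev.get("ObjectId")})
    bulk_users = [u for u, n in per_user.items() if n >= bulk_threshold]
    return alerts, bulk_users


if __name__ == "__main__":
    found, bulk = evaluate(SAMPLE_EVENTS, INTERNAL_DOMAINS, APPROVED_PARTNER_DOMAINS)
    for a in found:
        print(f"{a['reason']:22} {a['user']:22} {a['operation']:26} {a['domain']}")
    print("bulk external sharing by:", bulk)
```

Against the sample, the approved partner share and the partner guest share are suppressed, the look-alike domain and the anonymous link are raised, and the three shares from one user to unapproved domains trip the bulk threshold. In production the allowlist would be sourced from the partner policy rather than a literal, and `destination_missing` results deserve a separate review because they mean the log cannot support the comparison at all.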
Mitigation priorities
- Define and maintain an approved external sharing and partner tenant policy.
- Restrict or require approval for external sharing where business sensitivity warrants it.
- Ensure Office Suite audit logging is enabled and retained long enough to support investigation and compliance needs.
- Use identity and access controls to limit who can create external links or share with non-approved domains.
- Apply data classification or sensitivity labels where available to prioritize review of higher-risk sharing.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Office Suite activity, focused on external file sharing or sync via link generation, OneDrive external sharing, or file transfer actions involving non-whitelisted partner tenants. There are no supplied relationships, aliases, tactics, or official detection logic, so this analysis emphasizes validation of telemetry, policy context, and detection design rather than a specific ATT&CK technique mapping.
This assessment is limited to the provided STIX fields and external reference. It does not establish that the behavior is malicious, actively exploited, attributed to any threat actor, or covered by any specific tool. Local logging configuration, partner allowlists, file sensitivity data, and business collaboration patterns are required to determine practical risk and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 43c947eff4ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1581
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.