DET0855: Detection of Business Relationships
Analyst context for executives and security teams
DET0855 is a detection strategy for adversary reconnaissance of an organization’s business relationships, such as suppliers, contractors, managed service providers, connected third parties, and other partner dependencies. This matters because targeting often starts outside the firewall: public or semi-public knowledge of trusted relationships can help an adversary choose a softer entry point, craft convincing social engineering, or understand operational dependencies before any direct intrusion occurs.
Executive priority
Treat this as a supply-chain and third-party risk visibility problem, not only a SOC alerting problem. Leaders should ask whether the organization knows which business relationships are externally visible, which partners have elevated or connected access, and whether incident response plans account for partner-originated risk. The decision value is in prioritizing third-party access reviews, vendor dependency mapping, and evidence that security teams can recognize reconnaissance patterns before they become an identity, cloud, or operational incident.
Technical view
The supplied ATT&CK object has no official detection text and no platform scope, so defenders should validate coverage around the related technique: T1591.002 Business Relationships, a sub-technique in the Reconnaissance tactic on the PRE platform. SOC and threat intelligence teams should focus on evidence that an external party is researching, enumerating, or abusing information about trusted vendors, MSPs, contractors, domains, supply chains, or shipment paths. Detection engineering should not assume endpoint telemetry is sufficient: this behavior is more likely to surface through external monitoring, web analytics, brand and domain monitoring, phishing-intelligence context, third-party access reviews, and incident reports involving partner relationships.
Likely telemetry
- External web and content analytics for pages that expose partner, supplier, contractor, or integration details
- Threat intelligence reporting referencing the organization’s vendors, MSPs, contractors, supply chain, or trusted domains
- Brand, domain, and certificate monitoring for impersonation or lookalike infrastructure involving business partners
- Email security and phishing reports that reference trusted third parties or business relationships
- Identity and access governance records for third-party, contractor, MSP, or partner accounts
Detection direction
- Map which business relationships are externally disclosed and compare that exposure against phishing themes, suspicious domain registrations, and partner-referencing outreach.
- Tune detections to distinguish normal vendor communications and procurement activity from unusual partner-themed reconnaissance or impersonation patterns.
- Validate that SOC workflows can pivot from a suspicious partner reference to identity access, third-party connectivity, and vendor ownership records.
- Use the relationship to T1591.002 to frame this as pre-compromise reconnaissance; absence of endpoint alerts does not mean absence of risk.
- Document blind spots where partner access, MSP connectivity, or contractor identities are not centrally inventoried or monitored.
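The first two detection directions above (compare disclosed partner relationships against suspicious domain registrations and partner-themed outreach, and separate normal vendor activity from impersonation) can be reduced to a small triage check. The following is an added illustration, not Glexia or MITRE code; the partner inventory, the observed-domain feed, and the similarity threshold are constructed placeholders that a team would replace with its own third-party inventory and brand/domain monitoring output.

```python
from difflib import SequenceMatcher

# Constructed inventory of externally disclosed partner domains (placeholders, not real organisations).
PARTNER_DOMAINS = {
    "acme-logistics.example",
    "northwind-msp.example",
}

# Constructed sample feed: (domain, source) as a domain monitor or phishing triage queue would supply it.
OBSERVED_DOMAINS = [
    ("acme-logistics.example", "newly-registered"),     # the real partner domain
    ("acme-loglstics.example", "newly-registered"),     # one-character typosquat
    ("northwind-msp-support.net", "phishing-sender"),   # partner name embedded in a new domain
    ("unrelated-shop.example", "newly-registered"),     # no relationship to any partner
]

def registrable_label(domain: str) -> str:
    """Left-most label, lower-cased: 'acme-logistics' for 'acme-logistics.example'."""
    return domain.lower().strip(".").split(".")[0]

def assess_domain(candidate: str, partners=PARTNER_DOMAINS, threshold: float = 0.85):
    """Classify one observed domain against the partner inventory.
    Returns (verdict, partner) with verdict in
    'known', 'partner-name-embedded', 'lookalike' or 'unrelated'."""
    cand = candidate.lower().strip(".")
    if cand in {p.lower() for p in partners}:
        return "known", cand
    cand_label = registrable_label(cand)
    for partner in partners:
        p_label = registrable_label(partner)
        # A partner name wrapped in extra words ("-support", "-portal") is the common impersonation theme.
        if p_label in cand_label and cand_label != p_label:
            return "partner-name-embedded", partner
        # Character-level similarity catches swapped or substituted letters and same-name/other-TLD cases.
        if SequenceMatcher(None, cand_label, p_label).ratio() >= threshold:
            return "lookalike", partner
    return "unrelated", None

def triage(observed, partners=PARTNER_DOMAINS):
    """Keep only observations that imitate or embed a partner name, for analyst review."""
    findings = []
    for domain, source in observed:
        verdict, partner = assess_domain(domain, partners)
        if verdict in ("partner-name-embedded", "lookalike"):
            findings.append({"domain": domain, "source": source, "verdict": verdict, "partner": partner})
    return findings

if __name__ == "__main__":
    for f in triage(OBSERVED_DOMAINS):
        print(f"{f['source']:16} {f['domain']:28} {f['verdict']:22} imitates {f['partner']}")
```

Findings from this check are a pivot point, not a verdict: the SOC workflow described in the next bullet should take each flagged domain to identity access, third-party connectivity, and vendor ownership records.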
Mitigation priorities
- Maintain an authoritative inventory of third parties, contractors, MSPs, connected domains, and privileged partner access.
- Limit public disclosure of sensitive relationship details where business needs do not require publication.
- Review and constrain third-party access using least privilege, ownership, periodic recertification, and rapid offboarding.
- Include partner-themed scenarios in incident response and phishing triage playbooks.
- Coordinate vendor risk, identity, SOC, and threat intelligence processes so reconnaissance of business relationships can drive timely control review.
Analyst notes and limits
This object is a detection strategy, not a technique, and the official ATT&CK fields supplied contain no description, detection logic, platforms, or tactics. The practical interpretation comes from its stated relationship: it detects T1591.002 Business Relationships, a reconnaissance technique concerning collection of information about third parties, supply chains, contractors, MSPs, and related domains.
Coverage cannot be asserted from this object alone. Local validation is required to determine which business relationships are public, which third parties have access, what telemetry is collected, and whether SOC or threat intelligence processes can identify partner-focused reconnaissance. No active exploitation, attribution, platform-specific detection, or guaranteed control effectiveness is implied by the supplied ATT&CK data.
Detection of Business Relationships
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1591.002 | Business Relationships Sub-technique | This object detects Business Relationships. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b3002830b48b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0855 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.