T1213.001: Confluence

Confluence can become a high-value collection target because it often concentrates documentation that explains how the business and technology environment work: policies, diagrams, architecture notes, procedures, schedules, links to internal resources, code snippets, and sometimes development credentials. For leaders, the risk is not only loss of documents; it is that an intruder with Confluence access may gain the context needed to move faster through identity, cloud, network, and operational environments.

Executive priority

Treat Confluence as a business-critical information repository, not just a collaboration tool. Priority decisions should focus on whether sensitive spaces are access-controlled, whether account lifecycle controls remove stale access, whether audit logging can support incident response and compliance evidence, and whether users understand not to store credentials or other sensitive operational details in broadly accessible pages.

Technical view

This is an enterprise ATT&CK SaaS collection sub-technique under Data from Information Repositories. Because the official ATT&CK object does not provide detection text, SOC and detection teams should validate coverage around the related detection strategy, Programmatic and Excessive Access to Confluence Documentation, and around Confluence user access logging referenced by Atlassian. Practical validation should confirm visibility into user access patterns, unusual volume, broad space/page enumeration, and access by accounts whose permissions or business role do not match the content accessed. IR teams should be prepared to scope which Confluence spaces, pages, attachments, links, and possible embedded credentials were exposed.

Likely telemetry

Confluence user access logs, where enabled
Confluence audit or administrative logs for account, permission, and space changes
Authentication and identity-provider logs for SaaS access to Confluence
Records of page, space, attachment, or repository access where available
Signals of programmatic or excessive documentation access consistent with DET0358

Detection direction

Validate that Confluence logging is enabled and retained long enough to support investigation; the ATT&CK object points to Atlassian user access logging as a relevant source.
Tune detections for programmatic or excessive access to documentation, using DET0358 as the relationship-driven detection context.
Baseline normal access by role, team, project, and space to reduce false positives from legitimate engineering, audit, migration, or documentation projects.
Correlate Confluence access with identity-provider events, especially new sessions, unusual account use, or access by accounts with recently changed permissions.
Look for broad or rapid access across sensitive spaces, pages, attachments, diagrams, links, and documentation categories described by ATT&CK.

Mitigation priorities

Implement and maintain auditing for Confluence access and administrative activity, aligned to M1047 Audit.
Apply user account management controls, including least privilege and timely deactivation or permission removal for accounts that no longer need access, aligned to M1018 User Account Management.
Review access to sensitive Confluence spaces that contain architecture diagrams, network diagrams, procedures, schedules, internal links, source snippets, or development documentation.
Use user training to reduce storage of testing/development credentials and other sensitive operational material in Confluence, aligned to M1017 User Training.
Include Confluence in incident response playbooks, evidence retention plans, access reviews, and compliance evidence collection.

Analyst notes and limits

ATT&CK identifies this as a SaaS collection behavior and specifically notes Confluence may contain information useful for follow-on objectives, including unsecured credentials. Relationship context includes mitigations for User Training, User Account Management, and Audit; a detection strategy for programmatic and excessive Confluence documentation access; group use by LAPSUS$; and software context involving TruffleHog as a secrets-discovery tool. These relationships should inform prioritization without implying current activity in any specific environment.

The official ATT&CK detection field is not provided, so detection guidance depends on the supplied relationship to DET0358, the Atlassian logging reference, and local Confluence logging capabilities. Actual risk depends on how the organization uses Confluence, what content is stored there, which logs are enabled, retention periods, identity integration, and permission design.

Official MITRE ATT&CK definition

Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:

* Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials (i.e., Unsecured Credentials) * Work / project schedules * Source code snippets * Links to network shares and other internal resources

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1213	Data from Information Repositories	This object subtechnique of Data from Information Repositories.

Associated objects

Groups, software, and campaigns

G1004: LAPSUS$

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

S9009: TruffleHog

TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, among other common storage locations to include filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]

IaaSLinuxSaaS

Relationship explorer

All related ATT&CK context

uses · Group G1004: LAPSUS$ Enterprise detects · Detection Strategy DET0358: Programmatic and Excessive Access to Confluence Documentation Enterprise mitigates · Mitigation M1017: User Training Enterprise mitigates · Mitigation M1047: Audit Enterprise subtechnique of · Technique T1213: Data from Information Repositories Enterprise mitigates · Mitigation M1018: User Account Management Enterprise uses · Tool S9009: TruffleHog Enterprise

Mitigations

Mitigation direction

M1017: User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

- Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

- Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Feb 14, 2020, 13:09 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 702b0a60b3281b3f...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`702b0a60b328…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Atlassian Confluence Logging

Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
Open source URL
[2]
mitre-attack T1213.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams