AN0420: Analytic 0420
Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.
Analyst context for executives and security teams
Analytic 0420 matters because it focuses on a high-value identity blind spot: federated application access that appears to succeed through SAML without the normal Windows/Kerberos activity defenders would expect beforehand. For executives and security leaders, the practical question is whether SaaS/O365 access can be explained by trustworthy identity telemetry, not just whether the application login was allowed.
Executive priority
Prioritize this as an identity and cloud-access validation issue. If the organization relies on federation for SaaS/O365, leaders should ask whether SOC and incident response teams can correlate SAML-based access with Windows logon and Kerberos evidence. The business value is stronger confidence in incident decisions, audit evidence for identity controls, and reduced risk that abnormal federated access is missed because logs are reviewed in separate silos.
Technical view
This analytic is Windows-focused and describes detecting access to federated apps such as SaaS/O365 via SAML when expected preceding evidence, such as TGT requests or user logons, is absent. SOC and detection teams should validate whether they can correlate identity-provider or cloud application sign-in events with Windows authentication telemetry over an appropriate time window. Because ATT&CK does not provide a formal detection query for this object, implementation should be treated as a correlation design and tuning exercise rather than a ready-made rule.
Likely telemetry
- SAML/federated application authentication events
- SaaS/O365 sign-in or access logs
- Windows user logon events
- Kerberos Ticket Granting Ticket request activity
- Identity provider authentication and federation logs
Detection direction
- Validate that SAML-based SaaS/O365 access can be joined to Windows logon and Kerberos TGT activity for the same user and relevant time period.
- Alert on anomalous access where federated application authentication occurs without expected prior Windows logon or TGT evidence, while accounting for legitimate federation flows and logging gaps.
- Tune for false positives caused by missing logs, delayed ingestion, service accounts, non-Windows access paths, session reuse, and users authenticating from devices not covered by Windows telemetry.
- Confirm that identity, endpoint, and cloud logs share consistent timestamps and identifiers; otherwise the correlation may appear suspicious simply because the data cannot be reliably joined.
- Use this analytic as a coverage test for identity/cloud monitoring rather than evidence of compromise by itself.
Mitigation priorities
- Ensure required Windows authentication, identity provider, and SaaS/O365 access logs are enabled, retained, and available to the SOC.
- Establish normal correlation patterns between federated access, user logons, and Kerberos activity before promoting detections to high-severity alerting.
- Review federation and SAML governance, including who can administer trust relationships and signing material, without assuming this analytic alone proves misuse.
- Include federated identity scenarios in incident response playbooks so analysts know how to validate suspicious SaaS/O365 access against Windows authentication evidence.
- Document log sources, retention, and correlation logic as compliance and control-evidence artifacts for identity access monitoring.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and no tactic or relationship context was provided. Its value is in highlighting correlation between federated application access and Windows authentication evidence. Local architecture matters: organizations with different federation flows, device mixes, or cloud logging coverage will need environment-specific baselines.
Official detection content is not provided, and no relationships, procedures, mitigations, or data component mappings were supplied. This take should not be read as claiming active exploitation, attribution, complete detection coverage, or applicability beyond the stated Windows platform and described SaaS/O365 SAML correlation scenario.
Analytic 0420
Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | e2cd71ef973a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0420Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.