MITRE ATT&CK® Analytic

AN0795: Analytic 0795

Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.

Enterprise · AN0795 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because delegated email sending in SaaS mail platforms can let one account send messages as, or on behalf of, another user. For executives and security leaders, the risk is not just mailbox abuse; it is loss of trust in internal communications, potential fraud enablement, and harder incident scoping when permissions change quietly. The key decision value is whether the organization can prove who granted SendAs/SendOnBehalfOf rights, when they changed, and whether those permissions were followed by suspicious forwarding, auto-reply, or impersonated messaging behavior.

Executive priority

Prioritize this where SaaS email is business-critical and delegated mailbox access is common, such as executive assistants, shared mailboxes, help desks, finance operations, or automated workflows. Leaders should ask whether identity, email, and SaaS audit logs are retained and reviewable enough to support incident response and audit evidence. This is also a control-governance issue: excessive or unreviewed delegation can turn normal collaboration features into an impersonation and business process risk.

Technical view

Validate monitoring for SaaS mail platforms identified in the ATT&CK object: Google Workspace, Microsoft 365, and Okta-integrated apps. Detection engineering should focus on SendAs and SendOnBehalfOf operations where delegated permissions are unusual for the user, newly granted, or followed by auto-forwarding or auto-reply rules using impersonated content. Because no official ATT&CK detection logic is supplied, teams need to define local baselines for expected delegation patterns, normal administrative workflows, and sanctioned shared-mailbox use.

Likely telemetry

  • SaaS mail audit logs for SendAs and SendOnBehalfOf activity
  • Administrative audit logs showing newly granted or modified delegated mailbox permissions
  • Mailbox rule changes, especially auto-forward and auto-reply creation or modification
  • Identity provider logs for Okta-integrated application access and administrative actions
  • User, mailbox, and group metadata needed to determine whether delegation is expected or unusual

Detection direction

  • Baseline legitimate delegated sending relationships by role, mailbox type, department, and business process before alerting aggressively.
  • Alert on newly granted delegated permissions followed by SendAs or SendOnBehalfOf use, especially when paired with auto-forwarding or auto-reply rule changes.
  • Correlate permission changes with the actor who made the change, the target mailbox, subsequent send activity, and any rule configuration changes.
  • Tune for common false positives such as executive assistant workflows, shared mailboxes, service accounts, help desk queues, and approved automation.
  • Review blind spots in SaaS audit retention, incomplete ingestion from Google Workspace, Microsoft 365, or Okta-integrated apps, and lack of historical permission state needed to identify 'newly granted' access.

Mitigation priorities

  • Maintain an inventory of approved delegated mailbox relationships and require periodic review for high-risk users and shared mailboxes.
  • Restrict who can grant SendAs or SendOnBehalfOf permissions and ensure those administrative actions are logged and reviewable.
  • Apply change-control or approval processes for delegation involving executives, finance, legal, incident response, or other sensitive functions.
  • Review and govern auto-forwarding and auto-reply rule creation, especially where rules can send impersonated or externally directed content.
  • Ensure SaaS mail and identity logs are retained long enough to support incident response, compliance evidence, and post-incident reconstruction.
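To make the detection direction above and the approved-inventory mitigation concrete, here is an added example in Python. It is not Glexia's or MITRE's code; the page supplies no detection logic, and this is one way to implement the correlation it describes. It replays a constructed, platform-neutral audit event stream (the `DelegationGranted`, `SendAs`, `SendOnBehalf` and `RuleCreated` operation names and the `actor`/`mailbox`/`delegate` fields are an assumed normalized schema, not Google Workspace, Microsoft 365 or Okta event names, which must be mapped at ingestion), checks each delegated send against an approved-delegation inventory, flags sends that follow a recent grant, and raises severity when a forward or auto-reply rule was created on the mailbox in between. The 24-hour "newly granted" window and the sample inventory are likewise assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events in a platform-neutral, normalized schema.
# Real Google Workspace, Microsoft 365 and Okta operation and field names differ;
# mapping them onto "op" / "actor" / "mailbox" / "delegate" is an ingestion step
# that has to be validated per tenant (assumption for this example).
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:00Z", "op": "DelegationGranted", "actor": "admin@corp.example",
     "mailbox": "ceo@corp.example", "delegate": "assistant@corp.example", "right": "SendOnBehalf"},
    {"ts": "2026-03-02T09:30:00Z", "op": "SendOnBehalf", "actor": "assistant@corp.example",
     "mailbox": "ceo@corp.example"},
    {"ts": "2026-03-02T11:00:00Z", "op": "DelegationGranted", "actor": "helpdesk@corp.example",
     "mailbox": "cfo@corp.example", "delegate": "contractor@corp.example", "right": "SendAs"},
    {"ts": "2026-03-02T11:05:00Z", "op": "RuleCreated", "actor": "contractor@corp.example",
     "mailbox": "cfo@corp.example", "rule": "forward", "target": "archive@outside.example"},
    {"ts": "2026-03-02T11:20:00Z", "op": "SendAs", "actor": "contractor@corp.example",
     "mailbox": "cfo@corp.example"},
    {"ts": "2026-03-02T14:00:00Z", "op": "SendAs", "actor": "svc-notify@corp.example",
     "mailbox": "noreply@corp.example"},
]

# Approved delegated-send inventory: (mailbox, delegate, right). This is the
# reviewed baseline the mitigation list calls for; constructed here.
APPROVED = {
    ("ceo@corp.example", "assistant@corp.example", "SendOnBehalf"),
    ("noreply@corp.example", "svc-notify@corp.example", "SendAs"),
}

# How long after a grant a delegated send still counts as "newly granted" (assumed value).
NEW_GRANT_WINDOW = timedelta(hours=24)
RISKY_RULES = {"forward", "autoreply"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Finding:
    mailbox: str
    delegate: str
    right: str
    severity: str
    reasons: list


def detect(events, approved=APPROVED, window=NEW_GRANT_WINDOW):
    """Replay events in time order; flag SendAs/SendOnBehalf that is outside the
    approved inventory, follows a recent grant, or follows a forward/auto-reply rule."""
    grants = {}  # (mailbox, delegate) -> (right, granted_at, granted_by)
    rules = {}   # mailbox -> [(created_at, actor, rule_type, target)]
    findings = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts = parse_ts(e["ts"])
        if e["op"] == "DelegationGranted":
            grants[(e["mailbox"], e["delegate"])] = (e["right"], ts, e["actor"])
        elif e["op"] == "RuleCreated":
            rules.setdefault(e["mailbox"], []).append((ts, e["actor"], e["rule"], e["target"]))
        elif e["op"] in ("SendAs", "SendOnBehalf"):
            sanctioned = (e["mailbox"], e["actor"], e["op"]) in approved
            reasons = []
            if not sanctioned:
                reasons.append("delegated send relationship not in approved inventory")
            grant = grants.get((e["mailbox"], e["actor"]))
            if grant and ts - grant[1] <= window:
                reasons.append(f"{e['op']} right granted {ts - grant[1]} earlier by {grant[2]}")
            # Forward/auto-reply rules created after the grant and before this send.
            rule_hits = [
                f"{rtype} rule to {target} created by {actor} before this send"
                for created, actor, rtype, target in rules.get(e["mailbox"], [])
                if rtype in RISKY_RULES and created <= ts
                and (grant is None or created >= grant[1])
            ]
            reasons.extend(rule_hits)
            # Tuning: an inventoried relationship with no rule change is expected
            # behaviour (e.g. an assistant just onboarded), so it is not alerted.
            if sanctioned and not rule_hits:
                continue
            if reasons:
                severity = "high" if rule_hits else "medium"
                findings.append(Finding(e["mailbox"], e["actor"], e["op"], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.delegate} used {f.right} on {f.mailbox}")
        for r in f.reasons:
            print("   -", r)
```

Run on the sample stream, the assistant's SendOnBehalf and the service account's SendAs are suppressed because they match the inventory and no rule was touched, while the contractor's SendAs on the CFO mailbox produces one high-severity finding carrying three reasons: it is not inventoried, the right was granted twenty minutes earlier by a help desk account, and an external forwarding rule was created in between. In production the inventory would come from the reviewed delegation register and the grant history from retained admin audit logs, which is why the page stresses log retention: without the historical permission state, the "newly granted" reason cannot be computed.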

Analyst notes and limits

ATT&CK provides a clear analytic intent but no formal detection logic, tactic mapping, or relationship context for this object. The strongest defensive value comes from correlating delegated-send permission changes with mailbox rule activity and subsequent send behavior. Local business context is essential because delegated sending is often legitimate in SaaS mail environments.

This take is limited to the supplied STIX fields, official description, external reference, and absence of relationships. It does not assert active exploitation, specific adversary use, impact, or existing detection coverage. Exact event names, APIs, log fields, thresholds, and retention requirements must be validated in the organization’s Google Workspace, Microsoft 365, and Okta-integrated app configurations.

Official MITRE ATT&CK definition

Analytic 0795

Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 53968a03ced49c75...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   53968a03ced4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0795 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.