MITRE ATT&CK® Analytic

AN1546: Analytic 1546

Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.

Enterprise · AN1546 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting abuse of legitimate accounts through identity provider logs. For leaders, the practical value is that many serious incidents begin with a valid login rather than obvious malware. Signals such as geographic anomalies, impossible travel, risky sign-ins, and repeated MFA failures can help distinguish normal workforce access from account misuse that may threaten business continuity and sensitive systems.

Executive priority

Prioritize this as an identity and SOC readiness control. Executives should ask whether the organization can reliably detect suspicious use of valid accounts in the identity provider, whether MFA failure patterns are reviewed quickly, and whether identity alerts produce usable evidence for incident response, audit, and access-risk decisions. This is especially important where cloud or SaaS access depends heavily on the IdP.

Technical view

Validate that IdP logs are collected, retained, normalized, and monitored for the analytic conditions named by ATT&CK: geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures. Because no ATT&CK detection logic or relationships are supplied, teams should test this against local identity baselines, expected travel patterns, VPN/proxy behavior, and MFA retry norms before treating alerts as high confidence.

Likely telemetry

  • Identity provider sign-in logs
  • User account identifiers and authentication outcomes
  • Source IP address and derived geolocation data
  • Timestamps sufficient to evaluate impossible travel
  • Risky sign-in indicators from the IdP

Detection direction

  • Confirm that IdP authentication logs are onboarded to the SOC or SIEM with consistent user, time, IP, geolocation, risk, and MFA fields.
  • Tune geographic anomaly and impossible-travel logic for known business travel, remote work, VPNs, proxies, and mobile networks to reduce false positives.
  • Review repeated MFA attempts or failures as potential account abuse indicators, while accounting for user error, device changes, and help desk activity.
  • Correlate suspicious sign-ins with subsequent access activity where available, but do not assume compromise from the analytic alone.
  • Document gaps where the IdP does not provide risky sign-in scoring, MFA detail, or reliable geolocation.
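The two checks listed above that lend themselves to code are impossible travel (implied speed between consecutive sign-ins) and bursts of MFA failures. The script below is an added example, not MITRE's analytic logic or Glexia's code: it runs both checks over a handful of constructed IdP sign-in events (documentation-range IPs, city-centre coordinates) and shows the tuning the list calls for, an allowlist of known VPN/proxy egress IPs and a minimum hop distance to absorb geolocation jitter. The `SignIn` field names, the 900 km/h ceiling and the 10-minute MFA window are assumptions to be replaced by local baselines.

```python
"""Added example (not MITRE or Glexia code): impossible-travel and repeated-MFA-failure
checks over constructed IdP sign-in events, with a VPN/proxy egress allowlist for tuning."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime          # event time (UTC assumed)
    ip: str               # source IP as recorded by the IdP
    lat: float            # geolocation derived from the IP
    lon: float
    mfa_result: str       # "success", "failure" or "none" (no MFA prompt)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0,
                      known_egress_ips=frozenset()):
    """Flag consecutive sign-ins by one user whose implied travel speed exceeds
    max_speed_kmh. Pairs touching a known VPN/proxy egress IP are skipped and
    short hops are ignored so geolocation jitter does not raise alerts."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip in known_egress_ips or cur.ip in known_egress_ips:
                continue
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= min_distance_km and speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev.ip, "to_ip": cur.ip,
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed)})
    return alerts


def repeated_mfa_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with at least `threshold` MFA failures inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e.mfa_result == "failure":
            failures[e.user].append(e.ts)
    alerts = []
    for user, times in failures.items():
        times.sort()
        recent = deque()
        best, best_end = 0, None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:      # drop failures older than the window
                recent.popleft()
            if len(recent) > best:
                best, best_end = len(recent), t
        if best >= threshold:
            alerts.append({"user": user, "failures": best, "window_end": best_end})
    return alerts


T0 = datetime(2026, 1, 15, 7, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed sample events (not real telemetry): documentation-range IPs, city-centre coordinates.
SAMPLE_EVENTS = [
    # alice: London, then New York 30 minutes later -> impossible travel
    SignIn("alice", at(120), "203.0.113.10", 51.5074, -0.1278, "success"),
    SignIn("alice", at(150), "203.0.113.77", 40.7128, -74.0060, "success"),
    # bob: Berlin, then corporate VPN egress geolocated to Sydney, then Berlin again
    SignIn("bob", at(60), "203.0.113.20", 52.5200, 13.4050, "success"),
    SignIn("bob", at(75), "198.51.100.9", -33.8688, 151.2093, "success"),
    SignIn("bob", at(180), "203.0.113.20", 52.5200, 13.4050, "success"),
    # carol: one stray failure, then a burst of four failures before a success
    SignIn("carol", at(0), "203.0.113.30", 48.8566, 2.3522, "failure"),
    SignIn("carol", at(120), "203.0.113.30", 48.8566, 2.3522, "failure"),
    SignIn("carol", at(121), "203.0.113.30", 48.8566, 2.3522, "failure"),
    SignIn("carol", at(123), "203.0.113.30", 48.8566, 2.3522, "failure"),
    SignIn("carol", at(124), "203.0.113.30", 48.8566, 2.3522, "failure"),
    SignIn("carol", at(125), "203.0.113.30", 48.8566, 2.3522, "success"),
]

CORPORATE_EGRESS = frozenset({"198.51.100.9"})   # assumed VPN egress allowlist

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS, known_egress_ips=CORPORATE_EGRESS):
        print("impossible travel:", a)
    for a in repeated_mfa_failures(SAMPLE_EVENTS):
        print("repeated MFA failures:", a)
```

Without the egress allowlist, bob's VPN hop produces two impossible-travel alerts on its own; with it, only alice's London-to-New-York pair remains. Carol's early failure falls outside the 10-minute window and does not count toward her burst, which is the distinction between user error and a concentrated MFA attack that the list item above asks analysts to keep in mind.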

Mitigation priorities

  • Ensure identity provider logging and retention are sufficient for investigation and compliance evidence.
  • Enforce and monitor MFA, with attention to repeated prompts, failures, and unusual authentication patterns.
  • Maintain current user access baselines, including expected locations and remote access patterns.
  • Define SOC triage and incident response playbooks for suspected valid-account abuse in the IdP.
  • Periodically validate alert logic using approved internal testing or historical benign cases to confirm usability.

Analyst notes and limits

The supplied object is a detection analytic for the Identity Provider platform. It has no mapped tactics, no relationships, and no official detection query. Treat it as guidance for what identity signals to validate rather than as a complete detection package.

This take is limited to the official STIX fields and external reference supplied. It does not establish attacker attribution, active exploitation, affected products, guaranteed detection coverage, or specific response actions beyond identity-provider monitoring and validation needs.

Official MITRE ATT&CK definition

Analytic 1546

Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f680f111b8b71589...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | f680f111b8b7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1546 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.