diff --git a/PowerShell/ScubaGear/baselines/aad.md b/PowerShell/ScubaGear/baselines/aad.md index 46e420fc38..0dce42b13d 100644 --- a/PowerShell/ScubaGear/baselines/aad.md +++ b/PowerShell/ScubaGear/baselines/aad.md @@ -66,6 +66,13 @@ Legacy authentication SHALL be blocked. - _Rationale:_ The security risk of allowing legacy authentication protocols is they do not support MFA. Blocking legacy protocols reduces the impact of user credential theft. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) + - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) + - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) + - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) ### Resources @@ -101,6 +108,9 @@ Users detected as high risk SHALL be blocked. - _Rationale:_ Blocking high-risk users may prevent compromised accounts from accessing the tenant. - _Last modified:_ June 2023 - _Note:_ Users identified as high risk by Azure AD Identity Protection can be blocked from accessing the system via an Azure AD Conditional Access policy. A high-risk user will be blocked until an administrator remediates their account. +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) #### MS.AAD.2.2v1 A notification SHOULD be sent to the administrator when high-risk users are detected. 
@@ -108,6 +118,9 @@ A notification SHOULD be sent to the administrator when high-risk users are dete - _Rationale:_ Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) #### MS.AAD.2.3v1 Sign-ins detected as high risk SHALL be blocked. @@ -115,6 +128,9 @@ Sign-ins detected as high risk SHALL be blocked. - _Rationale:_ This prevents compromised accounts from accessing the tenant. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) ### Resources @@ -184,6 +200,10 @@ If on-premises PIV authentication and federation to Azure AD is used, [enforce P - _Rationale:_ Weaker forms of MFA do not protect against sophisticated phishing attacks. By enforcing methods resistant to phishing, those risks are minimized. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) #### MS.AAD.3.2v1 If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. 
@@ -192,13 +212,24 @@ If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL - _Rationale:_ This is a stopgap security policy to help protect the tenant if phishing-resistant MFA has not been enforced. This policy requires MFA enforcement, thus reducing single-form authentication risk. - _Last modified:_ June 2023 - _Note:_ If a conditional access policy has been created enforcing phishing-resistant MFA, then this policy is not necessary. This policy does not dictate the specific MFA method. - +- _MITRE ATT&CK TTP Mapping:_ + - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) + - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) + - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) + - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + #### MS.AAD.3.3v1 If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. - _Rationale:_ This stopgap security policy helps protect the tenant when phishing-resistant MFA has not been enforced and Microsoft Authenticator is used. This policy helps improve the security of Microsoft Authenticator by showing user context information, which helps reduce MFA phishing compromises. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) + - [T1110.001: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) + - [T1110.002: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) + - [T1110.003: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + #### MS.AAD.3.4v1 The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. 
@@ -214,6 +245,10 @@ The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SH - _Rationale:_ SMS, voice call, and email OTP are the weakest authenticators. This policy forces users to use stronger MFA methods. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the tenant has their Manage Migration feature set to Migration Complete. +- _MITRE ATT&CK TTP Mapping:_ + - [T1621: Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) #### MS.AAD.3.6v1 Phishing-resistant MFA SHALL be required for highly privileged roles. @@ -222,6 +257,12 @@ Phishing-resistant MFA SHALL be required for highly privileged roles. - _Rationale:_ This is a backup security policy to help protect privileged access to the tenant if the conditional access policy, which requires MFA for all users, is disabled or misconfigured. - _Last modified:_ June 2023 - _Note:_ Refer to the Highly Privileged Roles section at the top of this document for a reference list of roles considered highly privileged. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) #### MS.AAD.3.7v1 Managed devices SHOULD be required for authentication. 
@@ -229,6 +270,9 @@ Managed devices SHOULD be required for authentication. - _Rationale:_ The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. [OMB-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) states, "When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user." - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) #### MS.AAD.3.8v1 Managed Devices SHOULD be required to register MFA. @@ -236,6 +280,11 @@ Managed Devices SHOULD be required to register MFA. - _Rationale:_ Reduce risk of an adversary using stolen user credentials and then registering their own MFA device to access the tenant by requiring a managed device provisioned and controlled by the agency to perform registration actions. This prevents the adversary from using their own unmanaged device to perform the registration. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T078/004/) + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.005: Device Registration](https://attack.mitre.org/techniques/T1098/005/) ### Resources 
@@ -349,6 +398,9 @@ Security logs SHALL be sent to the agency's security operations center for monit - _Last modified:_ June 2023 - _Note:_ The following logs (configured in Azure AD diagnostic settings), are required: `AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents, EnrichedOffice365AuditLogs, MicrosoftGraphActivityLogs`. If managed identities are used for Azure resources, also send the `ManagedIdentitySignInLogs` log type. If the Azure AD Provisioning Service is used to provision users to software-as-a-service (SaaS) apps or other systems, also send the `ProvisioningLogs` log type. - _Note:_ Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at cyberliason@cisa.dhs.gov to request integration instructions. +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) ### Resources 
@@ -379,6 +431,10 @@ Only administrators SHALL be allowed to register applications. - _Rationale:_ Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.5.2v1 Only administrators SHALL be allowed to consent to applications. @@ -386,6 +442,10 @@ Only administrators SHALL be allowed to consent to applications. - _Rationale:_ Limiting applications consent to only specific privileged users reduces risk of users giving insecure applications access to their data via [consent grant attacks](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide). - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.5.3v1 An admin consent workflow SHALL be configured for applications. 
@@ -393,6 +453,10 @@ An admin consent workflow SHALL be configured for applications. - _Rationale:_ Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.5.4v1 Group owners SHALL NOT be allowed to consent to applications. @@ -400,6 +464,10 @@ Group owners SHALL NOT be allowed to consent to applications. - _Rationale:_ In M365, group owners and team owners can consent to applications accessing data in the tenant. By requiring consent requests to go through an approval workflow, risk of exposure to malicious applications is reduced. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.001: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) ### Resources 
@@ -502,6 +570,9 @@ A minimum of two users and a maximum of eight users SHALL be provisioned with th - _Rationale:_ The Global Administrator role provides unfettered access to the tenant. Limiting the number of users with this level of access makes tenant compromise more challenging. Microsoft recommends fewer than five users in the Global Administrator role. However, additional user accounts, up to eight, may be necessary to support emergency access and some operational scenarios. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.7.2v1 Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. @@ -509,6 +580,12 @@ Privileged users SHALL be provisioned with finer-grained roles instead of Global - _Rationale:_ Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1651: Cloud Administration Command](https://attack.mitre.org/techniques/T1651/) + - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/) + - [T1136.003: Cloud Account](https://attack.mitre.org/techniques/T1136/003/) #### MS.AAD.7.3v1 Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. 
@@ -516,6 +593,9 @@ Privileged users SHALL be provisioned cloud-only accounts separate from an on-pr - _Rationale:_ By provisioning cloud-only Azure AD user accounts to privileged users, the risks associated with a compromise of on-premises federation infrastructure are reduced. It is more challenging for the adversary to pivot from the compromised environment to the cloud with privileged access. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1556: Modify Authentication Process](https://attack.mitre.org/techniques/T1556/) + - [T1556.007: Hybrid Identity](https://attack.mitre.org/techniques/T1556/007/) #### MS.AAD.7.4v1 Permanent active role assignments SHALL NOT be allowed for highly privileged roles. @@ -526,6 +606,9 @@ Permanent active role assignments SHALL NOT be allowed for highly privileged rol - _Note:_ Exceptions to this policy are: - Emergency access accounts that need perpetual access to the tenant in the rare event of system degradation or other scenarios. - Some types of service accounts that require a user account with privileged roles; since these accounts are used by software programs, they cannot perform role activation. +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.7.5v1 Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. 
@@ -533,6 +616,8 @@ Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM s - _Rationale:_ Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1651: Cloud Administration Command](https://attack.mitre.org/techniques/T1651/) #### MS.AAD.7.6v1 Activation of the Global Administrator role SHALL require approval. @@ -540,6 +625,9 @@ Activation of the Global Administrator role SHALL require approval. - _Rationale:_ Requiring approval for a user to activate Global Administrator, which provides unfettered access, makes it more challenging for an attacker to compromise the tenant with stolen credentials and it provides visibility of activities indicating a compromise is taking place. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.7.7v1 Eligible and Active highly privileged role assignments SHALL trigger an alert. @@ -547,6 +635,9 @@ Eligible and Active highly privileged role assignments SHALL trigger an alert. - _Rationale:_ Closely monitor assignment of the highest privileged roles for signs of compromise. Send assignment alerts to enable the security monitoring team to detect compromise attempts. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.7.8v1 User activation of the Global Administrator role SHALL trigger an alert. 
@@ -555,6 +646,9 @@ User activation of the Global Administrator role SHALL trigger an alert. - _Rationale:_ Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. - _Last modified:_ June 2023 - _Note:_ It is recommended to prioritize user activation of Global Administrator as one of the most important events to monitor and respond to. +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.7.9v1 User activation of other highly privileged roles SHOULD trigger an alert. @@ -562,6 +656,12 @@ User activation of other highly privileged roles SHOULD trigger an alert. - _Rationale:_ Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts. In some environments, activating privileged roles can generate a significant number of alerts. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) + - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/) + - [T1136.003: Cloud Account](https://attack.mitre.org/techniques/T1136/003/) + ### Resources 
@@ -715,6 +815,11 @@ Guest users SHOULD have limited or restricted access to Azure AD directory objec - _Rationale:_ Limiting the amount of object information available to guest users in the tenant, reduces malicious reconnaissance exposure, should a guest account become compromised or be created by an adversary. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1087: Account Discovery](https://attack.mitre.org/techniques/T1087/) + - [T1087.003: Email Account](https://attack.mitre.org/techniques/T1087/003/) + - [T1087.004: Cloud Account](https://attack.mitre.org/techniques/T1087/004/) + - [T1526: Cloud Service Discovery](https://attack.mitre.org/techniques/T1526/) #### MS.AAD.8.2v1 Only users with the Guest Inviter role SHOULD be able to invite guest users. @@ -722,6 +827,9 @@ Only users with the Guest Inviter role SHOULD be able to invite guest users. - _Rationale:_ By only allowing an authorized group of individuals to invite external users to create accounts in the tenant, an agency can enforce a guest user account approval process, reducing the risk of unauthorized account creation. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) #### MS.AAD.8.3v1 Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. 
@@ -729,6 +837,9 @@ Guest invites SHOULD only be allowed to specific external domains that have been - _Rationale:_ Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) ### Resources diff --git a/PowerShell/ScubaGear/baselines/defender.md b/PowerShell/ScubaGear/baselines/defender.md index c5c78cebfd..2de6b3338f 100644 --- a/PowerShell/ScubaGear/baselines/defender.md +++ b/PowerShell/ScubaGear/baselines/defender.md @@ -78,6 +78,12 @@ The standard and strict preset security policies SHALL be enabled. - _Rationale:_ Defender includes a large number of features and settings to protect users against threats. Using the preset security policies, administrators can help ensure all new and existing users automatically have secure defaults applied. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) + #### MS.DEFENDER.1.2v1 All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. 
@@ -89,6 +95,11 @@ All users SHALL be added to Exchange Online Protection in either the standard or - The standard and strict preset security policies must be enabled as directed by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied. - Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming, as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) #### MS.DEFENDER.1.3v1 All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy. 
@@ -100,6 +111,11 @@ All users SHALL be added to Defender for Office 365 protection in either the sta - The standard and strict preset security policies must be enabled as directed by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied. - Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) #### MS.DEFENDER.1.4v1 Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. @@ -109,6 +125,10 @@ Sensitive accounts SHALL be added to Exchange Online Protection in the strict pr - _Last modified:_ June 2023 - _Note:_ The strict preset security policy must be enabled to protect sensitive accounts. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) #### MS.DEFENDER.1.5v1 Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy. 
@@ -118,6 +138,10 @@ Sensitive accounts SHALL be added to Defender for Office 365 protection in the s - _Last modified:_ June 2023 - _Note:_ The strict preset security policy must be enabled to protect sensitive accounts. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) ### Resources @@ -226,6 +250,11 @@ User impersonation protection SHOULD be enabled for sensitive accounts in both t - _Last modified:_ June 2023 - _Note:_ The standard and strict preset security policies must be enabled to protect accounts. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) #### MS.DEFENDER.2.2v1 Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies. @@ -235,6 +264,11 @@ Domain impersonation protection SHOULD be enabled for domains owned by the agenc - _Last modified:_ June 2023 - _Note:_ The standard and strict preset security policies must be enabled to protect agency domains. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) #### MS.DEFENDER.2.3v1 Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies. 
@@ -244,6 +278,11 @@ Domain impersonation protection SHOULD be added for important partners in both t - _Last modified:_ June 2023 - _Note:_ The standard and strict preset security policies must be enabled to protect partner domains. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) ### Resources @@ -331,6 +370,12 @@ Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams - _Rationale:_ Clicking malicious links makes users vulnerable to attacks, and this danger is not limited to links in emails. Other Microsoft products, such as Microsoft Teams, can be used to present users with malicious links. As such, it is important to protect users on these other Microsoft products as well. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1204.001: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) ### Resources 
@@ -391,6 +436,10 @@ A custom policy SHALL be configured to protect PII and sensitive information, as provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) #### MS.DEFENDER.4.2v1 The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. @@ -402,6 +451,12 @@ The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams cha - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy configured in [MS.DEFENDER.4.1v1](#msdefender41v1). +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213.002/) + #### MS.DEFENDER.4.3v1 The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. 
@@ -412,6 +467,10 @@ The action for the custom policy SHOULD be set to block sharing sensitive inform - _Last modified:_ June 2023 - _Note:_ The custom policy referenced here is the same policy configured in [MS.DEFENDER.4.1v1](#msdefender41v1). +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) #### MS.DEFENDER.4.4v1 Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy. @@ -425,6 +484,7 @@ Notifications to inform users and help educate them on the proper use of sensiti - _Note:_ The custom policy referenced here is the same policy configured in [MS.DEFENDER.4.1v1](#msdefender41v1). + #### MS.DEFENDER.4.5v1 A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined. @@ -435,6 +495,10 @@ A list of apps that are restricted from accessing files protected by DLP policy possible to use DLP policies to restrict those apps' access to sensitive information on endpoints using Defender. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) #### MS.DEFENDER.4.6v1 The custom policy SHOULD include an action to block access to sensitive 
@@ -454,6 +518,11 @@ information by restricted apps and unwanted Bluetooth applications. - This action can only be included if at least one device is onboarded to the agency tenant. Otherwise, the option to block restricted apps will not be available. +- _MITRE ATT&CK TTP Mapping:_ + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1486: Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) ### Resources @@ -644,6 +713,9 @@ At a minimum, the alerts required by the CISA M365 Security Configuration Baseli - _Rationale:_ Potentially malicious or service-impacting events may go undetected without a means of detecting these events. Setting up a mechanism to alert administrators to the list of events linked above draws attention to them to minimize any impact to users and the agency. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) #### MS.DEFENDER.5.2v1 The alerts SHOULD be sent to a monitored address or incorporated into a SIEM. @@ -651,6 +723,9 @@ The alerts SHOULD be sent to a monitored address or incorporated into a SIEM. - _Rationale:_ Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. Sending alerts to a monitored email address or Security Information and Event Management (SIEM) system helps ensure events are acted upon in a timely manner to limit overall impact. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) ### Resources 
@@ -730,6 +805,10 @@ Microsoft Purview Audit (Standard) logging SHALL be enabled. - _Rationale:_ Responding to incidents without detailed information about activities that took place slows response actions. Enabling Microsoft Purview Audit (Standard) helps ensure agencies have visibility into user actions. Furthermore, enabling the unified audit log is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs). - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + #### MS.DEFENDER.6.2v1 Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. @@ -743,6 +822,8 @@ Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. Audit (Standard) subscribers. After rollout of changes are complete, Purview (Standard) may be sufficient for agencies to meet basic logging requirements. +- _MITRE ATT&CK TTP Mapping:_ + - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) #### MS.DEFENDER.6.3v1 Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31. @@ -756,6 +837,9 @@ Audit logs SHALL be maintained for at least the minimum duration dictated by OMB Additional record types require custom audit retention policies. Agencies may also consider alternate storage locations and services to meet audit log retention needs. +- _MITRE ATT&CK TTP Mapping:_ + - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) + ### Resources diff --git a/PowerShell/ScubaGear/baselines/exo.md b/PowerShell/ScubaGear/baselines/exo.md index 3bc69e7426..4a54228eae 100644 --- a/PowerShell/ScubaGear/baselines/exo.md +++ b/PowerShell/ScubaGear/baselines/exo.md 
@@ -69,6 +69,11 @@ external domains prevents this technique when the adversary is external to the organization but does not impede legitimate internal forwarding. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) ### Resources @@ -127,6 +132,10 @@ An SPF policy SHALL be published for each domain, designating only these address of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Publishing an SPF policy for each agency domain mitigates forged `FROM` fields by providing a means for recipients to detect emails spoofed in this way. SPF is required for FCEB departments and agencies by Binding Operational Directive (BOD) 18-01, "Enhance Email and Web Security". - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + ### Resources @@ -197,6 +206,10 @@ of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) ### Resources 
@@ -245,6 +258,10 @@ may improperly handle SPF and DKIM failures, possibly enabling spoofed emails to reach end users' mailboxes. Publishing DMARC records at the second-level domain protects the second-level domains and all subdomains. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) #### MS.EXO.4.2v1 The DMARC message rejection option SHALL be p=reject. @@ -254,6 +271,10 @@ The DMARC message rejection option SHALL be p=reject. reject provides the strongest protection. Reject is the level of protection required by BOD 18-01 for FCEB departments and agencies. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) #### MS.EXO.4.3v1 The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. @@ -265,6 +286,8 @@ Including as a point of contact for these reports - _Last modified:_ June 2023 - _Note:_ Only federal, executive branch, departments and agencies should include this email address in their DMARC record. +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) #### MS.EXO.4.4v1 An agency point of contact SHOULD be included for aggregate and failure reports. @@ -275,6 +298,8 @@ owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including an agency point of contact gives the agency insight into attempts to spoof their domains. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) ### Resources 
@@ -396,6 +421,10 @@ Contact folders SHALL NOT be shared with all domains. for specific legitimate use as needed. - _Last modified:_ June 2023 - _Note:_ Contact folders MAY be shared with specific domains. +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + #### MS.EXO.6.2v1 Calendar details SHALL NOT be shared with all domains. @@ -405,6 +434,9 @@ Calendar details SHALL NOT be shared with all domains. for legitimate use as needed. - _Last modified:_ June 2023 - _Note:_ Calendar details MAY be shared with specific domains. +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) ### Resources @@ -535,6 +567,11 @@ A DLP solution SHALL be used. - _Rationale:_ Users may inadvertently disclose sensitive information to unauthorized individuals. A DLP solution may detect the presence of sensitive information in Exchange Online and block access to unauthorized entities. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + #### MS.EXO.8.2v2 The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. 
@@ -542,6 +579,13 @@ The DLP solution SHALL protect personally identifiable information (PII) and sen - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + #### MS.EXO.8.3v1 The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. @@ -549,6 +593,11 @@ The selected DLP solution SHOULD offer services comparable to the native DLP sol - _Rationale:_ Any alternative DLP solution should be able to detect sensitive information in Exchange Online and block access to unauthorized entities. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + #### MS.EXO.8.4v1 At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. 
@@ -556,6 +605,13 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + ### Resources @@ -568,6 +624,7 @@ At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. ### Implementation #### MS.EXO.8.1v2 Instructions + Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. #### MS.EXO.8.2v2 Instructions @@ -576,6 +633,7 @@ Any product meeting the requirements outlined in this baseline policy may be use #### MS.EXO.8.3v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [DLP](./defender.md#implementation-3) for additional guidance. + #### MS.EXO.8.4v1 Instructions Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for [protecting PII](./defender.md#msdefender41v1-instructions) for additional guidance. 
@@ -607,6 +665,9 @@ than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) #### MS.EXO.9.2v1 The attachment filter SHOULD attempt to determine the true file type and assess the file extension. @@ -614,6 +675,11 @@ The attachment filter SHOULD attempt to determine the true file type and assess - _Rationale:_ Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1036: Masquerading](https://attack.mitre.org/techniques/T1036/) + - [T1036.006: Space after Filename](https://attack.mitre.org/techniques/T1036/006/) + - [T1036.007: Double File Extension](https://attack.mitre.org/techniques/T1036/007/) + - [T1036.008: Masquerade File Type](https://attack.mitre.org/techniques/T1036/008/) #### MS.EXO.9.3v2 Disallowed file types SHALL be determined and enforced. 
@@ -624,6 +690,10 @@ though other file types can contain malicious content as well. As such, determining the full list of file types to block is left to each organization, to be made in accordance with their risk tolerance. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + #### MS.EXO.9.4v1 Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. @@ -635,6 +705,10 @@ than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + #### MS.EXO.9.5v1 At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). @@ -643,6 +717,10 @@ At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). - _Rationale:_ Malicious attachments often take the form of click-to-run files. Blocking a list of common executable files helps mitigate the risk of adversarial exploitation. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + ### Resources @@ -689,6 +767,7 @@ implementation steps for [enabling preset security policies](./defender.md#implementation), which disallow click-to-run file types. + ## 10. Malware Scanning Email messages may include attachments that contain malware. Therefore, email 
@@ -718,6 +797,9 @@ Emails SHALL be scanned for malware. In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) #### MS.EXO.10.2v1 Emails identified as containing malware SHALL be quarantined or dropped. @@ -727,6 +809,8 @@ Emails identified as containing malware SHALL be quarantined or dropped. Preventing emails with known malware from reaching user mailboxes helps ensure users cannot interact with those emails. - _Last modified:_ June 2023 + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) #### MS.EXO.10.3v1 Email scanning SHALL be capable of reviewing emails after delivery. @@ -734,6 +818,9 @@ Email scanning SHALL be capable of reviewing emails after delivery. - _Rationale:_ As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails, the number of malware-infected in users' mailboxes can be reduced. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) ### Resources 
@@ -806,6 +893,9 @@ if the `FROM` address is nearly indistinguishable from that of a known entity. By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) #### MS.EXO.11.2v1 User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. @@ -816,6 +906,9 @@ unusual characters in the `FROM` address or identifying a first-time sender. User warnings can handle these tasks, reducing the burden on end users and the risk of successful phishing attempts. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) #### MS.EXO.11.3v1 The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. @@ -823,6 +916,9 @@ The phishing protection solution SHOULD include an AI-based phishing detection t - _Rationale:_ Phishing attacks can result in unauthorized data disclosure and unauthorized access. Using AI-based phishing detection tools to improve the detection rate of phishing attempts helps reduce the risk of successful phishing attacks. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) ### Resources 
@@ -968,7 +1064,18 @@ Mailbox auditing SHALL be enabled. - _Rationale:_ Exchange Online user accounts can be compromised or misused. Enabling mailbox auditing provides a valuable source of information to detect and respond to mailbox misuse. - _Last modified:_ June 2023 - +- _MITRE ATT&CK TTP Mapping:_ + - [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/) + - [T1070.008: Clear Mailbox Data](https://attack.mitre.org/techniques/T1070/008/) + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.002: Additional Email Delegate Permissions](https://attack.mitre.org/techniques/T1098/002/) + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) + - [T1586: Compromise Accounts](https://attack.mitre.org/techniques/T1586/) + - [T1586.002: Email Accounts](https://attack.mitre.org/techniques/T1586/002/) + - [T1564: Hide Artifacts](https://attack.mitre.org/techniques/T1564/) + - [T1564.008: Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008/) + ### Resources - [Manage mailbox auditing in Office 365 \| Microsoft @@ -1033,6 +1140,9 @@ A spam filter SHALL be enabled. - _Rationale:_ Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure. - _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + #### MS.EXO.14.2v1 Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. 
@@ -1041,6 +1151,8 @@ Spam and high confidence spam SHALL be moved to either the junk email folder or - _Rationale:_ Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Moving spam messages to a separate junk or quarantine folder helps users filter out spam while still giving them the ability to review messages, as needed, in case a message is filtered incorrectly. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) #### MS.EXO.14.3v1 Allowed domains SHALL NOT be added to inbound anti-spam protection policies. @@ -1053,6 +1165,17 @@ a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections. - _Last modified:_ June 2023 - _Note:_ Allowed senders MAY be added. +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + +#### MS.EXO.14.4v1 +If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. + + +- _Rationale:_ Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure. +- _Last modified:_ May 2024 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) #### MS.EXO.14.4v1 If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. 
@@ -1141,6 +1264,9 @@ URL comparison with a block-list SHOULD be enabled. - _Rationale:_ Users may be directed to malicious websites via links in email. Blocking access to known, malicious URLs can prevent users from accessing known malicious websites. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) #### MS.EXO.15.2v1 Direct download links SHOULD be scanned for malware. @@ -1150,6 +1276,9 @@ Direct download links SHOULD be scanned for malware. Scanning direct download links in real-time for known malware and blocking access can prevent users from infecting their devices. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) #### MS.EXO.15.3v1 User click tracking SHOULD be enabled. @@ -1157,6 +1286,9 @@ User click tracking SHOULD be enabled. - _Rationale:_ Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) ### Resources 
@@ -1236,6 +1368,14 @@ At a minimum, the following alerts SHALL be enabled: to alert administrators to events listed above draws attention to them to help minimize impact to users and the agency. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) #### MS.EXO.16.2v1 The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. @@ -1247,6 +1387,9 @@ The alerts SHOULD be sent to a monitored address or incorporated into a security malicious events are acted upon in a timely manner to limit overall impact. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/) ### Resources @@ -1313,6 +1456,9 @@ actions. Furthermore, Microsoft Purview Audit (Standard) is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs). - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) #### MS.EXO.17.2v1 Microsoft Purview Audit (Premium) logging SHALL be enabled. 
@@ -1329,6 +1475,9 @@ Furthermore, it is required for government agencies by OMB M-21-13 (referred to Audit (Standard) subscribers. After rollout of changes are complete, Purview (Standard) may be sufficient for agencies to meet basic logging requirements. +- _MITRE ATT&CK TTP Mapping:_ + - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) + - [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) #### MS.EXO.17.3v1 Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). diff --git a/PowerShell/ScubaGear/baselines/powerbi.md b/PowerShell/ScubaGear/baselines/powerbi.md index 78e75ec055..2b60cd2c9f 100644 --- a/PowerShell/ScubaGear/baselines/powerbi.md +++ b/PowerShell/ScubaGear/baselines/powerbi.md @@ -67,6 +67,8 @@ The Publish to Web feature SHOULD be disabled unless the agency mission requires - _Rationale:_ A publicly accessible web URL can be accessed by everyone, including malicious actors. This policy limits information available on the public web that is not specifically allowed to be published. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) ### Resources 
@@ -103,6 +105,12 @@ Guest user access to the Power BI tenant SHOULD be disabled unless the agency mi - _Rationale:_ Disabling external access to Power BI helps keep guest users from accessing potentially risky data and application programming interfaces (APIs). If an agency needs to allow guest access, this can be limited to users in specific security groups to curb risk. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) ### Resources @@ -158,6 +166,13 @@ The Invite external users to your organization feature SHOULD be disabled unless - _Last modified:_ June 2023 > Note: > If this feature is disabled, existing guest users in the tenant continue to have access to Power BI items they already had access to and continue to be listed in user picker experiences. After it is disabled, an external user who is not already a guest user cannot be added to the tenant through Power BI. +- _MITRE ATT&CK TTP Mapping:_ + - [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) + - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) ### Resources 
@@ -219,6 +234,9 @@ Service principals with access to APIs SHOULD be restricted to specific security - _Rationale:_ With unrestricted service principals, unwanted access to APIs is possible. Allowing service principals through security groups, and only where necessary, mitigates this risk. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) + - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) #### MS.POWERBI.4.2v1 Service principals creating and using profiles SHOULD be restricted to specific security groups. @@ -226,6 +244,9 @@ Service principals creating and using profiles SHOULD be restricted to specific - _Rationale:_ With unrestricted service principals creating/using profiles, there is risk of an unauthorized user using a profile with more permissions than they have. Allowing service principals through security groups will mitigate that risk. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) + - [T1098.003: Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003/) ### Resources @@ -301,6 +322,11 @@ ResourceKey-based authentication SHOULD be blocked unless a specific use case (e - _Rationale:_ If resource keys are allowed, someone can move data without Azure AD OAuth bearer token, causing possibly malicious or junk data to be stored. Disabling resource keys reduces risk that an unauthorized individual will make changes. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1134: Access Token Manipulation](https://attack.mitre.org/techniques/T1134/) + - [T1134.001: Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001/) + - [T1134.003: Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003/) + ### Resources 
@@ -344,6 +370,11 @@ Python and R interactions SHOULD be disabled. - _Rationale:_ External code poses a security and privacy risk as there is no good way to regulate what is done with the data or integrations. Disabling this will reduce the risk of a data leak or malicious actor. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) + - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) ### Resources @@ -389,6 +420,13 @@ Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive dat - _Rationale:_ A document without sensitivity labels may be opened unknowingly, potentially exposing data to someone who is not supposed to have access to it. This policy will help organize and classify data, making it easier to keep data out of the wrong hands. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + ### Resources - [Enable sensitivity labels in Power BI \| Microsoft diff --git a/PowerShell/ScubaGear/baselines/powerplatform.md b/PowerShell/ScubaGear/baselines/powerplatform.md index 76d721e5aa..6f4d76c685 100644 --- a/PowerShell/ScubaGear/baselines/powerplatform.md +++ b/PowerShell/ScubaGear/baselines/powerplatform.md 
@@ -83,6 +83,9 @@ The ability to create production and sandbox environments SHALL be restricted to - _Rationale:_ Users creating new Power Platform environments may inadvertently bypass data loss prevention (DLP) policy settings or misconfigure the security settings of their environment. - _Last Modified:_ June 2023 - Note: This control restricts creating environments to users with Global admin, Dynamics 365 service admin, Power Platform service admins, or Delegated admin roles. +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) #### MS.POWERPLATFORM.1.2v1 The ability to create trial environments SHALL be restricted to admins. 
@@ -164,6 +167,9 @@ A DLP policy SHALL be created to restrict connector access in the default Power - _Rationale:_ All users in the tenant have access to the default Power Platform environment. Those users may inadvertently use connectors that share sensitive information with others who should not have access to it. Users requiring Power Apps should be directed to conduct development in other Power Platform environments with DLP connector policies customized to suit the user's needs while also maintaining the agency's security posture. - _Last Modified:_ June 2023 - _Note:_ The following connectors drive core Power Platform functionality and enable core Office customization scenarios: Approvals, Dynamics 365 Customer Voice, Excel Online (Business), Microsoft DataverseMicrosoft Dataverse (legacy), Microsoft Teams, Microsoft To-Do (Business), Office 365 Groups, Office 365 Outlook, Office 365 Users, OneDrive for Business, OneNote (Business), Planner, Power Apps Notification, Power BI, SharePoint, Shifts for Microsoft Teams, and Yammer. As such these connectors remain non-blockable to maintain core user scenario functions. +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) #### MS.POWERPLATFORM.2.2v1 Non-default environments SHOULD have at least one DLP policy affecting them. 
@@ -171,6 +177,9 @@ Non-default environments SHOULD have at least one DLP policy affecting them. - _Rationale:_ Users may inadvertently use connectors that share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last Modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) ### Resources @@ -258,6 +267,10 @@ Power Platform tenant isolation SHALL be enabled. - _Rationale:_ Provides an additional tenant isolation control on top of Azure AD tenant isolation specifically for Power Platform applications to prevent accidental or malicious cross tenant information sharing. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/) + - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) #### MS.POWERPLATFORM.3.2v1 An inbound/outbound connection allowlist SHOULD be configured. @@ -314,6 +327,8 @@ Content Security Policy SHALL be enforced for model-driven and canvas Power Apps - _Rationale:_ Adds CSP as a defense mechanism for Power Apps against common website attacks. - _Last Modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) ### Resources 
@@ -354,6 +369,8 @@ The ability to create Power Pages sites SHOULD be restricted to admins. - _Rationale:_ Users may unintentionally misconfigure their Power Pages to expose sensitive information or leave the website in a vulnerable state. - _Last Modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) ### Resources - [Control Portal Creation \| Microsoft diff --git a/PowerShell/ScubaGear/baselines/sharepoint.md b/PowerShell/ScubaGear/baselines/sharepoint.md index bedf1bee66..095270867a 100644 --- a/PowerShell/ScubaGear/baselines/sharepoint.md +++ b/PowerShell/ScubaGear/baselines/sharepoint.md @@ -35,6 +35,10 @@ External sharing for SharePoint SHALL be limited to Existing guests or Only Peop - _Rationale:_ Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) #### MS.SHAREPOINT.1.2v1 External sharing for OneDrive SHALL be limited to Existing guests or Only People in your organization. 
@@ -42,6 +46,11 @@ External sharing for OneDrive SHALL be limited to Existing guests or Only People - _Rationale:_ Sharing files outside the organization via OneDrive increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of unauthorized unauthorized access to information. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) #### MS.SHAREPOINT.1.3v1 External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. @@ -50,6 +59,11 @@ External sharing SHALL be restricted to approved external domains and/or users i - _Rationale:_ By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators help prevent sharing with unknown organizations and individuals. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin page is set to any value other than **Only People in your organization**. +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) #### MS.SHAREPOINT.1.4v1 Guest access SHALL be limited to the email the invitation was sent to. 
@@ -58,6 +72,11 @@ Guest access SHALL be limited to the email the invitation was sent to. - _Rationale:_ Email invitations allow external guests to access shared information. By requiring guests to sign in using the same account where the invite was sent, administrators help ensure only the intended guest can use the invite. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin page is set to any value other than **Only People in your organization**. +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) ### Resources @@ -140,6 +159,12 @@ File and folder default sharing scope SHALL be set to Specific people (only the - _Rationale:_ By making the default sharing the most restrictive, administrators prevent accidentally sharing information too broadly. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) #### MS.SHAREPOINT.2.2v1 File and folder default sharing permissions SHALL be set to View. 
@@ -147,6 +172,10 @@ File and folder default sharing permissions SHALL be set to View. - _Rationale:_ Edit access to files and folders could allow a user to make unauthorized changes. By restricting default permissions to **View**, administrators prevent unintended or malicious modification. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) ### Resources @@ -193,6 +222,11 @@ Expiration days for Anyone links SHALL be set to 30 days or less. - _Rationale:_ Links may be used to provide access to information for a short period of time. Without expiration, however, access is indefinite. By setting expiration timers for links, administrators prevent unintended sustained access to information. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone**. +- _MITRE ATT&CK TTP Mapping:_ + - [T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213/002/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) #### MS.SHAREPOINT.3.2v1 The allowable file and folder permissions for links SHALL be set to View only. 
@@ -201,6 +235,10 @@ The allowable file and folder permissions for links SHALL be set to View only. - _Rationale:_ Unauthorized changes to files can be made if permissions allow editing by anyone. By restricting permissions on links to **View** only, administrators prevent anonymous file changes. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone**. +- _MITRE ATT&CK TTP Mapping:_ + - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) #### MS.SHAREPOINT.3.3v1 Reauthentication days for people who use a verification code SHALL be set to 30 days or less. @@ -209,6 +247,10 @@ Reauthentication days for people who use a verification code SHALL be set to 30 - _Rationale:_ A verification code may be given out to provide access to information for a short period of time. By setting expiration timers for verification code access, administrators prevent unintended sustained access to information. - _Last modified:_ June 2023 - _Note:_ This policy is only applicable if the external sharing slider on the admin center sharing page is set to **Anyone** or **New and existing guests**. +- _MITRE ATT&CK TTP Mapping:_ + - [T1080: Taint Shared Content](https://attack.mitre.org/techniques/T1080/) + - [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/) + - [T1565.001: Stored Data Manipulation](https://attack.mitre.org/techniques/T1565/001/) ### License Requirements 
@@ -277,6 +319,10 @@ Users SHALL be prevented from running custom scripts on personal sites (aka OneD - _Rationale:_ Scripts in OneDrive folders run in the context of user visiting the site and have access to everything users can access. By preventing custom scripts on personal sites, administrators block a path for potentially malicious code execution. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) + - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) + - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) #### MS.SHAREPOINT.4.2v1 Users SHALL be prevented from running custom scripts on self-service created sites. @@ -284,6 +330,9 @@ Users SHALL be prevented from running custom scripts on self-service created sit - _Rationale:_ Scripts on SharePoint sites run in the context of users visiting the site and therefore provide access to everything users can access. By preventing custom scripts on self-service created sites, administrators block a path for potentially malicious code execution. - _Last modified:_ June 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) + - [T1059.009: Cloud API](https://attack.mitre.org/techniques/T1059/009/) ### Resources diff --git a/PowerShell/ScubaGear/baselines/teams.md b/PowerShell/ScubaGear/baselines/teams.md index da36a87b68..1771d7d2be 100644 --- a/PowerShell/ScubaGear/baselines/teams.md +++ b/PowerShell/ScubaGear/baselines/teams.md 
@@ -70,6 +70,9 @@ Anonymous users SHALL NOT be enabled to start meetings. - _Rationale:_ For agencies that implemented custom policies providing more flexibility to some users to automatically admit "everyone" to a meeting - this policy provides protection from anonymous users starting meeting to scrape internal contacts. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) meeting policy, and custom meeting policies if they exist. +- _MITRE ATT&CK TTP Mapping:_ + - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/) + - [T1078.001: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) #### MS.TEAMS.1.3v1 Anonymous users and dial-in callers SHOULD NOT be admitted automatically. @@ -254,6 +257,10 @@ External access for users SHALL only be enabled on a per-domain basis. - _Rationale:_ The default configuration allows members to communicate with all external users with similar access permissions. This unrestricted access can lead to data breaches and other security threats. This policy provides protection against threats posed by unrestricted access by allowing communication with only trusted domains. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) #### MS.TEAMS.2.2v1 Unmanaged users SHALL NOT be enabled to initiate contact with internal users. 
@@ -261,6 +268,9 @@ Unmanaged users SHALL NOT be enabled to initiate contact with internal users. - _Rationale:_ Allowing contact from unmanaged users can expose users to email and contact address harvesting. This policy provides protection against this type of harvesting. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) #### MS.TEAMS.2.3v1 Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. @@ -269,6 +279,9 @@ Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. - _Rationale:_ Contact with unmanaged users can pose the risk of data leakage and other security threats. This policy provides protection by disabling internal user access to unmanaged users. - _Last modified:_ July 2023 - _Note:_ This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants. +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) ### Resources @@ -356,6 +369,8 @@ Contact with Skype users SHALL be blocked. - _Rationale:_ Microsoft is officially retiring all forms of Skype as listed above. Allowing contact with Skype users puts agency users at additional security risk. By blocking contact with Skype users an agency limits access to security threats utilizing the vulnerabilities of the Skype product. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) ### Resources 
@@ -393,6 +408,10 @@ Teams email integration SHALL be disabled. - _Rationale:_ Microsoft Teams email integration associates a Microsoft, not tenant domain, email address with a Teams channel. Channel emails are addressed using the Microsoft-owned domain <teams.ms>. By disabling Teams email integration, an agency prevents potentially sensitive Teams messages from being sent through external email gateways. - _Last modified:_ July 2023 - _Note:_ Teams email integration is not available in GCC, GCC High, or DoD regions. +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) ### Resources @@ -435,6 +454,8 @@ Agencies SHOULD only allow installation of Microsoft apps approved by the agency - _Rationale:_ Allowing Teams integration with all Microsoft apps can expose the agency to potential vulnerabilities present in those apps. By only allowing specific apps and blocking all others, the agency will better manage its app integration and potential exposure points. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies, and the org-wide app settings. Custom policies MAY be created to allow more flexibility for specific users. +- _MITRE ATT&CK TTP Mapping:_ + - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) #### MS.TEAMS.5.2v1 Agencies SHOULD only allow installation of third-party apps approved by the agency. 
@@ -443,6 +464,9 @@ Agencies SHOULD only allow installation of third-party apps approved by the agen - _Rationale:_ Allowing Teams integration with third-party apps can expose the agency to potential vulnerabilities present in an app not managed by the agency. By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to third-party app vulnerabilities. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Third-party apps are not available in GCC, GCC High, or DoD regions. +- _MITRE ATT&CK TTP Mapping:_ + - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) + - [T1528: Steal Application Access Token](https://attack.mitre.org/techniques/T1528/) #### MS.TEAMS.5.3v1 Agencies SHOULD only allow installation of custom apps approved by the agency. @@ -451,6 +475,9 @@ Agencies SHOULD only allow installation of custom apps approved by the agency. - _Rationale:_ Allowing custom apps integration can expose the agency to potential vulnerabilities present in an app not managed by the agency. By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to custom app vulnerabilities. - _Last modified:_ July 2023 - _Note:_ This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Custom apps are not available in GCC, GCC High, or DoD regions. +- _MITRE ATT&CK TTP Mapping:_ + - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) + - [T1528: Steal Application Access Token](https://attack.mitre.org/techniques/T1528/) ### Resources 
@@ -554,6 +581,9 @@ A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services - _Rationale:_ Teams users may inadvertently disclose sensitive information to unauthorized individuals. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) #### MS.TEAMS.6.2v1 The DLP solution SHALL protect personally identifiable information (PII) @@ -563,6 +593,9 @@ and Social Security numbers (SSNs) via email SHALL be restricted. - _Rationale:_ Teams users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized sharing of sensitive information. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) ### Resources @@ -604,6 +637,9 @@ Attachments included with Teams messages SHOULD be scanned for malware. - _Rationale:_ Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) #### MS.TEAMS.7.2v1 Users SHOULD be prevented from opening or downloading files detected as malware. 
@@ -611,6 +647,10 @@ Users SHOULD be prevented from opening or downloading files detected as malware. - _Rationale:_ Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + ### Resources @@ -671,6 +711,13 @@ URL comparison with a blocklist SHOULD be enabled. - _Rationale:_ Users may be directed to malicious websites via links in Teams. Blocking access to known malicious URLs can help prevent users from accessing known malicious websites. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1189: Drive-by Compromise](https://attack.mitre.org/techniques/T1189/) #### MS.TEAMS.8.2v1 User click tracking SHOULD be enabled. 
@@ -678,6 +725,13 @@ User click tracking SHOULD be enabled. - _Rationale:_ Users may click on malicious links in Teams, leading to compromise or authorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident. - _Last modified:_ July 2023 +- _MITRE ATT&CK TTP Mapping:_ + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) + - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) + - [T1189: Drive-by Compromise](https://attack.mitre.org/techniques/T1189/) ### Resources @@ -731,4 +785,4 @@ record meetings: 8. Select **Apply**. -**`TLP:CLEAR`** \ No newline at end of file +**`TLP:CLEAR`**
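Review bot: T1134 and its two sub-techniques in the MS.POWERBI ResourceKey-based authentication hunk are a mismatch: Access Token Manipulation covers Windows process access tokens, while the rationale in that hunk is about moving data without an Azure AD OAuth bearer token. T1528: Steal Application Access Token, which this same patch already uses for the MS.TEAMS.5.2v1 and 5.3v1 hunks, fits the OAuth case; suggest `- [T1528: Steal Application Access Token](https://attack.mitre.org/techniques/T1528/)` in place of the three T1134 entries, or a short justification for T1134. The same hunk also appends a trailing `+` blank line before `### Resources` that the neighbouring hunks do not, so the spacing ends up inconsistent across the file.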
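Review bot: T1059.009: Cloud API is the only sub-technique mapped in the "Python and R interactions SHOULD be disabled" hunk, but the control is about user-supplied script execution, not cloud API calls; the ATT&CK sub-technique T1059.006: Python is the direct match for the Python half (R has no dedicated sub-technique, so the parent T1059 covers it). Suggest adding T1059.006 alongside, or instead of, T1059.009 so the mapping reflects the rationale's "external code" concern.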
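Review bot: Ordering is inverted in the Power BI sensitivity labels hunk: `T1213.002: Sharepoint` is listed before its parent `T1213: Data from Information Repositories`, whereas every other hunk in the patch lists the parent technique first and then its sub-techniques. Suggest swapping the two lines for consistency, and dropping the extra trailing `+` blank line this hunk adds before `### Resources`.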
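Review bot: The MS.SHAREPOINT.1.2v1 rationale context line contains a doubled word, "the risk of unauthorized unauthorized access to information"; since this hunk already touches that policy block, it is worth fixing in the same change.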
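Review bot: T1565 and T1565.001 (Data Manipulation) do not fit the MS.SHAREPOINT.2.1v1 hunk. That control sets the default sharing scope to Specific people, and its rationale is about accidentally sharing too broadly, which is an access and disclosure concern; the T1048 / T1213 / T1213.002 / T1530 set used for the MS.SHAREPOINT.1.x hunks matches it. Data Manipulation belongs with 2.2v1 (default permissions set to View), where the following hunk already lists it.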
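Review bot: The MS.SHAREPOINT.3.3v1 mapping (T1080, T1565, T1565.001) appears to have been copied from 3.2v1. Its rationale is about preventing sustained access via a verification code, not about tainting or modifying content, so the access-oriented set from the 3.1v1 hunk (T1048, T1213, T1213.002, T1530) is the right one here; suggest replacing the three entries.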
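Review bot: The two custom-script hunks (MS.SHAREPOINT.4.1v1 and 4.2v1) have near-identical rationales but different mappings: 4.1 adds T1027: Obfuscated Files or Information, which nothing in the rationale supports, and 4.2 does not. Both also map to T1059.009: Cloud API, while the rationale describes scripts running in the context of the user visiting the site, i.e. client-side script, for which the ATT&CK sub-technique T1059.007: JavaScript is the closer match. Suggest aligning both hunks on T1059 plus T1059.007 and dropping T1027 unless it can be justified.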
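Review bot: T1078.001: Default Accounts in the MS.TEAMS.1.2v1 hunk (anonymous users starting meetings) needs justification: Default Accounts covers built-in or vendor-default credentials, whereas the rationale describes anonymous participants with no account at all scraping internal contacts. Either document why the sub-technique applies or keep only the parent T1078, as other hunks do when no sub-technique fits.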
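Review bot: The Teams email integration hunk (MS.TEAMS.4.x) maps to T1204 User Execution and its Malicious Link / Malicious File sub-techniques, but the rationale is about potentially sensitive Teams messages being sent through external email gateways via the Microsoft-owned <teams.ms> domain, which is a data-exfiltration concern. T1567: Exfiltration Over Web Service and T1048: Exfiltration Over Alternative Protocol, both used elsewhere in this patch, match the rationale; suggest replacing the T1204 entries or adding the exfiltration ones.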
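Review bot: Both URL-centred hunks (MS.TEAMS.8.1v1 URL blocklist comparison and MS.TEAMS.8.2v1 user click tracking) list T1566.001: Spearphishing Attachment and T1204.002: Malicious File but omit the link-based phishing sub-technique, T1566.002: Spearphishing Link, which exists in ATT&CK and is the one these controls actually address. Suggest adding `- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)` to both and reconsidering the attachment and file entries. Separately, the MS.TEAMS.7.2v1 hunk adds a trailing `+` blank line before `### Resources` that the adjacent hunks do not.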
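Review bot: The MS.TEAMS.8.2v1 rationale context line reads "leading to compromise or authorized data disclosure", which is almost certainly meant to be "unauthorized data disclosure"; worth correcting in the same hunk since the block is already being edited. The final hunk that adds the missing newline after `**`TLP:CLEAR`**` is unrelated to the mapping work but is a welcome fix.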