Analytics Alerts
Browse the Cortex analytics alert reference.
145 alerts match the current filters. tactic: TA0002 ✕
Show ATT&CK heatmapRemote command execution via wmic.exe Low 1 variation
Remote command execution using the Windows Management Instrumentation command-line tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: The attacker is expanding his reach into your network by executing commands on a remote endpoint.Investigative actions: Examine Alert Details > Overview to identify the source endpoint, process running the command execution, process owner, and execution destination.Variations
Remote command execution via wmic.exe
Medium overridden
Remote command execution using the Windows Management Instrumentation command-line tool. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Run downloaded script using pipe Informational 1 variation
Downloading a script using wget or curl and executing it using a pipe to a shell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to download a script using wget or curl.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Run downloaded script using pipe in a Kubernetes pod
Informational overridden
Downloading a script using wget or curl and executing it using a pipe to a shell. overridden
Scrcons.exe Rare Child Process Informational 1 variation
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR AgentAttacker's goals: The attacker is trying to gain Persistence via WMI script registration.Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".Variations
Scrcons.exe Rare Child Process
Medium overridden
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden
Scripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Service execution via sc.exe Informational
Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run code on local or remote hosts.Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.Signed process creates a scheduled task via file access Informational 1 variation
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.Investigative actions: Check the created task file and look for the action triggered by the task.Variations
Signed process running from an untrusted directory creates a scheduled task via file access
Low overridden
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden
Sudden spike in outbound email volume Informational Email 2 variations
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 2 Hours
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Sudden spike in outbound emails sent to external recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudden spike in outbound emails sent to internal recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Suspicious PowerShell Command Line Low
Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.Suspicious SearchProtocolHost.exe parent process Medium
SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious activity indicating a potential abuse of a cloud-native email service Low Cloud 2 variations
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Adversaries may use cloud-based email services to send phishing or spread malware, abusing legitimate email domains.Investigative actions: Check if the identity intended to preform these actions or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery, weaponization, and impact
High overridden
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations, attack preparation and actual email sending.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden
Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery and weaponization
Medium overridden
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations and attack weaponization.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden
Suspicious cloud user data modification attempt followed by VM restart Low Cloud
Suspicious user data modification followed by VM restart, possibly an attempt to run altered startup scripts at boot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Cloud Administration Command (T1651)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.Investigative actions: Review the identity who modified the instance user data. Inspect the user data script for malicious content.Suspicious container orchestration job Low
A suspicious orchestration job ran with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: XDR AgentAttacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.Investigative actions: Investigate The process activities and impact on the relevant container.Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Escape from a container to the host machine and expand the foothold in the network.Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.Variations
Suspicious container runtime connection from within a Kubernetes Pod using the curl client
Low overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious container runtime connection from within a Kubernetes Pod using the docker client
Medium overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious docker image download from an unusual repository Informational 2 variations
The agent has pulled a docker image from a repository for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution: Malicious Image (T1204.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Adversaries may rely on a user running a malicious image to facilitate execution.Investigative actions: Scan the docker image that was pulled. Check the repository designation. Check on which other agents the docker image is being used.Variations
Suspicious docker image download from an unrecognized registry
Low overridden
The agent has pulled a docker image from a registry that has never been used in the organization. overridden
Suspicious docker image download from an unrecognized repository
Low overridden
The agent has pulled a docker image from a repository that has never been used in the organization. overridden
Suspicious module load using direct syscall Low 1 variation
A module was loaded to a process using a direct syscall.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Native API (T1106)Required data: XDR AgentDetector tags: Direct Syscall AnalyticsAttacker's goals: An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.Investigative actions: Investigate the direct syscall mapped image to verify if it is malicious. Investigate the loaded module to verify if it is malicious.Variations
A module was loaded to an unsigned process by using a direct syscall
Medium overridden
A module was loaded to an unsigned process using a direct syscall. overridden
Suspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden
Suspicious process loads a known PowerShell module Informational 2 variations
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 8 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Variations
Suspicious unsigned process loads a known PowerShell module
Low overridden
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Office process loads a known PowerShell DLL
High overridden
A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Suspicious systemd timer activity Low
Suspicious systemd timer activity, which may indicate an attempt to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)Required data: XDR AgentAttacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.System profiling WMI query execution Informational
Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution disabling firewall
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution using exploitation tool
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution loading a kernel module
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a network tool
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution with su/sudo elevation
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution accessing history (e.g. bash history or login records)
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution from a scripting language interpreter
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution executed from within a web server
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Service Create/Config Medium
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading security controls and possibly persisting malware.Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations
We have identified unpopular domain(s) in URL(s) within this email.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Internal email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Outbound email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Uncommon cloud CLI tool usage Informational Cloud 4 variations
An uncommon execution of a cloud CLI tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: XDR AgentAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.Variations
Uncommon cloud CLI tool usage within a web server pod
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a web server
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a cloud instance
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a Kubernetes pod
Informational overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon macOS shell command execution Informational 10 variations
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon macOS shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a curl / wget in an uncommon way
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution loading a kernel extension
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution executed an AppleScript
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution from an unsigned process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution of an exceedingly rare process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon remote scheduled task creation Low 1 variation
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.Variations
Uncommon remote scheduled task creation by a remote actor via RDP
High overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden
Uncommon remote service start via sc.exe Low
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.Unpopular domains detected in email URLs for a recipient Informational Email 1 variation
We have identified unpopular domain(s) within these email URLs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Highly unpopular URL domain(s) for mailbox detected in email
Informational overridden
We have identified unpopular domain(s) within these email URLs. overridden
Unsigned process creates a scheduled task via file access Low 1 variation
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Unsigned process creates a scheduled task via file access on a sensitive server
Medium overridden
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden
Unusual AI model invocation Informational Cloud
A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI models.Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.Unusual AWS CLI/SDK activity Informational Cloud
A cloud identity invoked an API using AWS CLI/SDK for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Investigate any unusual activity originating from the suspected identity.Unusual AWS SageMaker notebook access Informational Cloud
A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI/ML resources and services.Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation
Unusual Process Spawned by Nginx in Ingress-Nginx pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.Variations
Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload
High overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden
Unusual exec into a Kubernetes Pod Informational Cloud 5 variations
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Failed exec attempt into a Kubernetes Pod
Informational overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
First time execution into Kubernetes Pod at the cluster-level
Medium overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes namespace for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Unusual process accessed the PowerShell history file Informational
An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation
Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.Variations
Usage of homograph characters detected in an email attachment(s) extension
Low overridden
Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden
User discovery via WMI query execution Informational 3 variations
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Variations
User discovery via WMI query execution by an unsigned process
Low overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User modification via WMIC query execution
Low overridden
Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden
User discovery via WMIC query execution
Informational overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
Windows CGO, actor and action processes with anomalous characteristics Informational 2 variations
Windows CGO, actor and action processes with anomalous characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentDetector tags: Process Anomaly AnalyticsAttacker's goals: Processes anomalous characteristics which commonly appear in malicious activities.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the CGO and actor processes that executed the process and check if they are malicious.Variations
Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO
Low overridden
Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO. overridden
Windows CGO, actor and action processes with highly anomalous characteristics
Low overridden
Windows CGO, actor and action processes with anomalous characteristics. overridden
Windows CGO, actor process and action module with anomalous characteristics Informational 1 variation
Windows CGO, actor process and action module with anomalous characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Loading modules with anomalous characteristics that commonly appear in malicious activities.Investigative actions: Investigate the loaded image and check if it is malicious. Investigate the CGO process and actor process that loaded the module and check if they are malicious.Variations
Windows CGO, actor process and action module with very anomalous characteristics
Low overridden
Windows CGO, actor process and action module with anomalous characteristics. overridden
WmiPrvSe.exe Rare Child Command Line Low 1 variation
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.Variations
WmiPrvSe.exe Rare Child Command Line
Medium overridden
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden
Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations
This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type
Informational overridden
X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden
Email identified by X-Forefront-Antispam-Report as a phishing attempt
Informational overridden
X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt
Informational overridden
X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as impersonating internal communication
Informational overridden
X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden
X-Forefront-Antispam-Report has strongly flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report has flagged this email as a bulk email
Informational overridden
X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden
X-Forefront-Antispam-Report has flagged an internal email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden
X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain
Informational overridden
This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden
X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques
Informational overridden
X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden