Analytics Alerts
Browse the Cortex analytics alert reference.
249 alerts match the current filters. tactic: TA0005 ✕
Show ATT&CK heatmapSuspicious activity on logging bucket Informational Cloud 1 variation
An identity performed a suspicious activity on bucket used to store logs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by tampering the logs.Investigative actions: Verify whether the identity attempted to access the bucket. Verify no logs were modified in the bucket.Variations
Suspicious deletion on CloudTrail logging bucket
Medium overridden
An identity performed a suspicious activity on bucket used to store CloudTrail logs. overridden
Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Suspicious certutil command line Medium
An attacker may use certutil to download malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: An attacker may use certutil to download malware.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.Suspicious data encryption Low
Known applications were used to encrypt data within a machine's local file system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)Required data: XDR AgentAttacker's goals: Damage or hide data on the local file system.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Suspicious disablement of the Windows Firewall Low
The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if the process is legitimately disabling the firewall.Suspicious disablement of the Windows Firewall using PowerShell commands Medium
The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check Windows event logs to see the PowerShell command or script that was executed. Check whether the PowerShell command is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.Suspicious hidden user created Medium Identity Analytics
A user account was created with a name that mimics a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user account created and verify its activity.Suspicious process accessed a site masquerading as Google Informational 1 variation
A suspicious process accessed a site masquerading as Google.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)Required data: XDR AgentAttacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.Variations
Suspicious process resolved the DNS name of a site masquerading as Google
Informational overridden
A suspicious process resolved the DNS name of a site masquerading as Google. overridden
Suspicious process execution from tmp folder Informational 4 variations
An unpopular process was executed from the tmp folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application from a folder that is writable to all users and use it to avoid detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
A web server process executed an unpopular application from the tmp folder
Medium overridden
An executable application ran from the tmp folder by a web server process. overridden
Suspicious cron job task execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious interactive execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious process execution from tmp folder in a Kubernetes pod
Informational overridden
An unpopular process was executed from the tmp folder. overridden
Svchost.exe loads a rare unsigned module Low
Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.Tampering with Internet Explorer Protected Mode configuration Informational 2 variations
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: When an add-on is running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched. Attackers may change this value to make the process launch with higher privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with Internet Explorer Protected Mode default configuration
Medium overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
Tampering with Internet Explorer Protected Mode specific app configuration
Informational overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with the Windows User Account Controls (UAC) configuration by a remote host
Medium overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
The Linux system firewall was disabled Low
The system firewall was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which ip or port were affected. Check the communication allowed by the created firewall rule.Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.Uncommon DotNet module load relationship Informational
A signed process that usually doesn't use DotNet loaded a common DotNet module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620)Required data: XDR AgentAttacker's goals: Adversaries may reflectively load DotNet code into a process to conceal execution of malicious payloads.Investigative actions: Investigate the actor process for potential malicious activity. Check for recently installed services that may load DotNet modules.Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations
A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host in the context of another process.Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.Variations
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process
High overridden
An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread
Medium overridden
An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process
Medium overridden
A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process
Medium overridden
An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon attempt to clear shell history Low 1 variation
An attempt to clear or manipulate shell history files was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: XDR AgentAttacker's goals: Attackers may clear or modify shell history files to remove traces of their activities.Investigative actions: Investigate the user and process that executed the command. Examine other related activities on the host to understand the context of this action.Variations
Globally uncommon attempt to clear shell history
Medium overridden
An attempt to clear or manipulate shell history files was detected. overridden
Uncommon driver loaded Low 3 variations
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Rootkit (T1014)Required data: XDR AgentAttacker's goals: Install rootkit to gain kernel-level to gain full control over the machine or disable security products.Investigative actions: Investigate which process created the driver or how it has been loaded.Variations
Uncommon driver loaded by a Web server process
High overridden
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit by a Web server process. overridden
Globally rare and unsigned driver loaded
Medium overridden
Globally rare and unsigned driver loaded. overridden
Uncommon driver with a globally rare vendor loaded as a service
Medium overridden
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit. overridden
Uncommon execution of ODBCConf Low 1 variation
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)Required data: XDR AgentAttacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.Variations
Uncommon execution of ODBCConf to load dll directly
High overridden
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden
Uncommon kernel module load Informational 1 variation
Loading of a kernel module using the modprobe command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Rootkit (T1014)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Gain persistence using the kernel module.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Uncommon kernel module load in a Kubernetes pod
Informational overridden
Loading of a kernel module using the modprobe command. overridden
Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.Variations
Suspicious msiexec execution on an internet-facing endpoint
Low overridden
Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden
Unicode RTL Override Character High
An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Trick users into executing malicious files by making their file types seem benign.Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.Unpopular rsync process execution Informational 1 variation
An unpopular rsync process was executed on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Unpopular rsync process execution in a Kubernetes Pod
Informational overridden
An unpopular rsync process was executed on the host. overridden
Unsigned DLL Hijack into a Microsoft process Informational 7 variations
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden
Rare and unsigned DLL into an injected Microsoft process
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a low entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a high entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a recently created Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Side-Loading Informational 6 variations
A signed process loaded an unsigned and rare module from the same folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
DLL Side-Loading of module bearing an invalid Microsoft signature
High overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor
Medium overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading - DLL downloaded from an uncommon source
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned high entropy DLL Side-Loading by untrusted causality actor
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading which was executed by a scheduled task
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned and unpopular process performed a DLL injection Low 5 variations
An unsigned process with low popularity injected a dll into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed queue APC DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a sensitive process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a commonly abused process
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a security vendor signed process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed an injection Low 7 variations
An unsigned process with low popularity injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed queue APC injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a sensitive process
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into svchost.exe
High overridden
An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden
Unsigned and unpopular process performed injection into a commonly abused process
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a process signed by a security vendor
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process executed by a scheduled task performed an injection
Low overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned process injecting into a Windows system binary with no command line Medium
An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation
An identity attempted to add or update an Azure AD Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.Variations
Suspicious Conditional Access operation for an identity
Low overridden
An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden
Unusual Lolbins Process Spawned by InstallUtil.exe Low
An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Unusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual hostname for the sending mail server in the email headers Informational Email
The detected mail server hostname had not been observed in the organization's emails in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Unusual sender IP subnet Informational Email 2 variations
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Unusual sender IP subnet associated with infrastructure or tunneling services
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Unusual sender IP subnet associated with internal sender
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Unusual use of a 'SysInternals' tool Informational 3 variations
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.Variations
Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
Unusual use of a 'SysInternals' tool that can be used for offensive operations
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
A registry key related to SysInternals was modified by a known registry editor
Informational overridden
A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
Usage of homograph characters detected in an email Informational Email
Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Usage of homograph characters detected in an email's from header Informational Email
Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.User added SID History to an account Informational Identity Analytics 1 variation
A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.Variations
Suspicious SID History Addition
Medium overridden
A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden
User moved Exchange sent messages to deleted items Informational Identity Threat Module Email 1 variation
A user moved sent messages to deleted items in Exchange.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to hide newly sent email messages for evasion purposes.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Sensitive Exchange sent messages moved to deleted items from unusual source
Low overridden
A user moved sensitive sent messages to deleted items in Exchange. overridden
User set insecure CA registry setting for global SANs Low Identity Analytics
A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.VM Detection attempt Informational
A script has executed commands that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.VM Detection attempt on Linux Informational 2 variations
A Process executed a command and/or accessed a file that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR AgentAttacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.Variations
VM Detection attempt on Linux with further reconnaissance commands
Medium overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VM Detection attempt on Linux using an unpopular technique
Low overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VPN login by a dormant user Informational Identity Analytics
A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Weakly-Encrypted Kerberos TGT Response Informational 1 variation
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).Variations
Abnormal Weakly-Encrypted Kerberos TGT Response
Low overridden
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden
Well-known brand in sender headers with header inconsistencies Informational Email
Sender headers include a well-known brand with header inconsistencies indicating possible impersonation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Brand ImpersonationAttacker's goals: Impersonate known legitimate brands or other technological entities to trick recipients into disclosing information or executing malicious code unwillingly.Investigative actions: Identify the specific emails responsible for the accumulation of these alerts. Review their headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk. Document and escalate findings in case this is a broader phenomenon.Windows event logs were cleared with PowerShell Informational 3 variations
Windows event logs were cleared or deleted with PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Windows Event Logs (T1070.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may clear events from Windows event logs to remove traces of their malicious activity.Investigative actions: Validate if the script that was executed is from a legitimate IT activity. Look for additional suspicious actions that were executed on the host.Variations
Suspicious clear or delete security provider event logs with PowerShell
High overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Suspicious clear or delete default providers event logs with PowerShell
Medium overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Windows event logs were cleared with uncommon PowerShell command line
Low overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Wscript/Cscript loads .NET DLLs Low
An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations
This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type
Informational overridden
X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden
Email identified by X-Forefront-Antispam-Report as a phishing attempt
Informational overridden
X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt
Informational overridden
X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as impersonating internal communication
Informational overridden
X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden
X-Forefront-Antispam-Report has strongly flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report has flagged this email as a bulk email
Informational overridden
X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden
X-Forefront-Antispam-Report has flagged an internal email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden
X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain
Informational overridden
This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden
X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques
Informational overridden
X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden