Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0001 ✕ technique: T1562 ✕
Show ATT&CK heatmapExchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
A recently configured Exchange DKIM signing configuration was disabled
Informational overridden
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden
Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)Required data: Office 365 AuditAttacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Exchange Safe Link policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
Recently configured Exchange anti-phish policy disabled or removed
Informational overridden
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden