Analytics Alerts
Browse the Cortex analytics alert reference.
46 alerts match the current filters. tactic: TA0001 ✕ technique: T1566 ✕
Show ATT&CK heatmapA Torrent client was detected on a host Informational 1 variation
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Exfiltrate data or as a phishing entry point.Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
A Torrent client was detected on a host
Informational overridden
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden
Azure application consent Informational Identity Threat Module 1 variation
An identity consented permissions to an application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)Required data: AzureAD Audit LogAttacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.Variations
First seen Azure admin consent to an application
Low overridden
An administrative identity consented permissions to an application. overridden
ClickFix - PowerShell executed through the run application Low 4 variations
An attacker may be trying to trick a user to execute PowerShell through the run application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing (T1566)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.Variations
ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Long PowerShell command executed through the run application with URL in the command
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Long encoded PowerShell command executed through the run application
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Schedule task PowerShell command executed through the run application
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Email attachment with a potentially malicious file extension Informational Email 2 variations
The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.Variations
Attachment(s) with a potentially malicious file extension unusual for the organization
Informational overridden
At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden
Attachment(s) with a potentially malicious file extension unusual for the recipient
Informational overridden
At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden
Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: SpamAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email with high Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with high Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email mimics replies or forwards without an actual ongoing conversation Informational Email
An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown address using a public provider domain Informational Email
The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown sender using a disposable domain Low Email
The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email with file-sharing link containing auto-download parameter Low Email 1 variation
The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.Variations
External email with file-sharing link containing auto-download parameter
Low overridden
The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden
Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
A recently configured Exchange DKIM signing configuration was disabled
Informational overridden
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden
Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)Required data: Office 365 AuditAttacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Exchange Safe Link policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
Recently configured Exchange anti-phish policy disabled or removed
Informational overridden
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden
External user added a link to a Microsoft Teams chat Informational Identity Threat Module 1 variation
An external user added a link to a Microsoft Teams chat.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the external tenant and user are authorized to share links or files with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that have been sent in the conversation. Evaluate the external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user sent a link via Microsoft Teams with suspicious parameters
Low overridden
An external user sent a link with suspicious parameters in a Microsoft Teams conversation. overridden
External user call via Microsoft Teams Informational Identity Threat Module 2 variations
An external user called a user in the organization via Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing: Spearphishing Voice (T1566.004)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the external tenant and external user are authorized to call users in the organization. Check external domain reputation. Follow further actions performed by the user who participated in the call. Verify if the user account was compromised or was a victim of a voice phishing campaign.Variations
A first seen external user with a suspicious name initiated a Microsoft Teams call
Medium overridden
A first seen external user with a suspicious name successfully called via Microsoft Teams a user in the organization. overridden
An external user with a suspicious name initiated a Microsoft Teams call
Low overridden
An external user with a suspicious name called via Microsoft Teams a user in the organization. overridden
External user created a Microsoft Teams conversation with suspicious operations Informational Identity Threat Module 9 variations
An external user created a Microsoft Teams conversation with users in the organization with additional suspicious operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify whether any user was removed from the conversation, and determine the reason for their removal. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user initiated a Microsoft Teams chat in which a suspicious link was shared and a member was removed
Low overridden
An external user initiated a Microsoft Teams chat in which a link, with a domain that hasn't been seen the last 30 days, was shared, and a member was removed. overridden
An external user created a chat and shortly after sent a link with a newly seen domain name
Low overridden
An external user created a chat and shortly after sent a link to a conversation via Microsoft Teams that refers to a domain that was seen for the first time in the past 30 days. overridden
An external user initiated a Microsoft Teams chat in which a link was shared and a member was removed
Low overridden
An external user initiated a Microsoft Teams chat in which a link with a rarely seen domain was shared, and a member was removed. overridden
An external user created a chat then sent a link with a file for the first time via Microsoft Teams
Low overridden
An external user sent a link for the first time during the past 30 days in a Microsoft Teams conversation, and the link points to a file. overridden
An external user created a chat with a suspicious user or chat name and then sent a link via Microsoft Teams
Low overridden
An external user created a chat with a suspicious user or chat name and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
External user created a Microsoft Teams conversation with a suspicious user or chat name and shortly after removed a user from it
Low overridden
An external user created a conversation with a suspicious user or chat name, and then removed a member, which could indicate potential suspicious activity. overridden
An external user created a chat then sent a link via Microsoft Teams
Informational overridden
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
An external user created a chat and then sent a link via Microsoft Teams
Informational overridden
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
External user created a Microsoft Teams conversation and shortly after removed a user from it
Informational overridden
An external user created a conversation and then removed a member, which could indicate potential suspicious activity. overridden
External user started a Microsoft Teams conversation Informational Identity Threat Module 5 variations
An external user started a Microsoft Teams conversation with users in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user started multiple conversations in Microsoft Teams with suspicious chat names
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started a conversation in Microsoft Teams with a suspicious user or chat name
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started multiple conversations in Microsoft Teams
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
External user started a Microsoft Teams conversation and sent a message
Informational overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started conversations in Microsoft Teams with many internal users
Informational overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
Microsoft Office Process Spawning a Suspicious One-Liner Medium
A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker is trying to gain code execution on the host.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.Microsoft Office injects code into a process Low 5 variations
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned Microsoft Office injects code into a process
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to a non-standard PE section
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to an undeclared memory page
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process from an unsigned process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office process spawns a commonly abused process Low
Microsoft Office process spawns a commonly abused process with an uncommon command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via a phishing document.Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Microsoft Office process spawns conhost.exe Low
This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Numerous emails sent by a single sender to multiple internal recipients Informational Email
Numerous emails were sent to multiple internal recipients. This may indicate spam or any other malicious attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Phishing, SpamAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Okta FastPass reported phishing attack suspected Low Identity Analytics
Okta FastPass authentication reported a phishing attack suspected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker might attempt to compromise Okta accounts to gain initial access to the organization, sensitive assets or data.Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk. Examine email logs and headers to understand how the phishing email bypassed email security filters. Review the details of the phishing attempt, including the source email address, sender domain, and the content of the phishing message if available. Review recent login attempts, session details, and activity logs in OKTA for anomalies. Use threat intelligence feeds to identify if similar phishing tactics are part of a larger campaign. Examine historical access logs to see if there have been other attempts from the same IP or country and evaluate the potential threat level.Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)Required data: AzureADAttacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.Variations
OAuth Token Theft - Potential Session Hijacking Detected from new ASN
Low overridden
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden
Possible IPFS traffic was detected Informational
The host attempted to access other nodes in an IPFS manner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.Possible multistage attack in Microsoft Teams Low Identity Threat Module 1 variation
Possible multistage attack in Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Verify the suspicious activity to validate the legitimacy of the user's actions. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.Variations
Malicious activity had been detected with strong indicators
Medium overridden
Malicious Microsoft Teams activity detected across multiple indicators, the activities have strong indications of a malicious action. overridden
Possible phishing attack via Microsoft Teams Low Identity Threat Module 3 variations
An external tenant is possibly attempting a phishing attack via Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Verify the suspicious sign-in activity to validate the legitimacy of the suspicious login. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.Variations
Potential phishing attack with post compromise stages had been detected
High overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login and post compromise actions. overridden
Potential phishing attack via Microsoft Teams has been detected
Medium overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login. overridden
Potential phishing attack with post compromise activities in Microsoft Teams has been detected
Medium overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators. overridden
Possible use of IPFS was detected Informational 1 variation
The host produced traffic consistent with IPFS.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
Possible use of IPFS was detected
Informational overridden
The host produced traffic consistent with IPFS. overridden
Potential Phishing has been detected Medium Email 4 variations
This email contains multiple indicators consistent with a phishing attack. The message likely attempts to steal credentials, distribute malware, or trick recipients into performing actions that compromise security through deceptive content or suspicious technical characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit LogDetector tags: PhishingAttacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.Variations
Potential Brand Impersonation has been detected
Medium overridden
This email appears to impersonate a legitimate brand or service provider to deceive recipients. Attackers often mimic trusted companies like banks, cloud services, or popular brands to steal credentials, distribute malware, or conduct fraudulent activities. overridden
Potential Spear Phishing has been detected
Medium overridden
This email represents a targeted spear phishing attack aimed at high-value personnel within your organization. These highly personalized attacks often target executives or privileged users to gain unauthorized access to sensitive systems or information. overridden
Potential Business Email Compromise has been detected
Medium overridden
This email exhibits characteristics of a Business Email Compromise attack, where threat actors impersonate executives or trusted business partners to manipulate recipients into authorizing fraudulent financial transactions or wire transfers. overridden
Potential Exfiltration has been detected
Medium overridden
This outbound email shows suspicious patterns consistent with data exfiltration attempts. The communication may involve unauthorized transmission of sensitive organizational data to external recipients through email channels. overridden
Potential spoofing of internal domain spotted Informational Email
An external sender is possibly impersonating an employee by spoofing the company's internal address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing (T1566) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Quarantined email released to recipients Informational Email 3 variations
This message was previously quarantined by vendor and has now been released and delivered to the intended recipients.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Repeated quarantine releases to mailbox from previously quarantined sender
Low overridden
This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the mailbox has received multiple quarantined messages and the sender has been quarantined several times over the past 30 days. overridden
Repeated quarantine releases from previously quarantined sender
Low overridden
This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the sender has been quarantined multiple times over the past 30 days. overridden
Repeated quarantine-released emails received by mailbox
Low overridden
This mailbox has repeatedly received messages over the past 30 days that were quarantined by vendor and later released and delivered to the recipient. overridden
Rarely seen URL(s) within a well-known domain detected in your organization's email Informational Email
We have identified unpopular URL(s) within this email.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender address in the organization Informational Email
An email was received from a sender that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender domain in the organization Informational Email
An email was received from a domain that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Sending unusual file(s) to an external address Low Email
Unusual files sent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.Suspicious Process Spawned by Adobe Reader Low
Unusual process spawned by Adobe Reader with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via a phishing document.Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Suspicious sender exhibiting automated sending patterns Informational Email 1 variation
Multiple messages from a single sender were observed over a short period, all having the same subject and differing body content.This repetitive pattern may indicate automated or scripted behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Suspicious sender with high-volume automated sending patterns
Informational overridden
A high volume of messages was observed from a single sender address within a short time period, all sharing the same subject line but containing different body content.This elevated and repetitive pattern may indicate automated or scripted behavior at scale. overridden
Suspicious sending domain with sender address randomization Informational Email 1 variation
Multiple messages from a single sender domain were observed over a short period, each using a unique sender address.This per-message sender randomization is uncommon for legitimate senders and suggests automated behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
High-volume sender domain with per-message sender randomization
Informational overridden
A high volume of emails was observed from a single sending domain over a short time period, each using a unique sender address.This high volume per-message sender randomization is uncommon for legitimate senders and suggests automated behavior. overridden
Training simulation email detected Medium Email
This email was flagged as part of a training simulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Examine the sender's IP address and reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations
We have identified unpopular domain(s) in URL(s) within this email.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Internal email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Outbound email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Unpopular domains detected in email URLs for a recipient Informational Email 1 variation
We have identified unpopular domain(s) within these email URLs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Highly unpopular URL domain(s) for mailbox detected in email
Informational overridden
We have identified unpopular domain(s) within these email URLs. overridden
Unrecognized internal address (AAD mismatch) Informational Email
An email was received from an address using an internal domain, but the sender is not found in Active Directory. This may indicate an impersonation attempt or domain spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: The attacker aims to impersonate an internal user to gain trust, bypass security controls, and potentially extract sensitive information or distribute malicious content through internal-looking emails.Investigative actions: Verify if the sender address exists in Active Directory. Check historical email activity from the spoofed address. Review email headers for spoofing indicators (SPF, DKIM, DMARC failures). Identify if recipients engaged with the email (clicked links, downloaded attachments). Correlate with other alerts involving the same sender or domain.Unusual display name in From header Informational Email 2 variations
An email was detected with an unusual display name in the From header.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Evade defenses and hide potential malicious data inside the email display name.Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.Variations
Unusual display name in the From header containing an embedded URL
Low overridden
An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden
Unusual display name in the From header that is identical to the email address
Informational overridden
An email was detected where the display name in the From header is unusual and matches the sender email address. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations
This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type
Informational overridden
X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden
Email identified by X-Forefront-Antispam-Report as a phishing attempt
Informational overridden
X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt
Informational overridden
X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as impersonating internal communication
Informational overridden
X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden
X-Forefront-Antispam-Report has strongly flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report has flagged this email as a bulk email
Informational overridden
X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden
X-Forefront-Antispam-Report has flagged an internal email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden
X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain
Informational overridden
This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden
X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques
Informational overridden
X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden