Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

53 alerts match the current filters. tactic: TA0002 ✕ technique: T1204 ✕

Show ATT&CK heatmap
  • A Kubernetes service account executed an unusual API call Informational Cloud 4 variations

    A Kubernetes service account executed an unusual API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Abuse a service account token to gain access to the Kubernetes cluster.
    Investigative actions: Verify whether the service account should be executing this API. Investigate other operations that were performed by the service account within the cluster.

    Variations

    A Kubernetes service account executed an API call on a first-seen resource

    Low overridden

    A Kubernetes service account executed an API call on a first-seen resource. overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource

    Low overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource. overridden

    A Kubernetes service account executed an unusual modification API call

    Informational overridden

    A Kubernetes service account executed an unusual modification API call. overridden

    A Kubernetes service account executed an API call on an unusual resource

    Informational overridden

    A Kubernetes service account executed an API call on an unusual resource. overridden

  • A cloud identity performed multiple unusual activities Medium Cloud 1 variation

    A cloud identity performed multiple unusual activities across various cloud services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.
    Investigative actions: Check if the identity intended to preform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    A cloud identity performed multiple suspicious activities

    Low overridden

    A cloud identity performed multiple unusual activities across various cloud services. overridden

  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations

    A user uploaded a file that was classified as malware to SharePoint or OneDrive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.

    Variations

    A user uploaded malware to SharePoint or OneDrive with suspicious characteristics

    Medium overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden

    A user uploaded a malicious payload to SharePoint or OneDrive

    Informational overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden

  • AI-determined combination of risky alerts under the same actor process Informational 1 variation

    Multiple alerts likely to be associated with an incident were identified under the same actor process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.

    Variations

    AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process

    Medium overridden

    A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden

  • AI-determined combination of risky alerts under the same causality Informational

    Multiple alerts likely to be associated with an incident were identified under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: AI Insight Fusion Analytics
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.
  • Abnormal increase in network-related alerts on the same host Low

    Abnormal increase in network-related alerts on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Bronze-Bit exploit High

    A forwardable Kerberos ticket for delegation of a Protected User was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain a special user's Kerberos ticket to move laterally.
    Investigative actions: Check the initiating service account delegation privileges. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • ClickFix - PowerShell executed through the run application Low 4 variations

    An attacker may be trying to trick a user to execute PowerShell through the run application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing (T1566)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.
    Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.

    Variations

    ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long PowerShell command executed through the run application with URL in the command

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long encoded PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Schedule task PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

  • Cloud penetration testing tool activity High Cloud 3 variations

    A cloud API was successfully executed using a known cloud penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.
    Investigative actions: Confirm if authorized penetration testing activity is currently scheduled. Review the API operations performed by the identity to determine the intent and scope of the activity.

    Variations

    Cloud penetration testing tool usage attempt

    Informational overridden

    A failed cloud API was executed using a known cloud penetration testing tool. overridden

    Cloud security assessment tool activity

    Low overridden

    A cloud API was successfully executed using a known cloud security assessment tool. overridden

    Cloud penetration testing tool activity by Azure application

    Informational overridden

    A cloud API was successfully executed using a known cloud penetration testing tool by an Azure application. overridden

  • Contained process execution with a rare GitHub URL Low

    A contained process was executed with a suspicious GitHub url in the command line. This may be a legitimate use, but this technique is frequently used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution: Malicious Image (T1204.003)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same container at that time. Check if the container is a development container. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • Denied API call by a Kubernetes service account Informational Cloud 2 variations

    A Kubernetes service account API call was denied.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Check whether the service account should be making this API call. Check service account's activity, including additional executed API calls.

    Variations

    Denied API call by Kubernetes service account for the first time in the cluster

    Low overridden

    A Kubernetes service account API call was denied. overridden

    Suspicious denied API call by a Kubernetes service account

    Informational overridden

    A Kubernetes service account API call was denied. overridden

  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with a potentially malicious file extension Informational Email 2 variations

    The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.

    Variations

    Attachment(s) with a potentially malicious file extension unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious file extension unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Email contains URL delivering high-risk file type Informational Email 1 variation

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.
    Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.

    Variations

    External email with URL delivers blocked file types

    Low overridden

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden

  • Email with file-sharing link containing auto-download parameter Low Email 1 variation

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.
    Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.

    Variations

    External email with file-sharing link containing auto-download parameter

    Low overridden

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden

  • External email with a single internal recipient hidden in BCC Informational Email 1 variation

    External email with mailbox owner hidden in BCC as the only internal recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.
    Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    External email with only a hidden internal BCC recipient

    Informational overridden

    External email with no visible recipients, mailbox owner is hidden in BCC. overridden

  • Globally uncommon process execution from a signed process Informational 4 variations

    A signed process has executed a process that, on a global level, it usually doesn't execute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Check if the actor process was injected or loaded a suspicious DLL before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon process execution from a signed process from a known vendor

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally rare process execution from a signed process

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from a web server process or CGO

    Low overridden

    A web server process or CGO has executed a process that, on a global level, it usually doesn't execute. overridden

  • Microsoft Office Process Spawning a Suspicious One-Liner Medium

    A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.
  • Microsoft Office process spawns a commonly abused process Low

    Microsoft Office process spawns a commonly abused process with an uncommon command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft Office process spawns conhost.exe Low

    This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.
    Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Moniker link detected in URL(s) Informational Email 2 variations

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user on clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    A suspicious Moniker link, SMB and suspicious extension detected

    Medium overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

    A suspicious Moniker link pointing to SMB detected

    Low overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

  • Multiple Rare LOLBIN Process Executions by User Low Identity Analytics 1 variation

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    Multiple curl process executions by user

    Informational overridden

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account. overridden

  • Multiple Rare Process Executions in Organization Informational Identity Analytics

    Multiple unusual processes were executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.
  • Multiple alerts of different MITRE tactics were seen Low

    Multiple alerts of different MITRE tactics were seen on the same host under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.
  • Multiple network-related alerts of different MITRE tactics on the same host Low

    Multiple alerts of different MITRE tactics were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts. Asses whether it looks like a threat actor executing multiple tactics.
  • Multiple network-related alerts produced by different detectors on the same host Low

    Multiple alerts produced by different detectors were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Office process accessed an unusual .LNK file Low

    An attacker may embed a .LNK file in an Office document to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Modify or create a shortcut to gain code or program execution.
    Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.
  • Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations

    Identifies outbound emails that include links to file-sharing services sent externally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
    Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.

    Variations

    Outbound email to external recipient(s) uses first-seen for organization file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

    Outbound email to external recipient(s) uses first-seen for sender file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

  • Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.
    Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    Outbound email sent to an unknown external BCC recipient with no To or CC addresses

    Low overridden

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden

  • Outbound email to an address hosted by a public email service provider Informational Email 1 variation

    Internal sender emailed to an address hosted by a public email service provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Outbound email to a single address hosted by a public email service provider

    Informational overridden

    Internal sender emailed to a single recipient with public email service provider. overridden

  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Possible compromised machine account Medium

    A Kerberos TGT for machine account has been used and does not match the hostname.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Gain a special user Kerberos ticket to move laterally.
    Investigative actions: Check the source host for possible credential dumping. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rare LOLBIN Process Execution by User Informational Identity Analytics

    A user executed a living-off-the-land binary (LOLBIN) process that is unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory Low

    Microsoft Office executed an unsigned process in a suspicious directory. This behavior is common with malicious macros.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Attackers execute commands after infiltrating by using phishing or exploiting a vulnerability in an office.
    Investigative actions: Investigate the executed process. Investigate the document/email that initiated it.
  • Rare process execution by user Informational Identity Analytics

    An unusual process was executed by a user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare process execution in organization Informational Identity Analytics

    An unusual process was executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Sudden spike in outbound email volume Informational Email 2 variations

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    2 Hours
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Sudden spike in outbound emails sent to external recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

    Sudden spike in outbound emails sent to internal recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Suspicious SearchProtocolHost.exe parent process Medium

    SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious activity indicating a potential abuse of a cloud-native email service Low Cloud 2 variations

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Adversaries may use cloud-based email services to send phishing or spread malware, abusing legitimate email domains.
    Investigative actions: Check if the identity intended to preform these actions or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery, weaponization, and impact

    High overridden

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations, attack preparation and actual email sending.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden

    Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery and weaponization

    Medium overridden

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations and attack weaponization.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden

  • Suspicious docker image download from an unusual repository Informational 2 variations

    The agent has pulled a docker image from a repository for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution: Malicious Image (T1204.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Adversaries may rely on a user running a malicious image to facilitate execution.
    Investigative actions: Scan the docker image that was pulled. Check the repository designation. Check on which other agents the docker image is being used.

    Variations

    Suspicious docker image download from an unrecognized registry

    Low overridden

    The agent has pulled a docker image from a registry that has never been used in the organization. overridden

    Suspicious docker image download from an unrecognized repository

    Low overridden

    The agent has pulled a docker image from a repository that has never been used in the organization. overridden

  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations

    We have identified unpopular domain(s) in URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Internal email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Outbound email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

  • Unpopular domains detected in email URLs for a recipient Informational Email 1 variation

    We have identified unpopular domain(s) within these email URLs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Highly unpopular URL domain(s) for mailbox detected in email

    Informational overridden

    We have identified unpopular domain(s) within these email URLs. overridden

  • Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation

    Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.

    Variations

    Usage of homograph characters detected in an email attachment(s) extension

    Low overridden

    Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden

  • Windows CGO, actor and action processes with anomalous characteristics Informational 2 variations

    Windows CGO, actor and action processes with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Process Anomaly Analytics
    Attacker's goals: Processes anomalous characteristics which commonly appear in malicious activities.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the CGO and actor processes that executed the process and check if they are malicious.

    Variations

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO. overridden

    Windows CGO, actor and action processes with highly anomalous characteristics

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics. overridden

  • Windows CGO, actor process and action module with anomalous characteristics Informational 1 variation

    Windows CGO, actor process and action module with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Loading modules with anomalous characteristics that commonly appear in malicious activities.
    Investigative actions: Investigate the loaded image and check if it is malicious. Investigate the CGO process and actor process that loaded the module and check if they are malicious.

    Variations

    Windows CGO, actor process and action module with very anomalous characteristics

    Low overridden

    Windows CGO, actor process and action module with anomalous characteristics. overridden

  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden