Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

10 alerts match the current filters. tactic: TA0002 ✕ technique: T1566 ✕

Show ATT&CK heatmap
  • ClickFix - PowerShell executed through the run application Low 4 variations

    An attacker may be trying to trick a user to execute PowerShell through the run application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing (T1566)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.
    Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.

    Variations

    ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long PowerShell command executed through the run application with URL in the command

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long encoded PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Schedule task PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

  • Email attachment with a potentially malicious file extension Informational Email 2 variations

    The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.

    Variations

    Attachment(s) with a potentially malicious file extension unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious file extension unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email with file-sharing link containing auto-download parameter Low Email 1 variation

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.
    Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.

    Variations

    External email with file-sharing link containing auto-download parameter

    Low overridden

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden

  • Microsoft Office Process Spawning a Suspicious One-Liner Medium

    A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.
  • Microsoft Office process spawns a commonly abused process Low

    Microsoft Office process spawns a commonly abused process with an uncommon command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft Office process spawns conhost.exe Low

    This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.
    Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations

    We have identified unpopular domain(s) in URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Internal email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Outbound email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

  • Unpopular domains detected in email URLs for a recipient Informational Email 1 variation

    We have identified unpopular domain(s) within these email URLs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Highly unpopular URL domain(s) for mailbox detected in email

    Informational overridden

    We have identified unpopular domain(s) within these email URLs. overridden

  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden