Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

10 alerts match the current filters. tactic: TA0005 ✕ technique: T1204 ✕

Show ATT&CK heatmap
  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Suspicious SearchProtocolHost.exe parent process Medium

    SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden