Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. tactic: TA0005 ✕ technique: T1566 ✕

Show ATT&CK heatmap
  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden

  • Microsoft Office injects code into a process Low 5 variations

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned Microsoft Office injects code into a process

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to a non-standard PE section

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to an undeclared memory page

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process from an unsigned process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

  • Potential spoofing of internal domain spotted Informational Email

    An external sender is possibly impersonating an employee by spoofing the company's internal address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.
    Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden