Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0006 ✕ technique: T1204 ✕
Show ATT&CK heatmapEmail contains URL delivering high-risk file type Informational Email 1 variation
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.Variations
External email with URL delivers blocked file types
Low overridden
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden
External email with a single internal recipient hidden in BCC Informational Email 1 variation
External email with mailbox owner hidden in BCC as the only internal recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
External email with only a hidden internal BCC recipient
Informational overridden
External email with no visible recipients, mailbox owner is hidden in BCC. overridden
Moniker link detected in URL(s) Informational Email 2 variations
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user on clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
A suspicious Moniker link, SMB and suspicious extension detected
Medium overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
A suspicious Moniker link pointing to SMB detected
Low overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations
Identifies outbound emails that include links to file-sharing services sent externally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.Variations
Outbound email to external recipient(s) uses first-seen for organization file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email to external recipient(s) uses first-seen for sender file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation
Internal sender BCC'd an external recipient whose address has not been observed in prior communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
Outbound email sent to an unknown external BCC recipient with no To or CC addresses
Low overridden
Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden
Outbound email to an address hosted by a public email service provider Informational Email 1 variation
Internal sender emailed to an address hosted by a public email service provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Outbound email to a single address hosted by a public email service provider
Informational overridden
Internal sender emailed to a single recipient with public email service provider. overridden
Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)Required data: AzureADAttacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.Variations
OAuth Token Theft - Potential Session Hijacking Detected from new ASN
Low overridden
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden
Sudden spike in outbound email volume Informational Email 2 variations
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 2 Hours
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Sudden spike in outbound emails sent to external recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudden spike in outbound emails sent to internal recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation
Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.Variations
Usage of homograph characters detected in an email attachment(s) extension
Low overridden
Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden