Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0043 ✕ technique: T1589 ✕
Show ATT&CK heatmapNear-empty email from an external sender Informational Email 3 variations
The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Gather Victim Identity Information (T1589)Required data: Microsoft 365 EmailsDetector tags: ReconnaissanceAttacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.Variations
Blank email with an inline attachment from an external sender
Informational overridden
This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden
Blank email with an attachment from an external sender
Informational overridden
The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden
Empty email from an external sender
Informational overridden
The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden