Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. technique: T1589 ✕

Show ATT&CK heatmap
  • Near-empty email from an external sender Informational Email 3 variations

    The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Gather Victim Identity Information (T1589)
    Required data: Microsoft 365 Emails
    Detector tags: Reconnaissance
    Attacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
    Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.

    Variations

    Blank email with an inline attachment from an external sender

    Informational overridden

    This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden

    Blank email with an attachment from an external sender

    Informational overridden

    The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden

    Empty email from an external sender

    Informational overridden

    The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden