Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

6 alerts match the current filters. technique: T1598 ✕

Show ATT&CK heatmap
  • Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Spam
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email with high Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with high Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

  • Email was received from an unknown address using a public provider domain Informational Email

    The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown sender using a disposable domain Low Email

    The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender address in the organization Informational Email

    An email was received from a sender that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender domain in the organization Informational Email

    An email was received from a domain that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Unusual display name in From header Informational Email 2 variations

    An email was detected with an unusual display name in the From header.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Evade defenses and hide potential malicious data inside the email display name.
    Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.

    Variations

    Unusual display name in the From header containing an embedded URL

    Low overridden

    An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden

    Unusual display name in the From header that is identical to the email address

    Informational overridden

    An email was detected where the display name in the From header is unusual and matches the sender email address. overridden