Analytics Alerts
Browse the Cortex analytics alert reference.
6 alerts match the current filters. technique: T1598 ✕
Show ATT&CK heatmapEmail marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: SpamAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email with high Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with high Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email was received from an unknown address using a public provider domain Informational Email
The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown sender using a disposable domain Low Email
The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender address in the organization Informational Email
An email was received from a sender that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender domain in the organization Informational Email
An email was received from a domain that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Unusual display name in From header Informational Email 2 variations
An email was detected with an unusual display name in the From header.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Evade defenses and hide potential malicious data inside the email display name.Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.Variations
Unusual display name in the From header containing an embedded URL
Low overridden
An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden
Unusual display name in the From header that is identical to the email address
Informational overridden
An email was detected where the display name in the From header is unusual and matches the sender email address. overridden