Analytics Alerts
Browse the Cortex analytics alert reference.
12 alerts match the current filters. technique: T1656 ✕
Show ATT&CK heatmapExternal email display name impersonation of internal personnel Informational Email 1 variation
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email display name impersonation of internal personnel, using a public provider
Informational overridden
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user. overridden
Potential spoofing of internal domain spotted Informational Email
An external sender is possibly impersonating an employee by spoofing the company's internal address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing (T1566) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Suspicious DKIM Result Informational Email 4 variations
The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation, and check why DKIM didn't pass. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Known domain DKIM deviation
Informational overridden
An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
Lack DKIM signature from typically signing domains
Informational overridden
An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
DKIM results lacking sender correlation
Informational overridden
The email's authentication results have no indication of proper signing from the email's sender This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Known domain suspicious DKIM result
Informational overridden
An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days. This may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Suspicious DMARC result Informational Email 3 variations
The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Check the reason DMARC didn't pass and the action. Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
DMARC deviation from historically compliant domain
Informational overridden
This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DMARC outcome from a previously trusted external domain warrants further investigation. overridden
DMARC failure bypassed domain policy
Informational overridden
This indicates the message should have been rejected according to the domain owner policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing. This suggests a potential policy bypass or misconfiguration in mail filtering. overridden
DMARC failed with non-enforcing policy
Informational overridden
This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes. Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution. overridden
Suspicious SPF Result Informational Email 3 variations
The email has a suspicious SPF result of fail, soft fail, or policy, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify the domain's connection to the IP address and investigate the reason SPF didn't pass. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Internal domain SPF deviation
Informational overridden
An email was sent from an internal root domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a trusted internal sender, a tactic commonly associated with BEC and internal phishing. Such a sudden SPF outcome from a typically trusted domain warrants further investigation. overridden
Known domain SPF deviation
Informational overridden
An email was sent from a commonly seen domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such a sudden SPF outcome from a previously trusted external domain warrants further investigation. overridden
Known domain unusual SPF result
Informational overridden
A commonly seen root domain has returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. While other suspicious SPF outcomes may have occurred previously for this domain, this is the first instance of this particular SPF result. Such a shift in SPF behavior may signal evolving abuse tactics, domain misconfiguration, or an attempted spoof using unauthorized infrastructure. overridden
Suspicious Unicode character detected in email Informational Email 3 variations
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Phishing terms obfuscation using Unicode characters detected in email
Low overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Words obfuscation using Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Multiple suspicious Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Unusual hostname for the sending mail server in the email headers Informational Email
The detected mail server hostname had not been observed in the organization's emails in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Unusual sender IP subnet Informational Email 2 variations
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Unusual sender IP subnet associated with infrastructure or tunneling services
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Unusual sender IP subnet associated with internal sender
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Usage of homograph characters detected in an email Informational Email
Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Usage of homograph characters detected in an email's from header Informational Email
Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Well-known brand in sender headers with header inconsistencies Informational Email
Sender headers include a well-known brand with header inconsistencies indicating possible impersonation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Brand ImpersonationAttacker's goals: Impersonate known legitimate brands or other technological entities to trick recipients into disclosing information or executing malicious code unwillingly.Investigative actions: Identify the specific emails responsible for the accumulation of these alerts. Review their headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk. Document and escalate findings in case this is a broader phenomenon.X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations
This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type
Informational overridden
X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden
Email identified by X-Forefront-Antispam-Report as a phishing attempt
Informational overridden
X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt
Informational overridden
X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as impersonating internal communication
Informational overridden
X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden
X-Forefront-Antispam-Report has strongly flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report has flagged this email as a bulk email
Informational overridden
X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden
X-Forefront-Antispam-Report has flagged an internal email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden
X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain
Informational overridden
This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden
X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques
Informational overridden
X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden