Cloud email infrastructure enumeration activity

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Severity

Informational

Description

A cloud identity attempted to discover the email-sending resources available within the cloud environment.
This may indicate an adversary mapping the organization's email-sending environment to find cloud resources that could be used to send phishing emails or spam.
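The detection described above, worked through on constructed CloudTrail-style records as an added example; this is not Cortex XDR's detection logic. The event names are real read-only AWS SES / SES v2 API calls, but which calls count as "email-sending resource discovery", the per-day grouping and the distinct-call threshold are this example's assumptions, not the product's.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (JSON lines, trimmed to the fields used).
SAMPLE_LOG = """\
{"eventTime":"2025-06-24T10:00:01Z","eventSource":"ses.amazonaws.com","eventName":"ListIdentities","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2025-06-24T10:00:40Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2025-06-24T10:01:15Z","eventSource":"ses.amazonaws.com","eventName":"GetAccountSendingEnabled","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2025-06-24T10:09:00Z","eventSource":"ses.amazonaws.com","eventName":"ListIdentities","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2025-06-24T11:00:00Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","userIdentity":{"arn":"arn:aws:iam::123456789012:role/app-mailer"}}
{"eventTime":"2025-06-25T09:00:00Z","eventSource":"ses.amazonaws.com","eventName":"ListEmailIdentities","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
"""

# Assumption: these read-only SES / SES v2 API calls reveal sending identities,
# quotas and configuration; the page does not say which calls it keys on.
EMAIL_DISCOVERY_CALLS = {
    "ListIdentities", "GetSendQuota", "GetAccountSendingEnabled",
    "ListConfigurationSets", "ListEmailIdentities", "GetAccount",
}

def load_events(text):
    """Parse JSON-lines audit records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_discovery(event):
    """True for a read-only SES call that maps email-sending resources."""
    return (event.get("eventSource", "").startswith("ses")
            and event.get("eventName") in EMAIL_DISCOVERY_CALLS)

def detect(events, min_distinct=2):
    """Group discovery calls per (identity, UTC day) and emit at most one
    Informational alert per identity per day, mirroring the 1-day deduplication
    period. min_distinct is this example's threshold, not the product's."""
    seen = defaultdict(set)
    for ev in events:
        if is_discovery(ev):
            key = (ev["userIdentity"]["arn"], ev["eventTime"][:10])
            seen[key].add(ev["eventName"])
    return [{"identity": arn, "day": day, "severity": "Informational",
             "discovery_calls": sorted(calls)}
            for (arn, day), calls in sorted(seen.items())
            if len(calls) >= min_distinct]

if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert)
```

Only `alice` on 2025-06-24 crosses the threshold; the repeated `ListIdentities` call is folded into the same alert, and the single next-day call stays below it.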

Attacker's Goals

Map the cloud email environment and detect potential email resources to abuse.

Investigative actions

  • Check the identity's role designation in the organization.
  • Identify which available email resources were discovered.
  • Investigate whether the discovered email resources were used to send phishing emails or spam, or to carry out other attacks in the cloud environment.