Cloud email sending was enabled

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Resource Development (TA0042)

ATT&CK Technique

Compromise Accounts: Email Accounts (T1586.002)

Severity

Informational

Description

Cloud email sending (AWS SES, as recorded in the AWS Audit Log) was enabled for the cloud account.

Attacker's Goals

Use the compromised account's email-sending capability to deliver phishing messages or distribute malware.

Investigative actions

  • Check whether the identity has performed email-related (SES) operations in the past.
  • Check whether this account is expected to send email at all.

Variations

Cloud email sending was enabled by an unusual identity

Synopsis

ATT&CK Tactic

Resource Development (TA0042)

ATT&CK Technique

Compromise Accounts: Email Accounts (T1586.002)

Severity

Low

Description

Cloud email sending (AWS SES) was enabled for the cloud account.
The identity that enabled it had not performed any SES operations in the preceding 30 days (the training period).

Attacker's Goals

Use the compromised account's email-sending capability to deliver phishing messages or distribute malware.

Investigative actions

  • Check whether the identity has performed email-related (SES) operations in the past.
  • Check whether this account is expected to send email at all.
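The base alert and the "unusual identity" variation above both reduce to one rule over the AWS Audit Log: find the SES call that turns sending on, then ask whether the calling identity has a 30-day SES baseline. The following is an added illustration, not Cortex XDR's detector or any Palo Alto Networks code; it replays constructed CloudTrail-shaped records through that rule. The specific SES event names and request flags treated as "enable sending" (UpdateAccountSendingEnabled / UpdateConfigurationSetSendingEnabled with `enabled`, PutAccountSendingAttributes with `sendingEnabled`), the use of `userIdentity.arn` as the identity key, and per-identity deduplication are assumptions made here, not details taken from the page.

```python
"""Added example (not Cortex XDR's own detector): replay constructed AWS
CloudTrail records through a small analytics rule that raises
"Cloud email sending was enabled" and its "unusual identity" variation.

Assumptions made here and not taken from the page:
  * the SES calls that count as enabling sending are the v1
    UpdateAccountSendingEnabled / UpdateConfigurationSetSendingEnabled
    calls (flag "enabled") and the v2 PutAccountSendingAttributes call
    (flag "sendingEnabled");
  * an identity's "past SES operations" are any ses.amazonaws.com events
    under the same userIdentity.arn in the 30-day training period;
  * deduplication is per identity and variation over 5 days.
"""
from datetime import datetime, timedelta, timezone

SES_SOURCE = "ses.amazonaws.com"
# eventName -> name of the boolean requestParameters flag (assumption)
ENABLE_SENDING_EVENTS = {
    "UpdateAccountSendingEnabled": "enabled",
    "UpdateConfigurationSetSendingEnabled": "enabled",
    "PutAccountSendingAttributes": "sendingEnabled",
}
TRAINING_WINDOW = timedelta(days=30)   # "Training Period: 30 Days"
DEDUP_WINDOW = timedelta(days=5)       # "Deduplication Period: 5 Days"


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2025-05-20T10:15:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_enable_sending(rec):
    """True when the record turns SES sending on (a call that disables it does not match)."""
    if rec.get("eventSource") != SES_SOURCE:
        return False
    flag = ENABLE_SENDING_EVENTS.get(rec.get("eventName"))
    if flag is None:
        return False
    params = rec.get("requestParameters") or {}
    return params.get(flag) is True


def detect(records):
    """Return the alerts the rule would raise, in time order."""
    recs = sorted(records, key=lambda r: parse_time(r["eventTime"]))
    last_alert = {}   # (identity, variation) -> time of last emitted alert
    alerts = []
    for i, rec in enumerate(recs):
        if not is_enable_sending(rec):
            continue
        now = parse_time(rec["eventTime"])
        ident = rec["userIdentity"]["arn"]
        # Baseline: did this identity touch SES at all during the training window?
        seen_in_ses = any(
            r["userIdentity"]["arn"] == ident
            and r.get("eventSource") == SES_SOURCE
            and now - TRAINING_WINDOW <= parse_time(r["eventTime"]) < now
            for r in recs[:i]
        )
        if seen_in_ses:
            variation, severity = "base", "Informational"
        else:
            variation, severity = "unusual identity", "Low"
        key = (ident, variation)
        prev = last_alert.get(key)
        if prev is not None and now - prev < DEDUP_WINDOW:
            continue   # suppressed by the deduplication period
        last_alert[key] = now
        alerts.append({
            "time": rec["eventTime"],
            "identity": ident,
            "event": rec["eventName"],
            "severity": severity,
            "variation": variation,
        })
    return alerts


# Constructed sample log, trimmed to the fields the rule reads.
SAMPLE_RECORDS = [
    {"eventTime": "2025-05-01T09:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "SendEmail", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mail-admin"}},
    {"eventTime": "2025-05-20T10:15:00Z", "eventSource": SES_SOURCE,
     "eventName": "UpdateAccountSendingEnabled",
     "requestParameters": {"enabled": True},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mail-admin"}},
    {"eventTime": "2025-05-21T03:40:00Z", "eventSource": SES_SOURCE,
     "eventName": "PutAccountSendingAttributes",
     "requestParameters": {"sendingEnabled": True},
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    {"eventTime": "2025-05-21T04:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "UpdateAccountSendingEnabled",
     "requestParameters": {"enabled": False},   # disabling: not an alert
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    {"eventTime": "2025-05-22T08:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "UpdateAccountSendingEnabled",
     "requestParameters": {"enabled": True},    # repeat within 5 days: deduplicated
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mail-admin"}},
    {"eventTime": "2025-05-22T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mail-admin"}},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(a["time"], a["severity"], a["variation"], a["identity"], a["event"])
```

On the sample data the rule raises two alerts: an Informational one for mail-admin, whose SendEmail call 19 days earlier puts it inside the training window, and a Low "unusual identity" one for the ci-deploy role, which has no prior SES activity. The role's later call that sets the flag to false is ignored, and mail-admin's repeat two days later is swallowed by the 5-day deduplication window. The investigative actions listed above map directly onto the two inputs of this rule: the identity's SES history and whether the account is meant to send email at all.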