EMAIL BETA - Email attachment with multiple extensions

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-04-21

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Execution (TA0002) Defense Evasion (TA0005)
ATT&CK Technique	User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
Severity	Informational

This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

Deploy malicious attachments through emails to compromise systems or gain unauthorized access.

Check the file types and investigate the legitimacy of files intended to be sent via email.
Scrutinize the attachments for any suspicious indications.
Confirm whether the attachments were successfully delivered to the recipient's mailbox.
If the attachments were delivered successfully, verify whether the recipient downloaded them.
Check the email address for any unusual spellings or missing letters.
Verify the sender's address to confirm its legitimacy.
Check for previous emails from the sender's address.

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

This email includes an attachment with multiple extensions, the last one is executable related.

Deploy malicious attachments through emails to compromise systems or gain unauthorized access.

Check the file types and investigate the legitimacy of files intended to be sent via email.
Scrutinize the attachments for any suspicious indications.
Confirm whether the attachments were successfully delivered to the recipient's mailbox.
If the attachments were delivered successfully, verify whether the recipient downloaded them.
Check the email address for any unusual spellings or missing letters.
Verify the sender's address to confirm its legitimacy.
Check for previous emails from the sender's address.