EMAIL BETA - Email has a short body or subject and was sent from an external source

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2025-04-21
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Gather Victim Identity Information (T1589)

Severity

Informational

Description

A message with these properties may or may not be a reconnaissance attempt. Reconnaissance messages are used to check whether a recipient's email address is valid (an address that bounces is dead, while one that is silently accepted belongs to a live mailbox), often as a first step before launching an attack.

Attacker's Goals

Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).

Investigative actions

  • Check the content of the body, and whether it has any relevance to the recipients.
  • Check the sender's address and domain for unusual spellings or missing letters that imitate a trusted domain.
  • Verify the sender's address to confirm its legitimacy.
  • Check for previous emails from the sender's address.
  • Verify whether the sender's IP address has appeared in other log sources (such as firewall, VPN or proxy logs) before.

Variations

EMAIL BETA - Email has empty body and subject and was sent from an external source

Synopsis

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Gather Victim Identity Information (T1589)

Severity

Informational

Description

A message with these properties may or may not be a reconnaissance attempt. Reconnaissance messages are used to check whether a recipient's email address is valid (an address that bounces is dead, while one that is silently accepted belongs to a live mailbox), often as a first step before launching an attack.

Attacker's Goals

Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).

Investigative actions

  • Check the content of the body, and whether it has any relevance to the recipients.
  • Check the sender's address and domain for unusual spellings or missing letters that imitate a trusted domain.
  • Verify the sender's address to confirm its legitimacy.
  • Check for previous emails from the sender's address.
  • Verify whether the sender's IP address has appeared in other log sources (such as firewall, VPN or proxy logs) before.


EMAIL BETA - Email has empty body or subject and was sent from an external source

Synopsis

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Gather Victim Identity Information (T1589)

Severity

Informational

Description

A message with these properties may or may not be a reconnaissance attempt. Reconnaissance messages are used to check whether a recipient's email address is valid (an address that bounces is dead, while one that is silently accepted belongs to a live mailbox), often as a first step before launching an attack.

Attacker's Goals

Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).

Investigative actions

  • Check the content of the body, and whether it has any relevance to the recipients.
  • Check the sender's address and domain for unusual spellings or missing letters that imitate a trusted domain.
  • Verify the sender's address to confirm its legitimacy.
  • Check for previous emails from the sender's address.
  • Verify whether the sender's IP address has appeared in other log sources (such as firewall, VPN or proxy logs) before.
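
The following is an added example, not Cortex XDR code and not taken from this reference: it models the three alert conditions described on this page (short body or subject; empty body and subject; empty body or subject, each for an external sender) and then applies the investigative actions listed for the main alert and both variations to a single message. The internal and trusted domains, the short-message threshold, the lookalike similarity ratio, the sample messages, the mail history and the log-source IP sets are all constructed assumptions; the product's real thresholds are not published here.

```python
# Added example (not part of the Cortex XDR documentation): triage helpers for the
# "EMAIL BETA - short/empty body or subject from an external source" alert family.
# All domains, thresholds, messages and log sources below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional
import difflib

INTERNAL_DOMAINS = {"example.com"}                 # assumption: the tenant's own domains
TRUSTED_DOMAINS = {"example.com", "partner.org"}   # assumption: domains worth a lookalike check
SHORT_THRESHOLD = 16                               # assumption: the product's threshold is not published
LOOKALIKE_RATIO = 0.85                             # assumption: this similar, but not equal, is suspicious


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    sender_ip: str


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return sender_domain(addr) not in INTERNAL_DOMAINS


def classify(email: Email) -> Optional[str]:
    """Return which variant of the alert the message matches, or None.
    The most specific condition (empty body AND subject) is tested first so that a
    fully empty message is not also reported under the weaker 'or' variants."""
    if not is_external(email.sender):
        return None
    subject, body = email.subject.strip(), email.body.strip()
    if not subject and not body:
        return "empty body and subject"
    if not subject or not body:
        return "empty body or subject"
    if len(subject) < SHORT_THRESHOLD or len(body) < SHORT_THRESHOLD:
        return "short body or subject"
    return None


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """The 'unusual spellings' / 'missing letters' check: return the trusted domain
    that the sender's domain closely resembles without matching it exactly."""
    if domain in trusted:
        return None
    for candidate in sorted(trusted):
        if difflib.SequenceMatcher(None, domain, candidate).ratio() >= LOOKALIKE_RATIO:
            return candidate
    return None


def triage(email: Email, mail_history: list, log_sources: dict) -> dict:
    """Apply the investigative actions to one alert and return the findings.
    mail_history: previously seen Email records; log_sources: log name -> set of
    source IPs seen in that log (e.g. firewall, VPN, proxy). Both are constructed."""
    domain = sender_domain(email.sender)
    prior = [m for m in mail_history if sender_domain(m.sender) == domain]
    return {
        "variant": classify(email),
        # crude proxy for "relevance to the recipient": does the body name them at all?
        "body_mentions_recipient": email.recipient.split("@")[0].lower() in email.body.lower(),
        "lookalike_of": lookalike_domain(domain),
        "prior_messages_from_domain": len(prior),
        "ip_seen_in": sorted(name for name, ips in log_sources.items() if email.sender_ip in ips),
    }


# Constructed sample data: a one-word subject with an empty body from a domain that
# imitates the tenant's own, sent from an IP the firewall has already logged.
SAMPLE = Email("news@examp1e.com", "alice@example.com", "hi", "", "198.51.100.7")
HISTORY = [Email("bob@partner.org", "alice@example.com", "Q2 contract",
                 "Alice, the draft contract is attached for review.", "203.0.113.9")]
LOGS = {"firewall": {"198.51.100.7", "203.0.113.9"}, "vpn": {"203.0.113.9"}, "proxy": set()}

if __name__ == "__main__":
    print(triage(SAMPLE, HISTORY, LOGS))
```

Run on the sample, the triage reports the "empty body or subject" variant, a sender domain that is a lookalike of example.com, no prior mail from that domain, and a sender IP already present in the firewall log: together those are the facts an analyst needs to decide whether the message is noise or the first step of a campaign.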