EMAIL BETA - Potential employee impersonation in email with financial or urgent context

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2025-04-21
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

An email potentially attempting to impersonate an internal employee, with financial or urgency context, was detected.

Attacker's Goals

Exploit trust relationships within the organization to manipulate sensitive users into taking urgent actions, such as disclosing confidential information, transferring funds, or clicking a malicious link.

Investigative actions

  • Identify the specific emails responsible for the accumulation of these alerts.
  • Review their headers and content for patterns or anomalies.
  • Assess the email's context and attack techniques to determine the potential risk.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
  • Document and escalate findings in case this is a broader phenomenon.

Variations

EMAIL BETA - Potential employee impersonation with financial or urgent context sent to a sensitive user

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

Detection of potential employee impersonation involving financial or urgent requests targeting sensitive users (e.g., executives, finance team members, or employees with elevated access), indicating a possible phishing or social engineering attempt.

Attacker's Goals

Exploit trust relationships within the organization to manipulate sensitive users into taking urgent actions, such as disclosing confidential information, transferring funds, or clicking a malicious link.

Investigative actions

  • Identify the specific emails responsible for the accumulation of these alerts.
  • Review their headers and content for patterns or anomalies.
  • Assess the email's context and attack techniques to determine the potential risk.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
  • Document and escalate findings in case this is a broader phenomenon.
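The header and content review in the investigative actions above (for both the base alert and the sensitive-user variation) can be scripted for triage. The following is an added example, not Cortex XDR's own detection logic; the staff directory, sensitive-user list, keyword list and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (assumed, not from the alert reference).
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
SENSITIVE_USERS = {"cfo@example.com", "ap@example.com"}  # executives / finance
# Lexical cues for the "financial or urgent context" the alert name refers to.
CONTEXT_WORDS = re.compile(
    r"\b(urgent|asap|immediately|wire|transfer|invoice|payment|gift card)\b", re.I)

def assess(raw_email: str) -> dict:
    """Triage one raw RFC 5322 message for employee impersonation with urgency."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    findings = []
    # 1. Display name matches a known employee, but the address is not that employee's.
    expected = INTERNAL_STAFF.get(from_name.strip().lower())
    impersonation = bool(expected) and from_addr.lower() != expected
    if impersonation:
        findings.append(f"display name '{from_name}' belongs to {expected}, sender is {from_addr}")
        sender_domain = from_addr.rsplit("@", 1)[-1].lower()
        if sender_domain != INTERNAL_DOMAIN:
            findings.append(f"sender domain {sender_domain} is external")
    # 2. Reply-To steers replies away from the visible sender (a common header anomaly).
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. Financial / urgency vocabulary in subject or body.
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode(errors="replace")
    cues = sorted({m.lower() for m in CONTEXT_WORDS.findall(text)})
    if cues:
        findings.append("context cues: " + ", ".join(cues))
    # Mirror the page's severities: Low for any target, Medium when a sensitive user is targeted.
    suspicious = impersonation and bool(cues)
    severity = ("medium" if to_addr in SENSITIVE_USERS else "low") if suspicious else "none"
    return {"suspicious": suspicious, "severity": severity, "findings": findings}

# Constructed sample message: spoofed display name, external domain, divergent Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: jd.accounts@mail-example.net
To: cfo@example.com
Subject: Urgent wire transfer before 5pm

Hi, I need you to process a payment to a new vendor immediately.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```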