Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | Exfiltration |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
Identifies outbound emails sent to external recipients that include links to file-sharing services.
Attacker's Goals
Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
Investigative actions
- Review the shared URL to determine if the file is publicly accessible or shared outside the organization.
- Check if the file-sharing domain has been previously used by this sender or others in the organization.
- Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.
Variations
- Outbound email to external recipient(s) uses first-seen for organization file-sharing service
- Outbound email to external recipient(s) uses first-seen for sender file-sharing service
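The first-seen checks behind the investigative actions and the two variations can be reproduced offline over exported mail records. The sketch below is an added example, not the product's detection logic. It assumes a hypothetical file-sharing domain list, an internal mail domain of `example.com`, a made-up `known service` label for the non-variation case, and constructed sample messages; only the 30-day window comes from the synopsis.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

FILE_SHARING = {"dropbox.com", "drive.google.com", "wetransfer.com"}  # assumed list
ORG_DOMAIN = "example.com"       # assumed internal mail domain
TRAINING = timedelta(days=30)    # training period from the synopsis
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sharing_domains(body):
    """Return the file-sharing domains linked in a message body."""
    found = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # Match the domain itself or a subdomain, never a lookalike prefix.
        found |= {d for d in FILE_SHARING if host == d or host.endswith("." + d)}
    return found

def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def recent(last, now):
    return last is not None and now - last <= TRAINING  # inside the baseline window

def classify(emails):
    """Label each outbound file-sharing link; emails must be sorted by time."""
    org_seen, sender_seen, alerts = {}, {}, []
    for mid, ts, sender, rcpts, body in emails:
        if not any(is_external(r) for r in rcpts):
            continue  # internal-only mail is out of scope
        for d in sorted(sharing_domains(body)):
            if not recent(org_seen.get(d), ts):
                label = "first-seen for organization"
            elif not recent(sender_seen.get((sender, d)), ts):
                label = "first-seen for sender"
            else:
                label = "known service"  # assumed label for the base alert
            alerts.append((mid, d, label))
            org_seen[d] = sender_seen[(sender, d)] = ts
    return alerts

T0 = datetime(2024, 1, 1)
SAMPLE = [  # constructed messages, not real data
    ("m1", T0, "alice@example.com", ["bob@partner.test"], "https://www.dropbox.com/s/abc"),
    ("m2", T0 + timedelta(days=1), "alice@example.com", ["carol@example.com"], "https://wetransfer.com/d/1"),
    ("m3", T0 + timedelta(days=2), "dave@example.com", ["bob@partner.test"], "https://www.dropbox.com/s/def"),
    ("m4", T0 + timedelta(days=3), "alice@example.com", ["bob@partner.test"], "https://www.dropbox.com/s/ghi"),
    ("m5", T0 + timedelta(days=40), "alice@example.com", ["bob@partner.test"], "https://www.dropbox.com/s/jkl"),
]
```

Calling `classify(SAMPLE)` shows the same service flipping back to first-seen for the organization once it has been unused for longer than the training window, which is why an old baseline should not be treated as permanent.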