Outbound email to an address hosted by a public email service provider

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Exfiltration, Account Takeover
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

Internal sender emailed to an address hosted by a public email service provider.

Check the content of the email that was sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Internal sender emailed to a single recipient with public email service provider.

Check the content of the email that was sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.