Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Outlook was executed using RPC by an uncommon parent process. This may be an indication of email collection activities.
Attacker's Goals
An attacker is trying to perform email collection or manipulation using Outlook.
Investigative actions
Investigate the endpoint to determine whether the parent process is a legitimate one that is expected to use Outlook in its operation to send or extract emails.
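The sketch below is an added example, not the product's own detection logic. It shows how the 30-day training period and 1-day deduplication period from the synopsis could be applied to process telemetry to flag Outlook launched over RPC by an uncommon parent. The event fields, the MIN_PRIOR threshold, and all host and process names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # Training Period from the synopsis
DEDUP = timedelta(days=1)      # Deduplication Period from the synopsis
MIN_PRIOR = 5                  # assumption: fewer prior launches means "uncommon"

def is_outlook_rpc(e):
    return e["child"].lower() == "outlook.exe" and e["via_rpc"]

def detect(events, detect_from):
    """Return (ts, host, parent) for Outlook RPC launches by uncommon parents."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, last_alert = [], {}
    for i, e in enumerate(events):
        if e["ts"] < detect_from or not is_outlook_rpc(e):
            continue  # training-only event, or not the behaviour of interest
        parent = e["parent"].lower()
        # Baseline: how often this parent launched Outlook in the prior 30 days.
        prior = sum(1 for p in events[:i]
                    if is_outlook_rpc(p) and p["parent"].lower() == parent
                    and p["ts"] >= e["ts"] - TRAINING)
        if prior >= MIN_PRIOR:
            continue  # parent is established in the baseline
        key = (e["host"], parent)
        if key in last_alert and e["ts"] - last_alert[key] < DEDUP:
            continue  # same host and parent already alerted within a day
        last_alert[key] = e["ts"]
        alerts.append((e["ts"], e["host"], parent))
    return alerts

# Constructed sample telemetry; hosts and process names are made up.
T0 = datetime(2024, 1, 1)

def ev(day, hour, host, parent, via_rpc=True):
    return {"ts": T0 + timedelta(days=day, hours=hour), "host": host,
            "parent": parent, "child": "OUTLOOK.EXE", "via_rpc": via_rpc}

SAMPLE = [ev(d, 9, "ws-01", "crm_sync.exe") for d in range(30)] + [
    ev(31, 9, "ws-01", "crm_sync.exe"),      # established parent: no alert
    ev(31, 10, "ws-02", "report_tool.exe"),  # first sighting: alert
    ev(31, 15, "ws-02", "report_tool.exe"),  # within 1 day: deduplicated
    ev(33, 11, "ws-02", "report_tool.exe"),  # still rare, 2 days later: alert
    ev(33, 12, "ws-03", "helper.exe", via_rpc=False),  # not via RPC: ignored
]

if __name__ == "__main__":
    for ts, host, parent in detect(SAMPLE, T0 + timedelta(days=30)):
        print(ts.isoformat(), host, parent)
```

A parent that already appears in the baseline, such as a mail-integrated line-of-business tool, produces no alert, which is the same distinction the investigative action asks the analyst to make by hand.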