Possible Email collection using Outlook RPC

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Email Collection: Local Email Collection (T1114.001)

Severity

Informational

Description

Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.

Attacker's Goals

An attacker is trying to perform email collection or manipulation using Outlook.

Investigative actions

Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.