Potential spoofing of internal domain spotted

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-03-10
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Employee Impersonation, Spear Phishing
ATT&CK Tactic	Initial Access (TA0001) Defense Evasion (TA0005)
ATT&CK Technique	Phishing (T1566) Impersonation (T1656)
Severity	Informational

Description

An external sender is possibly impersonating an employee by spoofing the company's internal address.

Attacker's Goals

Get credentials for internal systems.
Executing financial transfers from the company to the attacker's account.
Extracting information outside the company.
Encrypting critical information and demanding a ransom.

Investigative actions

Check the received header path, especially the sender host.
Check DMARC, SPF AND DKIM authentication results.
Verify whether the sender's IP address has appeared in different log sources before and its reputation.
If the message contains attachments or links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.