Risk indicators detected in email

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

2 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

Phishing

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

The email contains risk indicators correlated to an imminent threat.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Review the email headers and metadata to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk.
  • Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.

Variations

Potential Brand Impersonation has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

The email shows behaviors suggestive of brand impersonation: deliberate mimicry of an established brand's communications, combined with suspicious transmission characteristics, crafted to lower recipient vigilance and prompt harmful engagement.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Review the email headers and metadata to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk.
  • Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.


Potential Phishing has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

The email shows behaviors typical of generic phishing: mass-distributed messages that impersonate authentic sources, reassembled to evade conventional filtering and prompt the unguarded disclosure of sensitive data.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Review the email headers and metadata to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk.
  • Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.


Potential Spear Phishing has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

Behaviors in the email characteristic of spear phishing involve the deliberate crafting of highly personalized messages designed to impersonate trusted entities, enabling attackers to bypass security controls and exploit individual recipient vulnerabilities.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Review the email headers and metadata to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk.
  • Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.


Potential Business Email Compromise has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

The email shows behaviors indicative of Business Email Compromise: communications reassembled to mirror trusted executive correspondence, engineered to bypass internal security protocols and prompt unauthorized financial directives.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Review the email headers and metadata to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk.
  • Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.
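As an added example (not part of the Cortex XDR reference or its detection logic), the header-review step listed under each investigative-actions block above, in working Python: it parses a constructed header block and flags the spoofing and routing indicators an analyst checks first. The domains, the Authentication-Results verdicts and the Received-hop threshold are constructed assumptions.

```python
# Added example, not Cortex XDR code: triage a raw header block for the
# indicators the "review the email headers" step asks for: failing or missing
# SPF/DKIM/DMARC results, Return-Path or Reply-To domains that do not match the
# header From domain, and an unusually long Received chain.
import email
from email.utils import parseaddr

# Constructed sample (fictitious domains and hosts) for demonstration only.
SAMPLE_HEADERS = """From: "Accounts Payable" <ap@example-bank.com>
Reply-To: ap.invoices@mail-example.net
Return-Path: <bounce@mail-example.net>
To: finance@example.org
Subject: Urgent wire transfer confirmation
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-example.net;
 dkim=none; dmarc=fail header.from=example-bank.com
Received: from mta3.mail-example.net by mx.example.org; Wed, 14 Jan 2026 09:10:00 +0000
Received: from relay2.example-isp.net by mta3.mail-example.net; Wed, 14 Jan 2026 09:09:50 +0000
Received: from relay1.example-isp.net by relay2.example-isp.net; Wed, 14 Jan 2026 09:09:40 +0000
Received: from host.example-cloud.com by relay1.example-isp.net; Wed, 14 Jan 2026 09:09:30 +0000
Received: from unknown (HELO localhost) by host.example-cloud.com; Wed, 14 Jan 2026 09:09:20 +0000

"""


def _domain(header_value):
    """Lowercase domain of the first address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def triage_headers(raw_headers, max_hops=4):
    """Return a list of indicator strings found in a raw RFC 5322 header block.

    max_hops is an assumed threshold for "unusual routing"; tune it per environment.
    """
    msg = email.message_from_string(raw_headers)
    findings = []
    from_dom = _domain(msg["From"])
    # Envelope sender and reply target should normally align with the visible From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results may be folded across lines; normalise before matching.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        for verdict in ("fail", "none", "softfail", "permerror", "temperror"):
            if f"{mech}={verdict}" in auth:
                findings.append(f"{mech} result is {verdict}")
                break
    hops = len(msg.get_all("Received", []))
    if hops > max_hops:
        findings.append(f"unusual routing: {hops} Received hops (threshold {max_hops})")
    return findings
```

Each returned string is one indicator to record in the case notes; an empty list means none of these header checks fired, not that the message is safe.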