Sudden spike in outbound email volume

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	2 Hours
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

Check the content of the email that was sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

Check the content of the email that was sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

Check the content of the email that was sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.