Unusual attachment volume in outbound emails

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Hour

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

Exfiltration

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.

Attacker's Goals

  • Extracting valuable information outside the company.
  • Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.

Investigative actions

  • Check the content of the email that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

Variations

Unusual attachment volume in outbound emails to a single external recipient

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe.

Attacker's Goals

  • Extracting valuable information outside the company.
  • Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.

Investigative actions

  • Check the content of the email that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.


Unusual attachment amount and size in outbound emails

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.

Attacker's Goals

  • Extracting valuable information outside the company.
  • Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.

Investigative actions

  • Check the content of the email that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.