Synopsis
Activation Period | 14 Days |
Training Period | 30 Days |
Test Period | N/A (single event) |
Deduplication Period | 1 Day |
Required Data | |
Detection Modules | |
Detector Tags | |
ATT&CK Tactic | |
ATT&CK Technique | |
Severity | Low |
Description
An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.
Attacker's Goals
Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, and mislead recipients by concealing harmful intent such as phishing or malware distribution.
Investigative actions
- Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged.
- Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation.
- If the message contains attachments/links, scrutinize them for any suspicious indications.
- Monitor further actions taken, such as file downloads or access to potentially malicious links.
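
The header check from the first investigative action can be scripted for triage. The following is an added example, not the product's detection logic: it parses a raw message with Python's standard `email` package and compares reply/forward indicators in the subject and body against the In-Reply-To and References headers. The function name, the prefix and body-marker patterns, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed prefix list (English plus German AW/WG); extend for your mail population.
PREFIX_RE = re.compile(r"^\s*(re|fw|fwd|aw|wg)\s*(\[\d+\])?\s*:", re.IGNORECASE)
# Assumed body markers that clients insert when quoting an earlier message.
BODY_RE = re.compile(
    r"^(-{2,}\s*(original|forwarded) message\s*-{2,}|on .{1,200} wrote:\s*$|>\s?\S)",
    re.IGNORECASE | re.MULTILINE)
MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def check_thread_claim(raw: str) -> dict:
    """Compare what the message claims (reply/forward) with its threading headers."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    claims = []
    if PREFIX_RE.match(str(msg.get("Subject", ""))):
        claims.append("subject_prefix")
    if BODY_RE.search(body):
        claims.append("quoted_body")
    # Collect well-formed message-ids from the two threading headers.
    thread_ids = []
    for name in ("In-Reply-To", "References"):
        thread_ids += MSGID_RE.findall(str(msg.get(name, "")))
    return {"claims": claims, "thread_ids": thread_ids,
            "suspicious": bool(claims) and not thread_ids}

# Constructed sample messages (not real traffic).
FAKE_REPLY = """\
From: billing@example.test
Subject: RE: Invoice 4471 overdue
Message-ID: <a1@example.test>

Following up on my earlier note.

-----Original Message-----
Please see attached.
"""
GENUINE_REPLY = """\
From: alice@example.test
Subject: Re: lunch
In-Reply-To: <b1@example.test>
References: <b0@example.test> <b1@example.test>

Sure.
> Lunch at noon?
"""
NOT_A_REPLY = "Subject: Reminder: meeting\n\nSee you at 10.\n"
```

The check only tests that threading headers are present and well formed. Whether the referenced message IDs match a message the recipient actually sent still has to be confirmed against the mailbox or mail logs.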