Quarantined email released to recipients

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-06-15
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour 30 Minutes

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Informational

Description

This message was previously quarantined by the vendor's mail filter and has now been released and delivered to the intended recipients.

Attacker's Goals

Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.

Investigative actions

  • Examine email headers to trace origins and check for signs of spoofing.
  • Analyze the email content for spam indicators like suspicious links and aggressive marketing language.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

Repeated quarantine releases to mailbox from previously quarantined sender

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

This message was previously quarantined by the vendor's mail filter and later released and delivered to the intended recipients. In addition, the receiving mailbox has received multiple quarantined messages, and the sender has been quarantined several times, over the past 30 days.

Attacker's Goals

Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.

Investigative actions

  • Examine email headers to trace origins and check for signs of spoofing.
  • Analyze the email content for spam indicators like suspicious links and aggressive marketing language.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


Repeated quarantine releases from previously quarantined sender

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

This message was previously quarantined by the vendor's mail filter and later released and delivered to the intended recipients, and the sender has been quarantined multiple times over the past 30 days.

Attacker's Goals

Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.

Investigative actions

  • Examine email headers to trace origins and check for signs of spoofing.
  • Analyze the email content for spam indicators like suspicious links and aggressive marketing language.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


Repeated quarantine-released emails received by mailbox

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

This mailbox has repeatedly received messages over the past 30 days that were quarantined by the vendor's mail filter and later released and delivered to the recipient.

Attacker's Goals

Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.

Investigative actions

  • Examine email headers to trace origins and check for signs of spoofing.
  • Analyze the email content for spam indicators like suspicious links and aggressive marketing language.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.
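The base alert and its three variations differ only in how quarantine and release activity for the same sender and mailbox is counted over the preceding 30 days. The following Python sketch is an added example, not Cortex XDR code or Palo Alto Networks detection logic: it replays constructed Microsoft 365-style quarantine events and maps each release to the alert name and severity listed above. The event shape, the 30-day lookback, and the thresholds of 2 (the page only says "multiple" and "several") are assumptions made for this example; the real analytics module's features and thresholds are not documented on this page.

```python
"""Re-implementation of the quarantine-release alert variations over sample events.

Added example (not Cortex XDR code). Event format, lookback and thresholds
are assumptions; adjust them to your own tenant's audit-log schema.
"""
from datetime import datetime, timedelta

# Lookback matching the "past 30 days" wording on the page (assumption: inclusive window).
LOOKBACK = timedelta(days=30)
# "multiple" / "several" are not quantified on the page; 2 is an assumed threshold.
SENDER_THRESHOLD = 2
MAILBOX_THRESHOLD = 2

ALERT_BASE = ("Quarantined email released to recipients", "Informational")
ALERT_SENDER_AND_MAILBOX = ("Repeated quarantine releases to mailbox from previously quarantined sender", "Low")
ALERT_SENDER = ("Repeated quarantine releases from previously quarantined sender", "Low")
ALERT_MAILBOX = ("Repeated quarantine-released emails received by mailbox", "Low")

# Constructed sample events (not real data). "quarantined" means the vendor
# filter held the message; "released" means it was released to the mailbox.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T09:00:00", "action": "quarantined", "sender": "promo@bulk.example", "recipient": "alice@corp.example"},
    {"ts": "2026-05-20T10:00:00", "action": "released",    "sender": "promo@bulk.example", "recipient": "alice@corp.example"},
    {"ts": "2026-05-28T09:00:00", "action": "quarantined", "sender": "promo@bulk.example", "recipient": "bob@corp.example"},
    {"ts": "2026-06-01T09:00:00", "action": "quarantined", "sender": "promo@bulk.example", "recipient": "alice@corp.example"},
    {"ts": "2026-06-01T11:00:00", "action": "released",    "sender": "promo@bulk.example", "recipient": "alice@corp.example"},
    {"ts": "2026-06-10T09:00:00", "action": "quarantined", "sender": "news@other.example", "recipient": "carol@corp.example"},
    {"ts": "2026-06-10T09:30:00", "action": "released",    "sender": "news@other.example", "recipient": "carol@corp.example"},
    {"ts": "2026-06-12T09:00:00", "action": "quarantined", "sender": "promo@bulk.example", "recipient": "dave@corp.example"},
    {"ts": "2026-06-12T09:30:00", "action": "released",    "sender": "promo@bulk.example", "recipient": "dave@corp.example"},
    {"ts": "2026-06-14T09:00:00", "action": "quarantined", "sender": "shop@third.example", "recipient": "carol@corp.example"},
    {"ts": "2026-06-14T09:30:00", "action": "released",    "sender": "shop@third.example", "recipient": "carol@corp.example"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def prior_counts(events, release):
    """Count quarantine activity in the lookback window ending at the release.

    Returns (sender_quarantines, mailbox_quarantines, mailbox_releases):
      sender_quarantines  - quarantines of this sender, to any recipient
      mailbox_quarantines - quarantined messages addressed to this mailbox
      mailbox_releases    - releases into this mailbox, including this one
    Events after the release timestamp are ignored so later data cannot leak in.
    """
    end = _ts(release)
    start = end - LOOKBACK
    sender_q = mailbox_q = mailbox_r = 0
    for e in events:
        t = _ts(e)
        if not (start <= t <= end):
            continue
        if e["action"] == "quarantined":
            if e["sender"] == release["sender"]:
                sender_q += 1
            if e["recipient"] == release["recipient"]:
                mailbox_q += 1
        elif e["action"] == "released" and e["recipient"] == release["recipient"]:
            mailbox_r += 1
    return sender_q, mailbox_q, mailbox_r


def classify_release(events, release):
    """Map one release event to (alert name, severity) per the page's descriptions."""
    if release["action"] != "released":
        raise ValueError("only release events are classified")
    sender_q, mailbox_q, mailbox_r = prior_counts(events, release)
    # Most specific variation first: both the sender and the mailbox have history.
    if sender_q >= SENDER_THRESHOLD and mailbox_q >= MAILBOX_THRESHOLD:
        return ALERT_SENDER_AND_MAILBOX
    if sender_q >= SENDER_THRESHOLD:
        return ALERT_SENDER
    if mailbox_r >= MAILBOX_THRESHOLD:
        return ALERT_MAILBOX
    return ALERT_BASE


def classify_all(events):
    """Classify every release event; returns a list of (ts, sender, recipient, alert, severity)."""
    out = []
    for e in events:
        if e["action"] == "released":
            alert, severity = classify_release(events, e)
            out.append((e["ts"], e["sender"], e["recipient"], alert, severity))
    return out


if __name__ == "__main__":
    for row in classify_all(SAMPLE_EVENTS):
        print(" | ".join(row))
```

The ordering in `classify_release` matters: a release that satisfies both the sender and the mailbox conditions should raise the combined variation rather than two separate Low alerts, which is also the reason a single deduplication window is listed above.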