AURL - An email was sent from a malicious domain

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

3 Days

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

An email was sent from a domain classified by our systems as malicious.

Attacker's Goals

Perform a malicious action on the user, attempting to extract data/credentials/establish access to the network.

Investigative actions

  • Examine the sender's IP address and reputation.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

AURL - An email was sent from a malicious domain

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

An email was sent from a domain classified by our systems as malicious.

Attacker's Goals

Perform a malicious action on the user, attempting to extract data/credentials/establish access to the network.

Investigative actions

  • Examine the sender's IP address and reputation.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.