EMAIL BETA - Email Punycode characters in URL

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-04-07
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	3 Days
Required Data	Requires: Office 365 Mail
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005) Execution (TA0002)
ATT&CK Technique	Masquerading (T1036) User Execution (T1204)
Severity	Informational

Description

Punycode character(s) detected within the email's URL.

Attacker's Goals

Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.

Investigative actions

Examine the sender's IP address and reputation.
Check the email address and content for any unusual spellings, missing letters, or unknown domains.
If the message contains attachments/links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.