EMAIL BETA - Email suspicious Moniker link detected

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-04-07

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	3 Days
Required Data	Requires one of the following data sources: Gmail Email Log OR Office 365 Mail
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

Description

A Moniker link was detected within the email's body.
The link has a convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

Attacker's Goals

Trick the user on clicking the link, while avoiding detection.

Investigative actions

Examine the sender's IP address and reputation.
Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
If the message contains attachments/links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

EMAIL BETA - Email suspicious Moniker link, SMB and suspicious extension detected

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A Moniker link was detected within the email's body.
The link has a convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

Attacker's Goals

Trick the user on clicking the link, while avoiding detection.

Investigative actions

Examine the sender's IP address and reputation.
Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
If the message contains attachments/links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.

EMAIL BETA - Email suspicious Moniker link pointing to SMB detected

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A Moniker link was detected within the email's body.
The link has a convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

Attacker's Goals

Trick the user on clicking the link, while avoiding detection.

Investigative actions

Examine the sender's IP address and reputation.
Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
If the message contains attachments/links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.