EMAIL BETA - Email was received from an unknown sender address

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-04-07

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Mail
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Reconnaissance (TA0043) Initial Access (TA0001)
ATT&CK Technique	Phishing for Information (T1598) Phishing (T1566)
Severity	Informational

Description

An email was received from a sender for the first time.

Attacker's Goals

Trick recipients into downloading harmful payloads
Aim to gain unauthorized access to the organization's systems.

Investigative actions

Check the email address for any unusual spellings, missing letters, or unknown domains.
If the message contains attachments or links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

EMAIL BETA - Email was received from an unknown domain in the organization's systems

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An email was received from a sender for the first time.
The domain of the email sender was first seen in the organization's email system, cloud, and SaaS audit logs within the past 30 days.

Attacker's Goals

Trick recipients into downloading harmful payloads
Aim to gain unauthorized access to the organization's systems.

Investigative actions

Check the email address for any unusual spellings, missing letters, or unknown domains.
If the message contains attachments or links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.

EMAIL BETA - Email was received from an unknown domain in the organization's email system

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An email was received from a sender for the first time.
The sender's domain was first seen in the organization's email system within the past 30 days.

Attacker's Goals

Trick recipients into downloading harmful payloads
Aim to gain unauthorized access to the organization's systems.

Investigative actions

Check the email address for any unusual spellings, missing letters, or unknown domains.
If the message contains attachments or links, scrutinize them for any suspicious indications.
Monitor further actions taken, such as file downloads or access to potentially malicious links.