EMAIL BETA - Potentially dangerous URL(s) in email

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-04-07

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	1 Day
Required Data	Requires:
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Initial Access (TA0001) Execution (TA0002)
ATT&CK Technique	Phishing (T1566) User Execution (T1204)
Severity	Medium

Multiple factors indicating dangerous URL(s) have been spotted in an email conversation.

Trick the user into engaging with a URL(s), aiming to extract information/establish access to the network.

Analyze the URL(s) in a secure sandbox environment to detect possible malware or phishing attempts.
Review the emails headers, sender and content for patterns or anomalies.
Assess the email's context and attack techniques to determine the potential risk.
Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
Document and escalate findings in case this is a broader phenomenon.

ATT&CK Tactic

ATT&CK Technique

Severity

High

Multiple factors indicating dangerous URL(s) have been spotted in an email conversation.

Trick the user into engaging with a URL(s), aiming to extract information/establish access to the network.

Analyze the URL(s) in a secure sandbox environment to detect possible malware or phishing attempts.
Review the emails headers, sender and content for patterns or anomalies.
Assess the email's context and attack techniques to determine the potential risk.
Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
Document and escalate findings in case this is a broader phenomenon.