Email contains URL delivering high-risk file type

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-12-08

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Malicious URLs
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

To bypass attachment-based blocking by delivering malware or exploit payloads via URLs pointing to file types commonly blocked by email vendors.

Review the URLs and determine if they host executable or script-based content.
Check threat intelligence sources for reputation or known associations with malware.
Investigate whether any users clicked the URL or downloaded the file.
Analyze the file content using sandbox or static analysis tools.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

To bypass attachment-based blocking by delivering malware or exploit payloads via URLs pointing to file types commonly blocked by email vendors.

Review the URLs and determine if they host executable or script-based content.
Check threat intelligence sources for reputation or known associations with malware.
Investigate whether any users clicked the URL or downloaded the file.
Analyze the file content using sandbox or static analysis tools.