External email with a single internal recipient hidden in BCC

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-12-08

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

External email with mailbox owner hidden in BCC as the only internal recipient.

BCC enables sending the same email to multiple hidden recipients without revealing them to each other.

Review the headers and content for patterns or anomalies.
Assess the email's context and attack techniques to determine the potential risk.
Investigate if similar patterns have occurred recently across the organization.

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

External email with no visible recipients, mailbox owner is hidden in BCC.

BCC enables sending the same email to multiple hidden recipients without revealing them to each other.

Review the headers and content for patterns or anomalies.
Assess the email's context and attack techniques to determine the potential risk.
Investigate if similar patterns have occurred recently across the organization.