First-seen email from mailbox owner to external recipient's address in the last 30 days

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

Exfiltration, Account Takeover

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender initiated first-time communication with an external recipient in the last 30 days.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.

Variations

First-time email to the disposable domain

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Low

Description

Internal sender emailed external address(es) with a disposable domain.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time email from organization's domain with the external recipient's domain in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed an external address belonging to a domain seen for the first time from the organization's domain in the last 30 days.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time email from organization with the external recipient in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed external address(es) that were seen for the first time by the whole organization in the last 30 days.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time email from organization's domain to the external recipient in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed external address(es) that were seen for the first time from the organization's domain in the last 30 days.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time email from mailbox owner to the external recipient's domain in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed external address(es) whose domain was seen for the first time from that sender in the last 30 days.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed, for the first time in the last 30 days, multiple external recipients with no internal recipients included.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.


First-time email from mailbox owner to a single external recipient in the last 30 days

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

Internal sender emailed, for the first time in the last 30 days, a single external recipient.

Attacker's Goals

  • Extracting valuable information outside the company.

Investigative actions

  • Check the content of the emails that were sent.
  • Review the external recipient address and assess its reputation.
  • Review past emails sent from this mailbox for any suspicious activity.
  • Check for unusual emails sent to this recipient's address.
  • Monitor further actions taken, such as access to private keys, API tokens and sensitive data.
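As an added example (not Palo Alto Networks' code and not how Cortex XSIAM implements the detector), the following Python model applies the first-seen baselines behind the main alert and its variations above (per mailbox or organization-wide, by recipient address or domain, a 30-day training window and a 1-day deduplication period) to constructed Microsoft 365 message records. The organization and disposable-domain lists, the sample addresses and the short alert names are assumptions.

```python
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}             # assumption: the monitored tenant's domains
DISPOSABLE = {"mailinator.example"}       # assumption: placeholder disposable-domain list
TRAINING, DEDUP = timedelta(days=30), timedelta(days=1)
def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def detect(records):
    # records: (timestamp, sender, [recipients]); returns (ts, alert, sender, key) tuples
    last_seen, last_alert, alerts = {}, {}, []
    for ts, sender, rcpts in sorted(records):
        if domain(sender) not in ORG_DOMAINS:
            continue                                  # only outbound mail from internal mailboxes
        ext = [r.lower() for r in rcpts if domain(r) not in ORG_DOMAINS]
        if not ext:
            continue                                  # internal-only mail never fires
        has_internal = len(ext) < len(rcpts)
        for r in ext:
            # the four baselines the variations use: per mailbox or org-wide, by address or domain
            for name, scope, key in (("mailbox->address", sender, r),
                                     ("mailbox->domain", sender, domain(r)),
                                     ("org->address", "*", r),
                                     ("org->domain", "*", domain(r))):
                prev = last_seen.get((scope, key))
                last_seen[(scope, key)] = ts
                if prev is not None and ts - prev <= TRAINING:
                    continue                          # pair was seen inside the training window
                names = [name]
                if name == "mailbox->address":        # recipient-level variations
                    if domain(r) in DISPOSABLE:
                        names.append("disposable-domain")
                    if len(ext) == 1:
                        names.append("single-external")
                    elif not has_internal:
                        names.append("multi-external-no-internal")
                for n in names:
                    k = (n, sender, key)
                    if k in last_alert and ts - last_alert[k] < DEDUP:
                        continue                      # suppressed by the deduplication period
                    last_alert[k] = ts
                    alerts.append((ts, n, sender, key))
    return alerts

T0 = datetime(2026, 1, 1, 9, 0)
RECORDS = [  # constructed sample records, not real tenant data
    (T0 + timedelta(hours=1), "alice@example.com", ["vendor@partner.test"]),
    (T0 + timedelta(hours=2), "alice@example.com", ["vendor@partner.test"]),
    (T0 + timedelta(days=2), "alice@example.com", ["drop@mailinator.example"]),
    (T0 + timedelta(days=3), "carol@example.com", ["a@partner.test", "b@other.test"]),
    (T0 + timedelta(days=40), "alice@example.com", ["vendor@partner.test"]),
]
```

The second record is silent because the pair was seen an hour earlier, while the last record fires again because the previous contact falls outside the 30-day training window.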