Synopsis
Description
The email was sent from an external sender and contains minimal content.
Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.
Attacker's Goals
Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
Investigative actions
- Check the content of the body and whether it has any relevance to the recipients.
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Verify the sender's address to confirm its legitimacy.
- Check for previous emails from the sender's address.
- Verify whether the sender's IP address has appeared in different log sources before.
Variations
Blank email with an inline attachment from an external sender
Synopsis
Description
This email was sent from an external sender and contains no readable message content, but includes an inline attachment.
Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts.
Attacker's Goals
Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
Investigative actions
- Check the content of the body and whether it has any relevance to the recipients.
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Verify the sender's address to confirm its legitimacy.
- Check for previous emails from the sender's address.
- Verify whether the sender's IP address has appeared in different log sources before.
Blank email with an attachment from an external sender
Synopsis
Description
The email was sent from an external sender and contains no message content while including an attachment.
Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information.
Attacker's Goals
Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
Investigative actions
- Check the content of the body and whether it has any relevance to the recipients.
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Verify the sender's address to confirm its legitimacy.
- Check for previous emails from the sender's address.
- Verify whether the sender's IP address has appeared in different log sources before.
Empty email from an external sender
Synopsis
Description
The email was sent from an external sender and contains no subject or message content.
While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity.
Attacker's Goals
Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
Investigative actions
- Check the content of the body and whether it has any relevance to the recipients.
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Verify the sender's address to confirm its legitimacy.
- Check for previous emails from the sender's address.
- Verify whether the sender's IP address has appeared in different log sources before.
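
The conditions behind the base alert and its three variations can be reproduced when triaging a raw message. The sketch below is an added example, not the product's own detection logic. Assumptions: the `INTERNAL_DOMAINS` set, the `MINIMAL_BODY_CHARS` cutoff, the label strings, the order in which the variations are tested, and the `sample` helper that builds constructed test messages.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains
MINIMAL_BODY_CHARS = 20              # assumption: cutoff for "minimal content"

def classify(raw):
    """Return a label for the matching variation on this page, or None."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not domain or domain in INTERNAL_DOMAINS:
        return None                  # only external senders are in scope
    body, inline, attached = "", False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        disp = part.get_content_disposition()  # "inline", "attachment" or None
        if disp == "attachment":
            attached = True
        elif part.get_content_maintype() != "text":
            inline = inline or disp == "inline"
        else:
            text = part.get_content()
            if part.get_content_subtype() == "html":
                text = re.sub(r"<[^>]+>", "", text)  # drop markup, keep visible text
            body += text
    body = "".join(body.split())     # whitespace does not count as content
    subject = (msg.get("Subject") or "").strip()
    if not body and inline:
        return "blank_with_inline_attachment"
    if not body and attached:
        return "blank_with_attachment"
    if not body and not subject:
        return "empty"
    return "minimal_content" if len(body) <= MINIMAL_BODY_CHARS else None

def sample(sender, subject, body, disposition=None):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "user@corp.example"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    if disposition:
        m.add_attachment(b"\x89PNG", maintype="image", subtype="png", disposition=disposition)
    return m.as_string()

if __name__ == "__main__":
    for args in [("a@ext.example", "", "\n"), ("a@ext.example", "hi", "\n", "inline"),
                 ("a@ext.example", "hi", "\n", "attachment"), ("b@corp.example", "", "\n")]:
        print(args[0], "->", classify(sample(*args)))
```

A match only narrows the triage; the investigative actions above (sender address spelling, prior mail from the sender, sender IP history) still decide whether the message is benign.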