Outbound email includes an external BCC recipient observed for the first time

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-12-08

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Exfiltration
ATT&CK Tactic	Execution (TA0002) Credential Access (TA0006)
ATT&CK Technique	User Execution (T1204) Brute Force: Password Cracking (T1110.002)
Severity	Informational

Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.

Review headers and content for anomalies or potential exposure of sensitive data.
Assess the email's context and attack techniques to determine the potential risk.
Investigate if similar patterns have occurred recently across the organization.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.

Review headers and content for anomalies or potential exposure of sensitive data.
Assess the email's context and attack techniques to determine the potential risk.
Investigate if similar patterns have occurred recently across the organization.