SAAS - Email was reported by the user or administrator as a phishing attempt

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Email Collection (T1114)

Severity

Informational

Description

An email reported by the user or administrator as a phishing attempt has been detected.

Attacker's Goals

Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.

Investigative actions

  • Analyze the sender's IP address and domain reputation.
  • Check if the sender has appeared in other logs or alerts across the organization.
  • Review any URLs or attachments for signs of phishing, malware, or command-and-control communication.
  • Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise.
  • Determine whether similar emails were sent to other users to identify a broader campaign.

Variations

SAAS - Phishing report with suspicious verdict on an internal user's email

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Email Collection (T1114)

Severity

Low

Description

An email sent by an internal user was reported by a recipient or administrator as a phishing attempt. This may indicate a compromised account.

Attacker's Goals

Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.

Investigative actions

  • Analyze the sender's IP address and domain reputation.
  • Check if the sender has appeared in other logs or alerts across the organization.
  • Review any URLs or attachments for signs of phishing, malware, or command-and-control communication.
  • Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise.
  • Determine whether similar emails were sent to other users to identify a broader campaign.


SAAS - Phishing report with with suspicious verdict

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Email Collection (T1114)

Severity

Low

Description

An email reported by the user or administrator as a phishing attempt, and carrying a Malware/Block verdict, has been detected.

Attacker's Goals

Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.

Investigative actions

  • Analyze the sender's IP address and domain reputation.
  • Check if the sender has appeared in other logs or alerts across the organization.
  • Review any URLs or attachments for signs of phishing, malware, or command-and-control communication.
  • Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise.
  • Determine whether similar emails were sent to other users to identify a broader campaign.