Sending unusual file(s) to an external address

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-11-12
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Exfiltration
ATT&CK Tactic	Initial Access (TA0001) Exfiltration (TA0010)
ATT&CK Technique	Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
Severity	Informational

Description

Unusual files sent to an external address.

Attacker's Goals

Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services.
Extracting valuable information outside the company.

Investigative actions

Check the content of the unusual files that were sent.
Review the external recipient address and assess its reputation.
Review past emails sent from this mailbox for any suspicious activity.
Check for unusual emails sent to this recipient's address.
Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.