Suspicious activity indicating a potential abuse of a cloud-native email service

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

3 Hours

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Low

Description

A cloud identity performed a sequence of activities that might indicate an intent to abuse the cloud-native email service to send phishing or spam. This base alert fires on a suspicious sequence that does not reach the full discovery, weaponization and sending chain covered by the higher-severity variations below.

Attacker's Goals

Adversaries may use cloud-based email services to send phishing or spread malware, abusing the organization's legitimate, trusted email domains so that the messages look authentic and inherit the domain's sending reputation.

Investigative actions

  • Check whether the identity intended to perform these actions, or look for signs that the account is compromised (e.g. logins from unfamiliar locations or IP addresses, activity outside the identity's usual hours, or API calls it has never made before).
  • Review the email-service operations that make up the alert and confirm they match a legitimate business need for this identity.

Variations

Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery, weaponization, and impact

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

High

Description

A cloud identity performed a sequence of activities that might indicate an intent to abuse the cloud-native email service to send phishing or spam.
The observed behavior included all three stages of the chain: discovery operations, attack preparation (weaponization), and actual email sending. Because messages were already sent, this variation carries the highest severity and should be treated as a possible in-progress campaign.

Attacker's Goals

Adversaries may use cloud-based email services to send phishing or spread malware, abusing the organization's legitimate, trusted email domains so that the messages look authentic and inherit the domain's sending reputation.

Investigative actions

  • Check whether the identity intended to perform these actions, or look for signs that the account is compromised (e.g. logins from unfamiliar locations or IP addresses, activity outside the identity's usual hours, or API calls it has never made before).
  • Review the discovery calls, any newly created sending identities or templates, and the messages that were sent (recipients, volume, and content) and confirm they match a legitimate business need for this identity.


Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery and weaponization

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Medium

Description

A cloud identity performed a sequence of activities that might indicate an intent to abuse the cloud-native email service to send phishing or spam.
The observed behavior included discovery operations and attack weaponization, but no email sending yet. This variation points to an identity that has surveyed and staged the email service, so investigating it promptly may stop a campaign before any messages leave the domain.

Attacker's Goals

Adversaries may use cloud-based email services to send phishing or spread malware, abusing the organization's legitimate, trusted email domains so that the messages look authentic and inherit the domain's sending reputation.

Investigative actions

  • Check whether the identity intended to perform these actions, or look for signs that the account is compromised (e.g. logins from unfamiliar locations or IP addresses, activity outside the identity's usual hours, or API calls it has never made before).
  • Review the discovery calls and any newly created sending identities or templates, and confirm they match a legitimate business need for this identity.
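The three variants on this page (base, "discovery and weaponization", and "discovery, weaponization, and impact") differ only in which stages of the chain an identity reached inside one Test Period. The following is an added example, not the Cortex XSIAM detector's own logic: a toy correlation over constructed Amazon SES CloudTrail records that tags each API call as discovery, weaponization or impact, then maps the stage set reached within a 3-hour window to the page's variant and severity, with one alert per identity per 1-day deduplication period. The SES eventNames are real CloudTrail event names, but assigning them to stages, scoring any other two-stage mix as the Low base alert, and the sample records themselves are this example's assumptions; an Azure Audit Log feed would need its own event-to-stage mapping.

```python
"""Toy staged-activity correlation for cloud-native email abuse (added example,
not the Cortex XSIAM detector). Constructed Amazon SES CloudTrail records are
tagged discovery / weaponization / impact and mapped to this page's variants."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption of this example: which SES CloudTrail eventNames belong to which
# stage of the discovery -> weaponization -> impact chain the page describes.
STAGE_BY_EVENT = {
    "GetSendQuota": "discovery",             # how much can this account send?
    "ListIdentities": "discovery",           # which senders are already verified?
    "ListTemplates": "discovery",
    "VerifyEmailIdentity": "weaponization",  # stage a new sender address
    "CreateTemplate": "weaponization",       # stage the message body
    "SendEmail": "impact",
    "SendRawEmail": "impact",
    "SendBulkTemplatedEmail": "impact",
}
TEST_PERIOD = timedelta(hours=3)   # page: Test Period
DEDUP_PERIOD = timedelta(days=1)   # page: Deduplication Period
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def classify(stages):
    """Stages seen in one window -> (variant, severity). High/Medium follow the page;
    any other two-stage mix as Low and a single stage as no alert is an assumption."""
    if {"discovery", "weaponization", "impact"} <= stages:
        return "discovery, weaponization, and impact", "High"
    if {"discovery", "weaponization"} <= stages:
        return "discovery and weaponization", "Medium"
    if len(stages) >= 2:
        return "base", "Low"
    return None

def parse_events(lines):
    """Newline-delimited CloudTrail JSON -> sorted (time, identity, stage, eventName)."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue                                   # not the email service
        stage = STAGE_BY_EVENT.get(rec["eventName"])
        if stage is None:
            continue                                   # SES call we do not score
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["userIdentity"]["arn"], stage, rec["eventName"]))
    return sorted(events)

def correlate(lines):
    """At most one alert per identity per DEDUP_PERIOD, keeping the most severe
    verdict reached by any TEST_PERIOD window that starts inside that period."""
    by_identity = defaultdict(list)
    for ev in parse_events(lines):
        by_identity[ev[1]].append(ev)
    alerts = []
    for identity, evs in by_identity.items():
        i = 0
        while i < len(evs):
            anchor, best, j = evs[i][0], None, i
            while j < len(evs) and evs[j][0] - anchor < DEDUP_PERIOD:
                start = evs[j][0]
                window = [e for e in evs[j:] if e[0] - start <= TEST_PERIOD]
                verdict = classify({e[2] for e in window})
                if verdict and (best is None or
                                SEVERITY_RANK[verdict[1]] > SEVERITY_RANK[best["severity"]]):
                    best = {"identity": identity, "window_start": start.isoformat(),
                            "variant": verdict[0], "severity": verdict[1],
                            "events": [e[3] for e in window]}
                j += 1
            if best:
                alerts.append(best)
            i = j
    return alerts

# Constructed sample records (not real telemetry), trimmed to the fields used.
def _rec(t, arn, name, source="ses.amazonaws.com"):
    return json.dumps({"eventTime": t, "eventSource": source, "eventName": name,
                       "userIdentity": {"arn": arn}})

COMPROMISED = "arn:aws:iam::123456789012:user/dev-mailer"
MARKETING = "arn:aws:iam::123456789012:user/marketing-ops"
NOTIFIER = "arn:aws:iam::123456789012:role/app-notifier"
SAMPLE_LOG = [
    _rec("2026-01-04T08:00:00Z", COMPROMISED, "GetSendQuota"),
    _rec("2026-01-04T08:02:00Z", COMPROMISED, "ListIdentities"),
    _rec("2026-01-04T08:10:00Z", COMPROMISED, "VerifyEmailIdentity"),
    _rec("2026-01-04T08:15:00Z", COMPROMISED, "CreateTemplate"),
    _rec("2026-01-04T08:40:00Z", COMPROMISED, "SendBulkTemplatedEmail"),
    _rec("2026-01-04T08:41:00Z", COMPROMISED, "SendBulkTemplatedEmail"),
    _rec("2026-01-04T09:00:00Z", MARKETING, "ListTemplates"),
    _rec("2026-01-04T09:05:00Z", MARKETING, "CreateTemplate"),
    _rec("2026-01-04T14:00:00Z", MARKETING, "SendRawEmail"),  # 5 h later: outside the window
    _rec("2026-01-04T10:00:00Z", NOTIFIER, "SendEmail"),      # routine sending only
    _rec("2026-01-04T10:01:00Z", NOTIFIER, "ListUsers", source="iam.amazonaws.com"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"], a["identity"], a["variant"], a["events"])
```

Run as a script, it prints a High alert for `dev-mailer` (all three stages inside 40 minutes) and a Medium alert for `marketing-ops` (template discovery and creation, with the send five hours later falling outside the 3-hour Test Period), and nothing for `app-notifier`, whose sending alone is a single stage. The point the example makes for triage is that the variant reflects how far along the chain the identity got within the window, so an identity that only sends, however much, does not raise this alert by itself.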