Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
Employee Impersonation, Spear Phishing |
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
An email was received from an address using an internal domain, but the sender is not found in Active Directory. This may indicate an impersonation attempt or domain spoofing.
Attacker's Goals
The attacker aims to impersonate an internal user to gain trust, bypass security controls, and potentially extract sensitive information or distribute malicious content through internal-looking emails.
Investigative actions
- Verify if the sender address exists in Active Directory.
- Check historical email activity from the spoofed address.
- Review email headers for spoofing indicators (SPF, DKIM, DMARC failures).
- Identify if recipients engaged with the email (clicked links, downloaded attachments).
- Correlate with other alerts involving the same sender or domain.