Unusual sender IP subnet

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

Spoofing

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.

Attacker's Goals

Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.

Investigative actions

  • Review the email's received headers, to trace its path and spot spoofing signs.
  • Examine the sender's IP address and domain reputation.
  • Closely inspect the email content for malicious links, attachments, or requests for sensitive information.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

Unusual sender IP subnet associated with infrastructure or tunneling services

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.

Attacker's Goals

Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.

Investigative actions

  • Review the email's received headers, to trace its path and spot spoofing signs.
  • Examine the sender's IP address and domain reputation.
  • Closely inspect the email content for malicious links, attachments, or requests for sensitive information.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


Unusual sender IP subnet associated with internal sender

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.

Attacker's Goals

Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.

Investigative actions

  • Review the email's received headers, to trace its path and spot spoofing signs.
  • Examine the sender's IP address and domain reputation.
  • Closely inspect the email content for malicious links, attachments, or requests for sensitive information.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.