Mimecast Alert: malicious URL clicked by user

This rule is part of a beta feature. To learn more, contact Support.

Set up the Mimecast integration.


Goal

To detect and alert when an email contains a malicious URL, potentially indicating a phishing attempt or other security threat.

Strategy

This rule identifies emails transiting through the organization’s email gateway that contain URLs classified as malicious under the TTP definition {{@ttpDefinition}}. These URLs may be part of phishing campaigns, malware distribution, or other malicious activities.

Triage and response

  1. Investigate the email source and content, focusing on the sender’s IP address: {{@senderIPAddress}}.
  2. Check the URL against known threat databases and analyse the email for other indicators of compromise.
  3. Follow the organization’s incident response protocol, which may include:
    • Isolating the email to prevent further spread.
    • Notifying affected users and guiding them on how to proceed.
    • Updating security filters to catch similar future attempts.
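To support steps 1 and 3, the following added example (not part of the rule or the Mimecast integration) groups malicious-URL events by sender IP so you can see which users to notify and which hosts to filter. The attribute names `senderIPAddress` and `ttpDefinition` come from the rule text; `url`, `recipient`, `scanResult` and all sample values are assumptions constructed for this sketch.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events. senderIPAddress and ttpDefinition are the
# attributes the rule text references; url, recipient and scanResult are
# assumed field names, and every value below is made up for illustration.
EVENTS = [
    {"senderIPAddress": "203.0.113.7", "ttpDefinition": "Example URL Policy",
     "recipient": "alice@example.com", "scanResult": "malicious",
     "url": "https://login.example.net/reset?id=1"},
    {"senderIPAddress": "203.0.113.7", "ttpDefinition": "Example URL Policy",
     "recipient": "bob@example.com", "scanResult": "malicious",
     "url": "https://login.example.net/reset?id=2"},
    {"senderIPAddress": "198.51.100.9", "ttpDefinition": "Example Finance Policy",
     "recipient": "carol@example.com", "scanResult": "clean",
     "url": "https://docs.example.org/q3"},
    {"senderIPAddress": "203.0.113.7", "ttpDefinition": "Example URL Policy",
     "recipient": "alice@example.com", "scanResult": "malicious",
     "url": "http://cdn.example.net/a.js"},
]


def scope_by_sender(events):
    """Group malicious-URL events by sender IP for triage scoping."""
    scope = defaultdict(
        lambda: {"recipients": set(), "hosts": set(), "definitions": set()}
    )
    for ev in events:
        if ev.get("scanResult") != "malicious":
            continue
        host = urlsplit(ev["url"]).hostname
        if host is None:  # unparsable URL: keep the raw value for review
            host = ev["url"]
        entry = scope[ev["senderIPAddress"]]
        entry["recipients"].add(ev["recipient"])
        # Defang the host so it is not clickable in tickets or chat.
        entry["hosts"].add(host.replace(".", "[.]"))
        entry["definitions"].add(ev["ttpDefinition"])
    # Sorted lists give stable output for tickets and diffs.
    return {ip: {k: sorted(v) for k, v in e.items()} for ip, e in scope.items()}


if __name__ == "__main__":
    for ip, summary in scope_by_sender(EVENTS).items():
        print(ip, summary)
```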