Mimecast Alert: malicious URL clicked by user

This rule is part of a beta feature. To learn more, contact Support.

Set up the mimecast integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

To detect and alert when an email contains a malicious URL, potentially indicating a phishing attempt or other security threat.

Strategy

This rule identifies emails transiting through the organization’s email gateway that contain URLs classified as malicious under a ttp definition {{@ttpDefinition}}. These URLs may be part of phishing campaigns, malware distribution, or other malicious activities.

Triage and response

  1. Investigate the email source and content, focusing on the sender’s IP address: {{@senderIPAddress}}.
  2. Check the URL against known threat databases and analyse the email for other indicators of compromise.
  3. Follow the organization’s incident response protocol, which may include:
    • Isolating the email to prevent further spread.
    • Notifying affected users and guiding them on how to proceed.
    • Updating security filters to catch similar future attempts.