Check Point Harmony Email & Collaboration multiple phishing emails from external sender

This rule is part of a beta feature. To learn more, contact Support.
checkpoint-harmony-email-and-collaboration

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects when multiple phishing emails are received from an external sender within a short period, which may indicate an ongoing phishing campaign targeting users.

Strategy

This rule monitors inbound emails and raises an alert when multiple phishing emails originate from an external sender, potentially signalling a coordinated attack or a compromised sender account. Emails that are quarantined or deleted do not raise an alert.

Triage and Response

  1. Review the sender email address {{@event.entity.entity_payload.from_email}} to determine legitimacy.
  2. Quarantine or delete the detected phishing emails to prevent user interaction.
  3. Investigate if the sender is a compromised legitimate account or part of a larger phishing campaign.
  4. If confirmed malicious, begin the security incident response process.