Cisco Secure Email Threat Defense high number of threat emails received by an internal user

This rule is part of a beta feature. To learn more, contact Support.
cisco-secure-email-threat-defense

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects a high volume of threat emails received by an internal user.

Strategy

This rule monitors emails to detect a high number of threat emails received by an internal user. This includes mail received internally or mail received from outside the Microsoft 365 tenant.

Triage and response

  1. Investigate threat emails received by user {{@toAddresses}}.
  2. Notify the receiver about the threat emails received, advising them not to interact with any suspicious content and providing guidance on reporting such incidents.
  3. Conduct a detailed analysis of the threat emails to identify the source, method of delivery, and any potential payloads.
  4. If sensitive information was compromised or if the threat emails constitute a significant incident, report to relevant authorities or regulatory bodies as required.