Check Point Harmony Email & Collaboration malware file shared by user in internal email
Goal
Detects when a user uploads or shares malware-infected files within Office 365 or Google Mail. This activity may indicate a compromised account, an insider threat, or an attempt to distribute malware within the organization.
Strategy
This rule monitors file sharing activity within Office 365 and Google Mail and raises an alert when a user sends a file identified as malicious in an internal email. This surfaces the potential spread of malware within the organization.
Triage and Response
- Review the user’s account `{{@event.security_event.saas_info.saas_actor_payload.email}}` and analyze the flagged files.
- Quarantine or delete the malicious files `{{@event.entity.entity_payload.file_name}}` to prevent access or further distribution.
- Restrict the user’s ability to upload or share files temporarily if malicious activity is confirmed.
- If the activity appears intentional or part of a larger attack, escalate for investigation, reset credentials, and monitor for further suspicious behavior.