Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the mimecast integration.

Goal

Detect an email which contains a malicious attachment.

Strategy

Targeted Threat Protection - Attachment Protection is an advanced service that protects customers from the growing risk of spear phishing and other targeted attacks using email attachments. This rule can be used to detect and strip attachments from inbound messages that could potentially contain malicious code. For example, PDFs and Microsoft Office files.

For more details: Click here

Triage and response

1. Inspect the email for sender information {{@senderAddress}} and review the action taken by Mimecast {{@actionTriggered}}.
2. If the attachment was not blocked or removed, quarantine the email and conduct a thorough analysis of the attachment.
3. Execute the company’s incident response protocol, which may include:
   • Notifying the intended recipient and warning against opening the attachment.
   • Scanning affected systems for malware.
   • Updating security filters to detect and block similar threats in the future.