Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the mimecast integration.

Goal

Detect when Mimecast identifies a phishing email.

Strategy

Targeted Threat Protection - Impersonation Protect tackles the increasing threat of socially engineered “whaling” attacks. This rule can used to detect an email which contains impersonation attempts that have been flagged as external and malicious with definition as phishing.

For more details: Click here

Triage and response

1. Investigate the suspected phishing email, including sender information, email content, and any attachments.
2. Verify whether sensitive information has been compromised and assess the impact.
3. Apply appropriate remediation steps according to the company’s incident response policy, which may include:
   • Marking the email as phishing and reporting it to your security team.
   • Investgate sender: {{@senderAddress}} or blocking the sender’s email address.
   • Notifying potentially affected users and providing guidance on next steps.
   • Updating email filters and security measures to prevent similar attacks.