Check Point Harmony Email & Collaboration malware attachments in email received by user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when emails containing malware attachments are received from an external sender, which may indicate a malware distribution campaign or a compromised sender attempting to spread malicious payloads.

Strategy

This rule monitors inbound emails and raises an alert when emails with malware attachments originate from an external sender, suggesting a targeted attack or widespread malware distribution.
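The following is an added example, not Datadog's or Check Point's own code, that reimplements the strategy above over constructed Harmony Email & Collaboration-style events: inbound direction, external sender, and at least one attachment with a malware verdict. Only the field path entity.entity_payload.from_email comes from this page; the direction, attachments, name and verdict fields and the INTERNAL_DOMAINS set are assumptions.

```python
from typing import Iterable

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

def is_external_sender(from_email: str) -> bool:
    """External means the sender domain is not one of our own domains."""
    domain = from_email.rsplit("@", 1)[-1].lower() if "@" in from_email else ""
    return domain not in INTERNAL_DOMAINS

def malware_attachments(payload: dict) -> list[str]:
    """Names of attachments the gateway flagged as malware (field names assumed)."""
    return [a["name"] for a in payload.get("attachments", []) if a.get("verdict") == "malware"]

def matches_rule(event: dict) -> bool:
    """Inbound mail, external sender, at least one malware attachment."""
    payload = event.get("entity", {}).get("entity_payload", {})
    if payload.get("direction") != "inbound":  # assumed field
        return False
    if not is_external_sender(payload.get("from_email", "")):
        return False
    return bool(malware_attachments(payload))

def evaluate(events: Iterable[dict]) -> list[dict]:
    """One alert per matching event, carrying what triage step 1 asks the analyst to review."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            payload = ev["entity"]["entity_payload"]
            alerts.append({"from_email": payload["from_email"],
                           "malware_attachments": malware_attachments(payload)})
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"entity": {"entity_payload": {"direction": "inbound", "from_email": "partner@vendor.test",
        "attachments": [{"name": "invoice.zip", "verdict": "malware"}]}}},  # should alert
    {"entity": {"entity_payload": {"direction": "inbound", "from_email": "alice@example.com",
        "attachments": [{"name": "report.pdf", "verdict": "malware"}]}}},  # internal sender
    {"entity": {"entity_payload": {"direction": "outbound", "from_email": "x@other.test",
        "attachments": [{"name": "a.docx", "verdict": "malware"}]}}},  # not inbound
    {"entity": {"entity_payload": {"direction": "inbound", "from_email": "bob@vendor.test",
        "attachments": [{"name": "clean.txt", "verdict": "clean"}]}}},  # no malware verdict
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```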

Triage and Response

  1. Review the sender email address {{@event.entity.entity_payload.from_email}} and analyze the malware attachments.
  2. Quarantine or delete the detected emails to prevent users from opening malicious attachments.
  3. Notify affected users and begin a security incident response process to investigate whether anyone interacted with the attachment and any related endpoint activity.