Forcepoint Security Service Edge high volume of emails from a sender

This rule is part of a beta feature. To learn more, contact Support.
forcepoint-security-service-edge

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

Set up the forcepoint-security-service-edge integration.

Goal

Identify and respond to incidents where a high volume of emails are sent from a single sender, which may indicate spam activity, compromised accounts, or policy violations.

Strategy

Monitor Forcepoint SSE logs for high email volumes from individual senders.

Triage and Response

  1. Review the log details to identify the sender - {{@emailfrom}} responsible for the high email volume.
  2. Confirm whether the sender is an internal user, an authorized external contact, or an unknown entity and also check for any recent changes to the sender’s account, such as password resets or suspicious login locations.
  3. Analyze the content and recipients of the emails to determine if they align with normal business activity.
  4. Cross-check the sender’s recent activity logs for other anomalies, such as unusual login times or IP addresses and determine if the activity was intentional (e.g., a legitimate bulk email campaign) or accidental (e.g., a misconfiguration).
  5. If the sender is an internal user and the activity is suspicious, disable the account temporarily and strengthen authentication measures (e.g., multi-factor authentication) for user accounts.