Check Point Harmony Email & Collaboration malware file shared by user in internal email

This rule is part of a beta feature. To learn more, contact Support.
checkpoint-harmony-email-and-collaboration

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1080-taint-shared-content

Goal

Detects when a user uploads or shares malware-infected files within Office 365 or Google Mail. This activity may indicate a compromised account, an insider threat, or an attempt to distribute malware within the organization.

Strategy

This rule monitors file sharing activities within Office 365 and Google Mail, raising an alert when a user sends a file identified as malicious internally. This ensures alerting on potential spread of malware within the organization.

Triage and Response

  1. Review the user’s account {{@event.security_event.saas_info.saas_actor_payload.email}} and analyze the flagged files.
  2. Quarantine or delete the malicious files {{@event.entity.entity_payload.file_name}} to prevent access or further distribution.
  3. Restrict the user’s ability to upload or share files temporarily if malicious activity is confirmed.
  4. If the activity appears intentional or part of a larger attack, escalate for investigation, reset credentials, and monitor for further suspicious behavior.