Cisco Secure Email Threat Defense high number of threat emails received by an internal user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects a high volume of threat emails received by an internal user.

Strategy

This rule monitors email events to detect a high number of threat emails received by an internal user. Mail sent from inside the Microsoft 365 tenant and mail received from outside the tenant are both counted.
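As an added illustration (not the Cisco or Datadog rule logic), the following script applies the strategy above to constructed email events: threat-verdict messages are counted per internal recipient in a sliding window, regardless of whether the sender is inside or outside the tenant. The field names (`toAddresses`, `fromAddress`, `verdict`), the tenant domain, the verdict values, the threshold and the window are all assumptions.

```python
# Added example, not the Cisco/Datadog rule itself: sliding-window count of
# threat-verdict emails per internal recipient. Field names, domain, verdict
# values, threshold and window are assumptions, not taken from the rule page.
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}            # assumed tenant domain
THREAT_VERDICTS = {"malicious", "phishing"}   # assumed verdict values
THRESHOLD = 5                                 # placeholder alert count
WINDOW = timedelta(minutes=60)                # placeholder time window

def is_internal(address):
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS

def detect_high_threat_volume(events, threshold=THRESHOLD, window=WINDOW):
    """Return {recipient: peak count} for internal recipients who received at
    least `threshold` threat emails inside any `window`; sender origin is ignored."""
    recent = defaultdict(deque)   # recipient -> timestamps still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["verdict"].lower() not in THREAT_VERDICTS:
            continue                                  # clean mail is ignored
        ts = datetime.fromisoformat(ev["timestamp"])
        for rcpt in ev["toAddresses"]:
            if not is_internal(rcpt):
                continue                  # external recipients are out of scope
            q = recent[rcpt]
            q.append(ts)
            while ts - q[0] > window:     # drop events older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts[rcpt] = max(alerts.get(rcpt, 0), len(q))
    return alerts

def _ev(ts, sender, rcpts, verdict):
    return {"timestamp": ts, "fromAddress": sender, "toAddresses": rcpts, "verdict": verdict}

# Constructed sample events: five threats to alice within an hour from both senders; carol's two are hours apart.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "sender@external.test", ["alice@example.com"], "malicious"),
    _ev("2024-05-01T09:05:00", "colleague@example.com", ["alice@example.com", "bob@example.com"], "phishing"),
    _ev("2024-05-01T09:10:00", "sender@external.test", ["alice@example.com"], "malicious"),
    _ev("2024-05-01T09:20:00", "colleague@example.com", ["alice@example.com"], "phishing"),
    _ev("2024-05-01T09:30:00", "sender@external.test", ["alice@example.com"], "clean"),
    _ev("2024-05-01T09:40:00", "sender@external.test", ["alice@example.com", "partner@other.test"], "malicious"),
    _ev("2024-05-01T11:00:00", "sender@external.test", ["carol@example.com"], "malicious"),
    _ev("2024-05-01T13:30:00", "sender@external.test", ["carol@example.com"], "malicious"),
]
```

With the placeholder threshold of 5, only alice is flagged; carol's two threat emails fall outside a common 60-minute window and bob received one.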

Triage and response

  1. Investigate threat emails received by user {{@toAddresses}}.
  2. Notify the receiver about the threat emails received, advising them not to interact with any suspicious content and providing guidance on reporting such incidents.
  3. Conduct a detailed analysis of the threat emails to identify the source, method of delivery, and any potential payloads.
  4. If sensitive information was compromised or if the threat emails constitute a significant incident, report to relevant authorities or regulatory bodies as required.