Cisco Secure Email Threat Defense high number of threat emails sent by an internal user

This rule is part of a beta feature. To learn more, contact Support.

Goal:

Detects when a high volume of threat emails is sent by an internal user.

Strategy:

This rule monitors email to detect multiple threat emails sent by a single internal user. This covers both mail sent within your Microsoft 365 tenant and mail sent to recipients outside of it.
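As an added example (not the rule's own implementation and not Cisco's or Datadog's log schema), the following Python sketches the detection this strategy describes: it groups threat-verdict emails by internal sender and flags any sender whose count reaches a threshold inside a sliding time window. The field names, verdict values, threshold and window length are assumptions; only `@fromAddress` comes from the rule itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Verdict values treated as "threat"; an assumption for this example.
THREAT_VERDICTS = {"malicious", "phishing"}

def ev(ts, sender, internal, verdict):
    """Build one constructed event; field names are assumptions, not a real schema."""
    return {"timestamp": ts, "fromAddress": sender, "senderInternal": internal, "verdict": verdict}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # alice: five threat mails in eight minutes -> should fire
    *[ev(f"2024-05-01T09:0{m}:00Z", "alice@example.com", True, "malicious") for m in (0, 2, 4, 6, 8)],
    # bob: two threat mails plus one clean mail -> below the default threshold
    ev("2024-05-01T09:00:00Z", "bob@example.com", True, "malicious"),
    ev("2024-05-01T09:01:00Z", "bob@example.com", True, "phishing"),
    ev("2024-05-01T09:02:00Z", "bob@example.com", True, "clean"),
    # carol: external sender with many threats -> out of scope for this rule
    *[ev(f"2024-05-01T09:0{m}:00Z", "carol@external.example", False, "malicious") for m in range(6)],
    # dave: five threat mails spread over two hours -> never five in one window
    *[ev(f"2024-05-01T{h:02d}:{m:02d}:00Z", "dave@example.com", True, "malicious")
      for h, m in ((9, 0), (9, 30), (10, 0), (10, 30), (11, 0))],
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_high_volume_threat_senders(events, threshold=5, window=timedelta(minutes=15)):
    """Return {sender: peak_count} for internal senders whose threat emails reach
    `threshold` within any sliding window of length `window`."""
    by_sender = defaultdict(list)
    for e in events:
        if e["senderInternal"] and e["verdict"] in THREAT_VERDICTS:
            by_sender[e["fromAddress"]].append(parse_ts(e["timestamp"]))
    hits = {}
    for sender, times in by_sender.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most `window` of time.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[sender] = peak
    return hits
```

Running `find_high_volume_threat_senders(SAMPLE_EVENTS)` on the constructed data flags only alice; lowering `threshold` to 2 also flags bob, while carol stays excluded as an external sender.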

Triage & Response:

  1. Investigate suspicious emails sent from the user {{@fromAddress}}.
  2. Identify the internal user(s) responsible for sending the threat emails. Determine if the emails were intentional or due to compromised credentials.
  3. If necessary, disable the internal user's email account to prevent further threat emails from being sent.
  4. If possible, notify recipients who received the threat emails, advising them not to interact with any suspicious content and providing guidance on what to do if they have already done so.
  5. Take the required steps in accordance with company policies.