Cisco Secure Email Threat Defense high number of threat emails sent by an internal user

This rule is part of a beta feature. To learn more, contact Support.

Goal:

Detects when a high volume of threat emails is sent by a single internal user.

Strategy:

This rule monitors Cisco Secure Email Threat Defense email logs to detect multiple messages with a threat verdict sent by the same internal user. Both mail sent within your Microsoft 365 tenant and mail sent to recipients outside your Microsoft 365 tenant are counted.
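The following is an added example of the counting logic the strategy describes, not Datadog's rule definition or Cisco's code. It keeps a sliding window of threat-verdict messages per internal sender and flags a sender once the count in the window reaches a threshold, counting internal and external recipients alike. The event field names (`sender`, `recipients`, `verdict`, `timestamp`), the verdict labels, the tenant domain, the threshold and the window length are all assumptions, and the events are constructed for illustration.

```python
"""Sliding-window detection of an internal user sending many threat emails.

Added example, not Datadog's rule definition or Cisco's code. Event field
names, verdict labels, the internal domain, the threshold and the window are
assumptions; the events below are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example.com"}            # assumption: your M365 tenant domain(s)
THREAT_VERDICTS = {"malicious", "phishing"}   # assumption: verdict values that mean "threat"
THRESHOLD = 5                                 # assumption: count treated as "high volume"
WINDOW = timedelta(minutes=15)                # assumption: evaluation window


def is_internal(address: str) -> bool:
    """True if the address belongs to one of the monitored tenant domains."""
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def find_high_volume_senders(events, threshold=THRESHOLD, window=WINDOW):
    """Return {sender: (count, first_ts, last_ts)} for each internal sender
    whose threat-verdict messages reach `threshold` within one `window`.

    Recipients inside and outside the tenant both count, matching the rule's
    scope; mail from external senders is skipped (that is an inbound concern).
    """
    recent = defaultdict(deque)   # sender -> timestamps inside the current window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["verdict"].lower() not in THREAT_VERDICTS:
            continue
        sender = ev["sender"].lower()
        if not is_internal(sender):
            continue
        ts = ev["timestamp"]
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and sender not in flagged:
            flagged[sender] = (len(q), q[0], ts)
    return flagged


def recipient_breakdown(events, sender):
    """Count internal vs. external recipients of `sender`'s threat mail,
    which is the first triage question: who has to be notified."""
    internal = external = 0
    for ev in events:
        if ev["sender"].lower() != sender.lower():
            continue
        if ev["verdict"].lower() not in THREAT_VERDICTS:
            continue
        for rcpt in ev["recipients"]:
            if is_internal(rcpt):
                internal += 1
            else:
                external += 1
    return internal, external


T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _ev(sender, recipients, verdict, minutes):
    return {"timestamp": T0 + timedelta(minutes=minutes), "sender": sender,
            "recipients": recipients, "verdict": verdict}


# Constructed sample events (not real telemetry).
EVENTS = (
    # alice: six phishing mails in six minutes, alternating internal/external recipients
    [_ev("alice@example.com",
         ["pat@example.com"] if i % 2 == 0 else ["vendor@partner.test"],
         "phishing", i) for i in range(6)]
    # bob: two threat mails, below the threshold
    + [_ev("bob@example.com", ["pat@example.com"], "malicious", 0),
       _ev("bob@example.com", ["pat@example.com"], "malicious", 30)]
    # carol: plenty of mail, none of it a threat
    + [_ev("carol@example.com", ["x@partner.test"], "clean", i) for i in range(5)]
    # dave: five threat mails spread over two hours, never five inside one window
    + [_ev("dave@example.com", ["y@partner.test"], "malicious", 30 * i) for i in range(5)]
    # external sender: out of scope for this rule
    + [_ev("attacker@evil.test", ["pat@example.com"], "phishing", i) for i in range(7)]
)

if __name__ == "__main__":
    for sender, (count, first, last) in find_high_volume_senders(EVENTS).items():
        internal, external = recipient_breakdown(EVENTS, sender)
        print(f"{sender}: {count} threat emails between {first:%H:%M} and {last:%H:%M} "
              f"({internal} internal, {external} external recipients)")
```

Run as written, only `alice@example.com` is flagged: bob never has two threat mails inside one window, dave's five are too spread out, carol's mail carries no threat verdict, and the external sender is filtered out before counting. The recipient breakdown (three internal, three external recipients for alice) is the kind of detail you want before deciding who to notify in triage.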

Triage & Response:

  1. Investigate the suspicious emails sent from the user {{@fromAddress}}.
  2. Identify the internal user(s) responsible for sending the threat emails. Determine whether the emails were sent intentionally or as a result of compromised credentials.
  3. If necessary, disable the internal user's email account to prevent further threat emails from being sent.
  4. Where possible, notify the recipients of the threat emails, advising them not to interact with any suspicious content and providing guidance on what to do if they already have.
  5. Take the required steps in accordance with company policies.