Cisco Secure Email Threat Defense high number of threat emails sent by an internal user

This rule is part of a beta feature. To learn more, contact Support.

Goal:

Detects when a high volume of threat emails is sent by a single internal user.

Strategy:

This rule monitors Cisco Secure Email Threat Defense email logs and triggers when multiple emails classified as threats are sent by the same internal user. Both mail sent within your Microsoft 365 tenant and mail sent to recipients outside your Microsoft 365 tenant are included.
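The following is an added reference implementation of the detection logic described above, written for this page; it is not Datadog's rule definition or Cisco's code. The log field names (`timestamp`, `fromAddress`, `toAddresses`, `verdict`), the threat verdict labels, the internal domain list, the threshold of 3 and the 15-minute window are all assumptions standing in for the real rule's configuration, and the sample events are constructed. It groups threat-verdict events by internal sender, looks for a burst that reaches the threshold inside the window, and reports how many recipients were inside and outside the tenant, since the rule covers both cases.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: the real rule's verdict labels, tenant domains, threshold
# and evaluation window are not stated on the page.
THREAT_VERDICTS = {"malicious", "phishing", "bec"}
INTERNAL_DOMAINS = {"example.com"}
THRESHOLD = 3
WINDOW = timedelta(minutes=15)

# Constructed sample events in an assumed, simplified log shape. alice sends
# three threats in nine minutes (two internal recipients, one external), frank
# sends three threats spread over four hours, erin sends one, and mallory is an
# external sender and therefore out of scope for this rule.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T08:00:00Z", "fromAddress": "frank@example.com",
     "toAddresses": ["bob@example.com"], "verdict": "malicious"},
    {"timestamp": "2024-05-01T08:30:00Z", "fromAddress": "alice@example.com",
     "toAddresses": ["bob@example.com"], "verdict": "clean"},
    {"timestamp": "2024-05-01T09:00:00Z", "fromAddress": "alice@example.com",
     "toAddresses": ["bob@example.com"], "verdict": "malicious"},
    {"timestamp": "2024-05-01T09:01:00Z", "fromAddress": "mallory@attacker.example",
     "toAddresses": ["bob@example.com"], "verdict": "malicious"},
    {"timestamp": "2024-05-01T09:02:00Z", "fromAddress": "erin@example.com",
     "toAddresses": ["dave@example.com"], "verdict": "phishing"},
    {"timestamp": "2024-05-01T09:04:00Z", "fromAddress": "Alice@example.com",
     "toAddresses": ["carol@partner.example"], "verdict": "phishing"},
    {"timestamp": "2024-05-01T09:09:00Z", "fromAddress": "alice@example.com",
     "toAddresses": ["dave@example.com"], "verdict": "malicious"},
    {"timestamp": "2024-05-01T10:00:00Z", "fromAddress": "frank@example.com",
     "toAddresses": ["bob@example.com"], "verdict": "malicious"},
    {"timestamp": "2024-05-01T12:00:00Z", "fromAddress": "frank@example.com",
     "toAddresses": ["bob@example.com"], "verdict": "malicious"},
]


def _ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(address):
    """An address is internal when its domain belongs to the tenant."""
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def detect_internal_threat_senders(events, threshold=THRESHOLD, window=WINDOW):
    """Return {sender: summary} for every internal sender whose threat-verdict
    emails reach `threshold` within any sliding window of length `window`.
    The summary describes the first such burst found for that sender."""
    per_sender = defaultdict(list)
    for ev in events:
        if ev["verdict"].lower() not in THREAT_VERDICTS:
            continue  # only emails Cisco flagged as threats count
        sender = ev["fromAddress"].lower()  # addresses are case-insensitive
        if not is_internal(sender):
            continue  # external senders are covered by other rules
        per_sender[sender].append((_ts(ev["timestamp"]), ev["toAddresses"]))

    signals = {}
    for sender, records in per_sender.items():
        records.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(records)):
            # Slide the window start forward until the burst fits in `window`.
            while records[end][0] - records[start][0] > window:
                start += 1
            burst = records[start:end + 1]
            if len(burst) >= threshold:
                recipients = [r for _, rcpts in burst for r in rcpts]
                signals[sender] = {
                    "threat_count": len(burst),
                    "first_seen": burst[0][0].isoformat(),
                    "last_seen": burst[-1][0].isoformat(),
                    "internal_recipients": sum(is_internal(r) for r in recipients),
                    "external_recipients": sum(not is_internal(r) for r in recipients),
                }
                break
    return signals


if __name__ == "__main__":
    for sender, summary in detect_internal_threat_senders(SAMPLE_EVENTS).items():
        print(sender, summary)
```

Running the block flags only `alice@example.com`: frank's three threats never fall inside one 15-minute window, erin is below the threshold, and mallory is an external sender. Lowering `threshold` to 1 turns the same function into a per-email alert, which is the trade-off the real rule's threshold is making between noise and time to detect.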

Triage & Response:

  1. Investigate the suspicious emails sent from {{@fromAddress}}, including their recipients and any attachments or links they contain.
  2. Identify the internal user(s) responsible for sending the threat emails and determine whether the emails were sent intentionally or whether the account's credentials were compromised.
  3. If necessary, disable the internal user's email account to prevent further threat emails from being sent.
  4. Where possible, notify the recipients of the threat emails, advising them not to interact with any suspicious content and explaining what to do if they already have.
  5. Take any further steps required by your company's policies.