Cisco Secure Email Threat Defense high number of threat emails received by an internal user
Set up the cisco-secure-email-threat-defense integration.
Goal
Detects a high volume of threat emails received by an internal user.
Strategy
This rule monitors emails to detect a high number of threat emails received by an internal user. This includes mail received internally or mail received from outside the Microsoft 365 tenant.
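The counting logic described above can be sketched offline as follows. This is an added example, not the rule's own query or Cisco's code. The `verdict`, `direction` and `timestamp` field names, the set of threat verdicts, the threshold of 5 and the one-hour window are all assumptions; only `toAddresses` comes from this page, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: verdicts treated as threats, and the directions that count
# as "received" (from outside the tenant, or from another internal mailbox).
THREAT_VERDICTS = {"phishing", "malicious", "bec", "scam"}
RECEIVED = {"incoming", "internal"}

def _ev(minute, to, verdict="phishing", direction="incoming"):
    """Build one constructed sample event (field names are assumptions)."""
    return {"timestamp": f"2024-05-01T09:{minute:02d}:00+00:00",
            "toAddresses": to, "verdict": verdict, "direction": direction}

# Constructed sample data, not real Email Threat Defense output.
SAMPLE_EVENTS = (
    [_ev(m, ["alice@example.com"]) for m in (0, 5, 10)]
    + [_ev(m, ["Alice@example.com"], "malicious", "internal") for m in (12, 20)]
    + [_ev(15, ["alice@example.com"], "neutral")]             # not a threat
    + [_ev(30, ["alice@example.com"], direction="outgoing")]  # sent, not received
    + [_ev(m, ["bob@example.com"], "scam") for m in (1, 2)]   # below threshold
)

def flag_recipients(events, threshold=5, window=timedelta(hours=1)):
    """Return {recipient: peak count} for recipients who received at least
    `threshold` threat emails inside any sliding `window`."""
    recent = defaultdict(deque)   # recipient -> timestamps still in the window
    flagged = {}
    parsed = [(datetime.fromisoformat(e["timestamp"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        if ev["verdict"] not in THREAT_VERDICTS or ev["direction"] not in RECEIVED:
            continue
        # Normalise case and de-duplicate so one message counts once per user.
        for rcpt in {a.lower() for a in ev["toAddresses"]}:
            q = recent[rcpt]
            q.append(ts)
            while ts - q[0] > window:   # drop hits that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged[rcpt] = max(flagged.get(rcpt, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(flag_recipients(SAMPLE_EVENTS))
```
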
Triage and response
- Investigate threat emails received by user {{@toAddresses}}.
- Notify the receiver about the threat emails received, advising them not to interact with any suspicious content and providing guidance on reporting such incidents.
- Conduct a detailed analysis of the threat emails to identify the source, method of delivery, and any potential payloads.
- If sensitive information was compromised or if the threat emails constitute a significant incident, report to relevant authorities or regulatory bodies as required.