Mimecast Alert: user responded to impersonation message

This rule is part of a beta feature. To learn more, contact Support.

Set up the Mimecast integration.

Goal

To identify and alert on emails that contain user responses to impersonation messages, indicating a successful impersonation attempt.

Strategy

This rule detects emails containing impersonation attempts that were flagged as external and malicious but were neither blocked nor otherwise acted upon.

Triage and response

  1. Verify the nature of the user’s response to the impersonation email and assess the potential impact.
  2. Examine the sender’s details using {{@senderIPAddress}} to determine the source and legitimacy.
  3. Execute the company’s incident response protocol, which may include:
    • Alerting the affected user and providing education on recognizing impersonation attempts.
    • Revoking any credentials or access provided in response to the phishing email.
    • Strengthening email security measures to prevent similar incidents.
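The Strategy condition and the sender lookup in triage step 2 can be reproduced offline against exported events. The sketch below is an added example, not the rule's own query or code from the integration. Every field name except `senderIPAddress` (`taggedExternal`, `taggedMalicious`, `action`, `recipient`), the action values, and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events. Field names other than senderIPAddress are assumed.
SAMPLE_LOG = """\
{"senderIPAddress": "203.0.113.7", "recipient": "a@example.com", "taggedExternal": true, "taggedMalicious": true, "action": "none"}
{"senderIPAddress": "203.0.113.7", "recipient": "b@example.com", "taggedExternal": "true", "taggedMalicious": "true", "action": "None"}
{"senderIPAddress": "198.51.100.9", "recipient": "c@example.com", "taggedExternal": true, "taggedMalicious": true, "action": "hold"}
{"senderIPAddress": "192.0.2.44", "recipient": "d@example.com", "taggedExternal": false, "taggedMalicious": true, "action": "none"}
{"recipient": "e@example.com", "taggedExternal": true, "taggedMalicious": true}
not-json garbage line
"""

NO_ACTION = {"", "none"}  # assumed spellings of "no action taken"

def _flag(value):
    """Accept JSON booleans and their string forms; anything else is False."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def matches(event):
    """External + malicious + not acted upon (a missing action counts as none)."""
    action = str(event.get("action") or "").strip().lower()
    return (_flag(event.get("taggedExternal"))
            and _flag(event.get("taggedMalicious"))
            and action in NO_ACTION)

def triage_by_sender(lines):
    """Return ({sender_ip: [recipients]}, skipped_line_count) for matching events."""
    hits, skipped = defaultdict(list), 0
    for line in lines:
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            skipped += 1
            continue
        if matches(event):
            hits[event.get("senderIPAddress", "unknown")].append(event.get("recipient"))
    return dict(hits), skipped

if __name__ == "__main__":
    by_ip, bad = triage_by_sender(SAMPLE_LOG.splitlines())
    for ip, rcpts in sorted(by_ip.items(), key=lambda kv: -len(kv[1])):
        print(ip, len(rcpts), rcpts)
    print("unparseable lines:", bad)
```

Events with no recorded action are treated as unhandled so that gaps in the data surface in triage instead of being silently dropped.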