Email Systems
Overview
Analyzing logs from email systems to detect phishing attempts, malware attachments, unauthorized access, and other email-related security incidents.
Sample products
- Microsoft Exchange Server
- Microsoft Office 365
- Google Gmail
Use Case Categories
| Category | Description |
|---|---|
| Phishing and Spear-Phishing Attack Detection | This use case involves analyzing email logs to identify and flag potential phishing and spear-phishing attempts. By scrutinizing email content, sender information, and patterns of communication, the system aims to detect malicious attempts to deceive recipients into divulging sensitive information or clicking on harmful links. |
| Malware and Ransomware Distribution via Email, | Focuses on detecting emails that serve as a distribution mechanism for malware and ransomware. By examining attachments, links, and the nature of the email content, this use case aims to intercept and quarantine emails that could potentially infect the recipient's system with malicious software designed to compromise data or encrypt files for ransom. |
| Email Account Compromise Detection | This category is dedicated to identifying signs of email account compromise, such as unusual login activities, anomalous email forwarding settings, or unexpected changes in account properties. Monitoring these indicators helps in early detection of unauthorized access and mitigates potential security breaches. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Unusual Email Source Identification | Detects emails from sources that mimic legitimate entities but have slight variations in domain names or email addresses. |
| Suspicious Link and Attachment Detection | Identifies emails containing links or attachments with known malicious indicators or unusual patterns. |
| Targeted Employee Impersonation | Monitors for emails attempting to impersonate senior executives or specific employees as part of a spear-phishing campaign. |
| Executable File and Script Attachment Detection | Flags emails containing executable files, scripts, or macro-enabled documents that could be used to deliver malware. |
| Suspicious Email Behavior Analysis | Analyzes behavioral patterns such as sudden spikes in email volume or mass emails containing specific indicators of compromise. |
| Zero-Day Threat Detection | Utilizes advanced threat intelligence and heuristic analysis to detect potential zero-day malware threats in email attachments. |
| Ransomware Indicator Scanning | Scans for indicators commonly associated with ransomware delivery, including double file extensions and known ransomware signatures. |
| Unusual Account Activity Monitoring | Monitors for signs of compromised email accounts, such as unusual login locations or times and unexpected email forwarding rules. |
| Email Spoofing and Fraud Detection | Identifies attempts to spoof email addresses within the organization or to use compromised accounts for fraud. |
| External Mail Forwarding Alert | Flags the unauthorized configuration of email forwarding rules to external domains, a common tactic used by attackers post-compromise. |
MITRE ATT&CK
T1566, T1204, T1595, T1486, T1078, T1114