Unusual inbound email activity where attachments or embedded URLs are delivered to users, followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| SuspiciousFileTypes | Attachment types considered high risk (e.g., .exe, .js, .vbs, .scr, macro-enabled docs). |
| AllowedSenders | Whitelist of known trusted senders to reduce false positives. |

Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | Application:Mail | Inbound messages with anomalous headers, spoofed senders, or SPF/DKIM failures |
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir) |

| Field | Description |
|---|---|
| MonitoredMailPaths | System or user directories where emails/attachments are stored. |
| AttachmentHashBaseline | Known good hashes for common business document templates. |

Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLog events with subsequent process execution.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Inbound email activity with suspicious domains or mismatched sender information |
| Process Creation (DC0032) | macos:unifiedlog | Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns |

| Field | Description |
|---|---|
| SuspiciousDomains | List of domains known for phishing activity or suspicious sender infrastructure. |
| ExecutionDelayWindow | Time threshold between file save and execution considered suspicious. |

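As an added example (not part of this detection strategy's own content), the Windows and macOS analytics above can be expressed as one correlation chain: a suspicious attachment type from a sender not on AllowedSenders, the same file name written by the same user (Sysmon EventCode 11), then a process whose image or command line references that file (Sysmon EventCode 1), with each hop inside ExecutionDelayWindow. The flattened event shape, the tunable values, and the sample telemetry are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Tunables named in the analytic; the values are illustrative placeholders
SUSPICIOUS_FILE_TYPES = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm"}
ALLOWED_SENDERS = {"payroll@corp.example"}
EXECUTION_DELAY_WINDOW = timedelta(minutes=10)

def _delay(start, end, window=EXECUTION_DELAY_WINDOW):
    """Seconds from start to end if end falls inside the window, else None."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return (e - s).total_seconds() if s <= e <= s + window else None

def correlate_phishing(events):
    """Chain mail delivery -> Sysmon 11 file write -> Sysmon 1 execution per user."""
    alerts = []
    for mail in (e for e in events if e["src"] == "mail"):
        name = mail["attachment"].lower()
        if "." + name.rsplit(".", 1)[-1] not in SUSPICIOUS_FILE_TYPES or mail["sender"] in ALLOWED_SENDERS:
            continue  # benign attachment type, or sender on the allow list
        for fc in (e for e in events if e["src"] == "sysmon" and e["code"] == 11):
            if fc["user"] != mail["user"] or fc["path"].replace("\\", "/").rsplit("/", 1)[-1].lower() != name:
                continue  # not this user's copy of the attachment
            if _delay(mail["ts"], fc["ts"]) is None:
                continue  # attachment not written shortly after delivery
            path = fc["path"].lower()
            for pc in (e for e in events if e["src"] == "sysmon" and e["code"] == 1):
                if pc["user"] != mail["user"] or (path not in pc["image"].lower() and path not in pc["cmdline"].lower()):
                    continue  # process did not involve the saved attachment
                delay = _delay(fc["ts"], pc["ts"])
                if delay is not None:  # executed within ExecutionDelayWindow of the write
                    alerts.append({"user": mail["user"], "sender": mail["sender"], "file": fc["path"],
                                   "image": pc["image"], "delay_s": delay})
    return alerts

# Constructed sample telemetry (not real logs): alice is a true positive, bob is
# suppressed by AllowedSenders, carol's execution falls outside the delay window
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "mail", "user": "alice", "sender": "invoice@lookalike.example", "attachment": "Invoice.js"},
    {"ts": "2024-05-01T09:02:10", "src": "sysmon", "code": 11, "user": "alice", "path": r"C:\Users\alice\Downloads\Invoice.js"},
    {"ts": "2024-05-01T09:02:30", "src": "sysmon", "code": 1, "user": "alice", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\alice\Downloads\Invoice.js"},
    {"ts": "2024-05-01T10:00:00", "src": "mail", "user": "bob", "sender": "payroll@corp.example", "attachment": "stub.exe"},
    {"ts": "2024-05-01T10:01:00", "src": "sysmon", "code": 11, "user": "bob", "path": r"C:\Users\bob\Downloads\stub.exe"},
    {"ts": "2024-05-01T10:01:30", "src": "sysmon", "code": 1, "user": "bob", "image": r"C:\Users\bob\Downloads\stub.exe", "cmdline": "stub.exe"},
    {"ts": "2024-05-01T11:00:00", "src": "mail", "user": "carol", "sender": "hr@lookalike.example", "attachment": "policy.docm"},
    {"ts": "2024-05-01T11:01:00", "src": "sysmon", "code": 11, "user": "carol", "path": r"C:\Users\carol\Downloads\policy.docm"},
    {"ts": "2024-05-01T11:45:00", "src": "sysmon", "code": 1, "user": "carol", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": r"WINWORD.EXE C:\Users\carol\Downloads\policy.docm"},
]

def run_sample():
    return correlate_phishing(EVENTS)
```

Only the first user produces an alert; the allow-listed sender and the late execution are dropped by the AllowedSenders and ExecutionDelayWindow checks respectively.
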
Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | FileAccessed: Access of email attachments by Office applications |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| ParentProcessList | Parent processes expected to execute child processes (e.g., Office apps). |
| MacroExecutionThreshold | Threshold for number of macros executed before raising alerts. |

Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | azure:signinlogs | Failed MFA attempts, unusual conditional access triggers, login attempts from unexpected IP ranges |

| Field | Description |
|---|---|
| GeoAnomalyThreshold | Allowed distance/time delta between user sign-ins. |
| MFABypassIndicators | Signals of repeated or anomalous MFA failures linked to phishing campaigns. |

Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:collaboration | MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom) |

| Field | Description |
|---|---|
| MonitoredSaaSApps | Scope of SaaS platforms under phishing monitoring. |
| LinkInspectionPolicy | Threshold for auto-expansion and detonation of URLs sent in SaaS messages. |