Detection of spearphishing attachments by correlating suspicious email delivery with subsequent file creation and abnormal process execution (e.g., Office spawning PowerShell or CMD). The behavior chain is: inbound email metadata → attachment stored on disk → process execution → outbound network activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Send/Receive: Inbound emails with attachments from suspicious or spoofed senders |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| AttachmentExtensions | List of high-risk extensions to monitor (e.g., .exe, .js, .vbs, .docm, .xlsm). |
| SuspiciousParentChildPairs | Process lineage patterns considered malicious (e.g., winword.exe → powershell.exe). |
| TimeWindow | Correlation window between email receipt, file creation, and process execution. |

Phishing attachments executed on Linux systems are detected by linking email logs to file creation in mail directories and subsequent suspicious process execution. Look for unexpected binaries or scripts spawned from user mail directories and anomalous outbound network activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | Application:Mail | Inbound email attachments logged from MTAs with suspicious metadata |
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of files saved in mail or download directories |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound traffic from suspicious new processes post-attachment execution |

| Field | Description |
|---|---|
| AttachmentStoragePaths | Monitored directories for email attachments (e.g., /var/mail, ~/Maildir, ~/Downloads). |
| ScriptInterpreters | List of interpreters to monitor when spawned by mail clients (e.g., bash, python, perl). |

Phishing attachment detection on macOS through correlation of Mail app logs, file creation in user directories, and abnormal process execution (e.g., Preview.app or Mail.app spawning Terminal or scripting binaries). Network traffic after attachment interaction is also monitored.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Inbound messages with attachments from suspicious domains |
| Process Creation (DC0032) | macos:unifiedlog | Execution of Terminal, osascript, or other interpreters originating from Mail or Preview |
| File Creation (DC0039) | macos:unifiedlog | Attachment files written to ~/Downloads or temporary folders |

| Field | Description |
|---|---|
| ExecutionDelayThreshold | Time delay between attachment download and execution considered suspicious. |
| SuspiciousParentApps | Parent processes expected to rarely spawn child processes (e.g., Mail.app, Preview.app). |
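The three platform sections above describe the same four-stage chain (email with attachment → attachment written to a monitored path → abnormal child process → outbound connection), differing only in the tunables. The following is an added example of that correlation, not code from the ATT&CK page or any vendor: it normalizes events from any of the three log sources into a single record type, applies the tunables named in the tables (AttachmentExtensions, AttachmentStoragePaths, SuspiciousParentChildPairs, ScriptInterpreters, TimeWindow), and raises severity when the suspicious process also produces network activity. All event records, user names, sender addresses, paths and PIDs are constructed for the example; the tunable values are illustrative, not a recommended list.

```python
"""Correlate the spearphishing-attachment behaviour chain (added example).

Stages: risky email attachment -> file in a monitored directory -> abnormal
process -> outbound connection, all within TimeWindow for the same user.
Events below are constructed; they are not real Sysmon/auditd/unifiedlog data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables mirroring the table fields above (example values, not a recommendation).
ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".docm", ".xlsm", ".sh"}
ATTACHMENT_STORAGE_PATHS = ("/downloads/", "/maildir/", "/var/mail/",
                            "/appdata/local/temp/", "/content.outlook/")
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "powershell.exe"), ("winword.exe", "cmd.exe"),
    ("excel.exe", "powershell.exe"), ("excel.exe", "cmd.exe"),
    ("mail", "osascript"), ("mail", "terminal"), ("preview", "osascript"),
}
MAIL_CLIENTS = {"outlook.exe", "thunderbird", "mail"}
SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "python3", "perl", "osascript",
                       "powershell.exe", "wscript.exe", "cscript.exe"}
TIME_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str   # "email" | "file" | "process" | "network"
    data: dict  # source-specific fields, already normalized to these keys


def norm_path(p):
    """Lower-case and use forward slashes so Windows and POSIX paths compare alike."""
    return p.replace("\\", "/").lower()


def basename(p):
    return norm_path(p).rsplit("/", 1)[-1]


def risky_attachment(name):
    return any(name.lower().endswith(ext) for ext in ATTACHMENT_EXTENSIONS)


def in_storage_path(p):
    return any(frag in norm_path(p) for frag in ATTACHMENT_STORAGE_PATHS)


def suspicious_process(proc, attachment_paths):
    """Return a reason string if the process is abnormal for this chain, else None."""
    parent, child = basename(proc["parent_image"]), basename(proc["image"])
    if (parent, child) in SUSPICIOUS_PARENT_CHILD:
        return f"suspicious lineage {parent} -> {child}"
    cmdline = norm_path(proc.get("cmdline", ""))
    if norm_path(proc["image"]) in attachment_paths or any(p in cmdline for p in attachment_paths):
        return f"attachment executed via {child}"
    if parent in MAIL_CLIENTS and child in SCRIPT_INTERPRETERS:
        return f"mail client {parent} spawned interpreter {child}"
    return None


def correlate(events, window=TIME_WINDOW):
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for em in (e for e in events if e.kind == "email" and risky_attachment(e.data["attachment"])):
        # Only this user's events inside [receipt, receipt + TimeWindow] are considered.
        scope = [e for e in events if e.user == em.user and em.ts <= e.ts <= em.ts + window]
        files = [e for e in scope if e.kind == "file" and in_storage_path(e.data["path"])
                 and basename(e.data["path"]) == em.data["attachment"].lower()]
        if not files:
            continue  # attachment never landed on disk in a monitored directory
        att_paths = {norm_path(f.data["path"]) for f in files}
        for proc in (e for e in scope if e.kind == "process" and e.ts >= files[0].ts):
            reason = suspicious_process(proc.data, att_paths)
            if reason is None:
                continue
            # Outbound traffic from the same PID after execution raises severity.
            outbound = [e for e in scope if e.kind == "network"
                        and e.ts >= proc.ts and e.data["pid"] == proc.data["pid"]]
            alerts.append({"user": em.user, "sender": em.data["sender"],
                           "attachment": em.data["attachment"], "reason": reason,
                           "pid": proc.data["pid"], "outbound": bool(outbound),
                           "severity": "high" if outbound else "medium"})
    return alerts


T0 = datetime(2024, 5, 2, 9, 0)
SAMPLE_EVENTS = [  # constructed: one Windows chain, one Linux chain, one out-of-window case
    Event(T0, "bob", "email", {"sender": "billing@pay-contoso.example", "attachment": "Invoice_4411.docm"}),
    Event(T0 + timedelta(minutes=1), "bob", "file", {"path": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2\Invoice_4411.docm"}),
    Event(T0 + timedelta(minutes=2), "bob", "process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                                        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "pid": 4120}),
    Event(T0 + timedelta(minutes=3), "bob", "network", {"pid": 4120, "dest": "203.0.113.7:443"}),
    Event(T0 + timedelta(minutes=10), "alice", "email", {"sender": "it-helpdesk@example.net", "attachment": "setup.sh"}),
    Event(T0 + timedelta(minutes=11), "alice", "file", {"path": "/home/alice/Downloads/setup.sh"}),
    Event(T0 + timedelta(minutes=12), "alice", "process", {"image": "/usr/bin/bash", "parent_image": "/usr/lib/thunderbird/thunderbird",
                                                           "cmdline": "bash /home/alice/Downloads/setup.sh", "pid": 2210}),
    Event(T0 + timedelta(minutes=30), "dave", "email", {"sender": "x@example.org", "attachment": "tool.exe"}),
    Event(T0 + timedelta(hours=2), "dave", "file", {"path": "/home/dave/Downloads/tool.exe"}),  # outside TimeWindow
]


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The Windows chain produces a high-severity alert (Office lineage plus egress from the same PID); the Linux chain produces a medium one because the interpreter's command line references the saved attachment but no network event follows; the third user's attachment is written two hours after receipt and falls outside TimeWindow, so it is not correlated. In a real pipeline the same structure holds, with the `Event` normalization step fed from Sysmon EventCodes 11/1/3, auditd execve records or the macOS unified log.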