Detect abnormally high volume of inbound email messages or repetitive attachments being delivered to a single mailbox within a short time window. Defenders should look for anomalous spikes in message counts and repetitive attachment file creation events correlated with targeted users.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Send/Receive: Unusual spikes in inbound messages to a single recipient |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| TimeWindow | Defines the aggregation interval (e.g., 5 minutes, 1 hour) for detecting spikes in inbound email traffic. |
| RecipientThreshold | Defines the maximum number of acceptable messages per user within the window before an anomaly is triggered. |
| AttachmentSizeThreshold | Defines the size threshold for repetitive attachments to be flagged. |

Monitor mail server logs (e.g., Postfix, Sendmail) for excessive connections or inbound message counts targeting a single recipient. Correlate with repetitive attachment storage in /var/mail or /var/spool/mail directories.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds |
| Application Log Content (DC0038) | Application:Mail | High-frequency inbound mail activity to a specific recipient address |

| Field | Description |
|---|---|
| MailVolumeThreshold | Tunable value for the maximum acceptable emails per minute per user. |
| AttachmentPatternList | List of suspicious attachment extensions that may be abused for repetitive delivery. |

Detect abnormal use of email clients (e.g., Outlook, Thunderbird) showing mass arrival of messages or repetitive attachments being locally stored. Correlate message volume with file creation activity in mail cache directories.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:exchange | MailDelivery: High-frequency delivery of messages or attachments to a single recipient |

| Field | Description |
|---|---|
| UserContext | Context for distinguishing between VIP or sensitive recipients and general users. |

Monitor unified logs and Mail.app activity for repetitive incoming messages with attachments. Defenders should look for large volumes of incoming mail stored under ~/Library/Mail with unusual timing or repetitive subjects.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Repetitive inbound email delivery activity logged within a short time window |
| File Creation (DC0039) | fs:fsusage | create: Attachment file creation in ~/Library/Mail directories |

| Field | Description |
|---|---|
| FileCountThreshold | Threshold for repetitive attachment files created within a defined interval. |
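The sliding-window volume check and the repetitive-attachment correlation are the same logic across all four platform variants above; the following is an added example (not part of the original strategy, and not tied to any particular log format) that implements both over constructed inbound-mail events, using the tunable names from the first variant (TimeWindow, RecipientThreshold, AttachmentSizeThreshold). The threshold values and the `REPEAT_ATTACHMENT_MIN` knob are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables named after the detection fields above (values are assumptions for this demo)
TIME_WINDOW = timedelta(minutes=5)        # TimeWindow: aggregation interval
RECIPIENT_THRESHOLD = 20                  # RecipientThreshold: max messages per recipient per window
ATTACHMENT_SIZE_THRESHOLD = 100_000       # AttachmentSizeThreshold: bytes; smaller attachments ignored
REPEAT_ATTACHMENT_MIN = 5                 # assumed: identical large attachments needed to call it repetitive

def make_sample_events():
    """Constructed inbound-mail events (not real logs): (iso timestamp, recipient, attachment, size)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = [((base + timedelta(seconds=6 * i)).isoformat(), "victim@example.com",
               "report.zip" if i % 5 == 0 else None, 250_000 if i % 5 == 0 else 0)
              for i in range(30)]                      # 30 messages in 3 minutes, 6 carrying the same zip
    events += [((base + timedelta(minutes=10 * i)).isoformat(), "normal@example.com", None, 0)
               for i in range(3)]                      # baseline user: 3 messages spread over 30 minutes
    return events

def detect_mail_flood(events, window=TIME_WINDOW, recipient_threshold=RECIPIENT_THRESHOLD,
                      size_threshold=ATTACHMENT_SIZE_THRESHOLD, repeat_min=REPEAT_ATTACHMENT_MIN):
    """Sliding-window message count per recipient plus repetitive-attachment correlation.
    Returns a list of (recipient, reason, count) alerts, at most one per recipient and reason."""
    recent = defaultdict(deque)                         # recipient -> timestamps inside the window
    attachments = defaultdict(lambda: defaultdict(int)) # recipient -> (name, size) -> repeat count
    alerts, fired = [], set()
    for ts_str, rcpt, att_name, att_size in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:                       # evict events older than TimeWindow
            q.popleft()
        if len(q) > recipient_threshold and (rcpt, "volume") not in fired:
            alerts.append((rcpt, "volume", len(q)))
            fired.add((rcpt, "volume"))
        if att_name and att_size >= size_threshold:     # only large attachments are tracked
            attachments[rcpt][(att_name, att_size)] += 1
            n = attachments[rcpt][(att_name, att_size)]
            if n >= repeat_min and (rcpt, "repeat_attachment") not in fired:
                alerts.append((rcpt, "repeat_attachment", n))
                fired.add((rcpt, "repeat_attachment"))
    return alerts

if __name__ == "__main__":
    for alert in detect_mail_flood(make_sample_events()):
        print(alert)
```

In production the event tuples would be built from the platform's own source (m365 unified log, Postfix log lines, Sysmon EventCode 11 or fsusage create events), and the thresholds would be baselined per recipient so that VIP mailboxes get tighter limits.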