High
Detects a user clicking a URL, delivered via email, that Mimecast classified as a compromised website, botnet or attacker-controlled infrastructure and that was not held, blocked or bounced. Adversaries use such links to send users to sites hosting malware, phishing pages or spam. Those sites can steal credentials, deliver malware or compromise the endpoint through malicious downloads or scripts. By embedding the links in seemingly legitimate emails, attackers trick users into enabling the malicious activity themselves, which can result in unauthorized access, data theft or lateral movement within the environment.
Initial Access (T1566)
integration:mimecast AND (category:"Compromised" OR category:"Botnets" OR category:"Attacker Controlled Infrastructure") AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block" AND !adminOverride:"Hold" AND !adminOverride:"Block" AND !adminOverride:"Bounce"
Detects inbound emails with executable attachments (identified by Mimecast from the attachment's MIME type) that were delivered to a user's mailbox rather than held, blocked or bounced. An adversary can abuse this delivery route to distribute malware, ransomware or other executables designed to compromise the recipient's system.
integration:mimecast AND (Route:"Inbound" OR Dir:"Inbound" OR route:"inbound") AND (file_type:"application/x-dosexec" OR file_type:"application/x-msdownload" OR file_type:"application/x-executable" OR file_type:"application/vnd.microsoft.portable-executable") AND !actionTriggered:"Hold" AND !actionTriggered:"Block" AND !actionTriggered:"Bounce"
Detects inbound emails whose attachments Mimecast scanned as malicious but which were nonetheless delivered to a user's mailbox. Attackers commonly use spearphishing emails with malicious attachments to compromise systems by tricking recipients into opening them. This enables malware delivery, credential theft or unauthorized access, potentially leading to further exploitation or data breaches.
integration:mimecast AND scanResult:"malicious" AND (Route:"Inbound" OR Dir:"Inbound" OR route:"inbound") AND !actionTriggered:"Hold" AND !actionTriggered:"Block" AND !actionTriggered:"Bounce"
Detects a user clicking a URL embedded in an email that Mimecast scanned as malicious and did not block. Such URLs may redirect to phishing sites, initiate malware downloads or enable further threats, putting both the user and the organization at risk. Monitoring these clicks helps catch a compromise early.
integration:mimecast AND scanResult:"malicious" AND !action:"block"
Detects a user clicking a peer-to-peer file-sharing URL, as classified by Mimecast, that was delivered via email and not held, blocked or bounced. Adversaries abuse P2P file-sharing platforms to distribute malware, ransomware or unauthorized software by embedding these links in phishing emails. Such URLs often lead to sites that share pirated content, which can serve as a delivery mechanism for malicious payloads or help evade traditional security tools. Through P2P services, attackers can lure unsuspecting users into executing harmful downloads, stealing sensitive information or granting unauthorized access to systems.
integration:mimecast AND category:"Peer-to-Peer" AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block" AND !adminOverride:"Hold" AND !adminOverride:"Block" AND !adminOverride:"Bounce"
Medium
Detects a user clicking an anonymizer URL, as classified by Mimecast, that arrived in an email and was not held, blocked or bounced. An adversary can use anonymizer services to mask their identity and hide the origin of malicious traffic, making their activity harder to trace. The URLs may lead to phishing sites, malware-hosting pages or other malicious content. By routing through anonymizers, attackers bypass security controls, evade detection and deliver payloads while concealing their real infrastructure. This activity could indicate an attempt to lure users to harmful destinations or to download compromised content.
Initial Access (T1566), Command and Control (T1071)
integration:mimecast AND category:"Anonymizers" AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block" AND !adminOverride:"Hold" AND !adminOverride:"Block" AND !adminOverride:"Bounce"
Detects unblocked email messages flagged by Mimecast as potential impersonation attempts. These emails are strong indicators of Business Email Compromise (BEC), a sophisticated phishing tactic in which attackers impersonate trusted entities to deceive recipients and manipulate them into performing malicious actions.
integration:mimecast AND taggedMalicious:true AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block"
Detects outbound emails that Mimecast categorized as Malware and scanned as malicious (for example malware-laden attachments or other malicious content) and that were not held, blocked or bounced. Monitoring these events is crucial for identifying compromised accounts or unauthorized activity aimed at distributing threats to external recipients.
integration:mimecast AND Dir:"Outbound" AND category:"Malware" AND scanResult:"malicious" AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block" AND !adminOverride:"Hold" AND !adminOverride:"Block" AND !adminOverride:"Bounce"
Detects emails containing malicious RTF attachments identified by Mimecast that were delivered to a user's mailbox. Adversaries use malicious RTF files to exploit vulnerabilities in the applications that parse them, potentially executing arbitrary code or delivering malware.
integration:mimecast AND scanResult:"malicious" AND fileName:/\\.rtf$/ AND !actionTriggered:"Hold" AND !actionTriggered:"Block" AND !actionTriggered:"Bounce"
Detects inbound email messages that Mimecast flagged as Phishing & Fraud but did not hold, block or bounce, meaning they reached recipients' mailboxes. Such emails may contain malicious attachments, URLs or deceptive content. Monitoring these events is crucial for identifying and mitigating phishing attempts that slipped past inbound filtering.
integration:mimecast AND category:"Phishing & Fraud" AND (Route:"Inbound" OR Dir:"Inbound" OR route:"inbound") AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block"
Detects source code files (.py, .java, .c, .cs, .cpp, .jsp, .vba, .class) among email attachments in Mimecast email logs. This activity may indicate an insider threat, as an internal user could be attempting to exfiltrate sensitive or proprietary code. The query does not filter on direction, so it also matches inbound messages that carry such attachments; check the sender and route before escalating.
Exfiltration (T1048)
integration:mimecast AND (AttNames:/\\.py$/ OR AttNames:/\\.java$/ OR AttNames:/\\.c$/ OR AttNames:/\\.cs$/ OR AttNames:/\\.cpp$/ OR AttNames:/\\.jsp$/ OR AttNames:/\\.vba$/ OR AttNames:/\\.class$/)
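The attachment rules on this page (executable MIME types, malicious scan result, malicious RTF matched by filename regex, and source-code extensions in AttNames) all share one shape: a Mimecast event, an attachment predicate, and a check that Mimecast did not already hold, block or bounce the message. The Python below is an added example, not the page's or Mimecast's own code, that evaluates those four rules over constructed sample events. It assumes events arrive as flat dicts with the field names used in the queries plus an `id` field; the direction fields are normalised to lower case, and the extension regexes deliberately ignore case, which the page's `/\.rtf$/`-style regexes do not.

```python
import re

# Constructed sample Mimecast attachment events for this example; the field
# names follow the queries on this page, the values are invented.
SAMPLE_ATTACHMENT_EVENTS = [
    {"id": "a1", "integration": "mimecast", "Route": "Inbound",
     "file_type": "application/x-dosexec", "fileName": "setup.exe",
     "actionTriggered": ""},
    {"id": "a3", "integration": "mimecast", "Dir": "Inbound",
     "file_type": "application/rtf", "fileName": "invoice.rtf",
     "scanResult": "malicious", "actionTriggered": ""},
    {"id": "a4", "integration": "mimecast", "Dir": "Outbound",
     "file_type": "application/pdf", "fileName": "quote.pdf",
     "scanResult": "malicious", "actionTriggered": ""},
    {"id": "a5", "integration": "mimecast", "Dir": "Outbound",
     "AttNames": ["design.docx", "auth_handler.py"], "actionTriggered": ""},
    {"id": "a6", "integration": "mimecast", "Route": "Inbound",
     "file_type": "application/rtf", "fileName": "Report.RTF",
     "scanResult": "malicious", "actionTriggered": "Block"},
    {"id": "a7", "integration": "mimecast", "Route": "Inbound",
     "file_type": "application/rtf", "fileName": "Report.RTF",
     "scanResult": "malicious", "actionTriggered": ""},
    {"id": "a8", "integration": "mimecast", "Route": "Inbound",
     "AttNames": "vendor_sample.c", "actionTriggered": ""},
]

EXECUTABLE_MIME_TYPES = frozenset({
    "application/x-dosexec",
    "application/x-msdownload",
    "application/x-executable",
    "application/vnd.microsoft.portable-executable",
})
BLOCKING_ACTIONS = frozenset({"hold", "block", "bounce"})
DIRECTION_FIELDS = ("Route", "Dir", "route")

# Assumption: upper-case extensions are just as dangerous, so unlike the
# page's case-sensitive regexes these ignore case (Report.RTF still matches).
RTF_RE = re.compile(r"\.rtf$", re.IGNORECASE)
SOURCE_CODE_RE = re.compile(r"\.(py|java|c|cs|cpp|jsp|vba|class)$", re.IGNORECASE)


def _as_list(value):
    """Normalise a scalar-or-list log field to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def is_inbound(event):
    """Any of the three direction field spellings says inbound."""
    return any(str(event.get(f, "")).lower() == "inbound" for f in DIRECTION_FIELDS)


def was_actioned(event):
    """Mimecast already held, blocked or bounced the message."""
    return str(event.get("actionTriggered", "")).lower() in BLOCKING_ACTIONS


def attachment_names(event):
    """Names may sit in AttNames (possibly multi-valued) or in fileName."""
    return [str(n) for n in _as_list(event.get("AttNames")) + _as_list(event.get("fileName"))]


def executable_attachment_delivered(event):
    return (event.get("integration") == "mimecast" and is_inbound(event)
            and event.get("file_type") in EXECUTABLE_MIME_TYPES
            and not was_actioned(event))


def malicious_attachment_delivered(event):
    return (event.get("integration") == "mimecast"
            and event.get("scanResult") == "malicious"
            and is_inbound(event) and not was_actioned(event))


def malicious_rtf_delivered(event):
    # As on the page, this rule carries no direction filter.
    return (event.get("integration") == "mimecast"
            and event.get("scanResult") == "malicious"
            and any(RTF_RE.search(n) for n in attachment_names(event))
            and not was_actioned(event))


def source_code_attachment(event):
    # As on the page, no direction and no disposition filter: inbound matches too.
    return (event.get("integration") == "mimecast"
            and any(SOURCE_CODE_RE.search(n) for n in attachment_names(event)))


RULES = {
    "executable_attachment_delivered": executable_attachment_delivered,
    "malicious_attachment_delivered": malicious_attachment_delivered,
    "malicious_rtf_delivered": malicious_rtf_delivered,
    "source_code_attachment": source_code_attachment,
}


def run_attachment_rules(events):
    """Return, per rule, the ids of the events that would alert."""
    return {name: [e["id"] for e in events if rule(e)] for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, ids in run_attachment_rules(SAMPLE_ATTACHMENT_EVENTS).items():
        print(f"{name}: {ids}")
```

Two things the run makes visible: `a6` and `a7` carry the same malicious `Report.RTF`, and only `a7` alerts, because Mimecast already blocked `a6`; and `a8` fires the source-code rule on an inbound message, which is why that rule needs sender or route context before it is treated as exfiltration. If the backing store matches regexes case-sensitively, as the page's `/\\.rtf$/` does, add the upper-case variant or a case-insensitive flag, or `Report.RTF` is silently missed.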
Detects a user clicking a URL, delivered via email, that Mimecast classified as pointing to a dangerous file type and that was not held, blocked or bounced. Adversaries often send emails with embedded URLs linking to files whose extensions are commonly associated with malware, such as .exe, .bat, .js or .msi. These file types can deliver malicious payloads, initiate malware downloads or execute harmful scripts on the recipient's system. By tricking users into clicking such links, attackers gain initial access, compromise systems or establish persistence within an environment.
integration:mimecast AND category:"Dangerous file extension" AND !action:"hold" AND !action:"block" AND !action:"bounce" AND !actions:"Hold" AND !actions:"Block" AND !adminOverride:"Hold" AND !adminOverride:"Block" AND !adminOverride:"Bounce"
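The URL-click rules on this page (compromised sites, peer-to-peer, anonymizers, dangerous file extensions, and the malicious-scan-result click) differ only in the category set; the rest is the same test that none of `action`, `actions` or `adminOverride` recorded a hold, block or bounce. The Python below is an added example, not the page's or Mimecast's own code, that runs those rules over constructed sample click events. It assumes flat dict events with the field names from the queries plus an `id`, treats `actions` as possibly multi-valued, compares dispositions case-insensitively (the page's queries are case-sensitive term matches, so they spell `action:"hold"` and `actions:"Hold"` separately), and applies the three-field disposition check to the malicious-click rule as well, where the page only negates `action`.

```python
# Constructed sample Mimecast URL-protect click events for this example; the
# field names follow the queries on this page, the values are invented.
SAMPLE_CLICK_EVENTS = [
    {"id": "c1", "integration": "mimecast", "category": "Compromised",
     "scanResult": "clean", "action": "allow"},
    {"id": "c2", "integration": "mimecast", "category": "Botnets",
     "scanResult": "clean", "action": "block"},
    {"id": "c3", "integration": "mimecast",
     "category": "Attacker Controlled Infrastructure",
     "scanResult": "clean", "action": "allow", "adminOverride": "Hold"},
    {"id": "c4", "integration": "mimecast", "category": "Anonymizers",
     "scanResult": "clean", "actions": ["Warn"]},
    {"id": "c5", "integration": "proofpoint", "category": "Compromised",
     "scanResult": "clean", "action": "allow"},
    {"id": "c6", "integration": "mimecast", "category": "Compromised",
     "scanResult": "clean", "action": "Block"},
    {"id": "c7", "integration": "mimecast", "category": "Phishing & Fraud",
     "scanResult": "malicious", "action": "allow"},
    {"id": "c8", "integration": "mimecast", "category": "Peer-to-Peer",
     "scanResult": "clean", "action": "allow"},
    {"id": "c9", "integration": "mimecast",
     "category": "Dangerous file extension",
     "scanResult": "clean", "action": "bounce"},
]

BLOCKING_DISPOSITIONS = frozenset({"hold", "block", "bounce"})
# The queries check three fields because the disposition can land in any of
# them: the user-facing action, the list of actions taken, or an admin override.
DISPOSITION_FIELDS = ("action", "actions", "adminOverride")

# One category set per click rule on the page.
CATEGORY_RULES = {
    "compromised_site_click": frozenset(
        {"Compromised", "Botnets", "Attacker Controlled Infrastructure"}),
    "anonymizer_click": frozenset({"Anonymizers"}),
    "peer_to_peer_click": frozenset({"Peer-to-Peer"}),
    "dangerous_extension_click": frozenset({"Dangerous file extension"}),
}


def _as_list(value):
    """Normalise a scalar-or-list log field to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def was_blocked(event):
    """True if any disposition field records hold/block/bounce.

    Assumption: compare case-insensitively so 'Block' and 'block' both count.
    """
    for field in DISPOSITION_FIELDS:
        if any(str(v).lower() in BLOCKING_DISPOSITIONS
               for v in _as_list(event.get(field))):
            return True
    return False


def category_click(event, categories):
    """A click on a URL in one of the given Mimecast categories that got through."""
    return (event.get("integration") == "mimecast"
            and event.get("category") in categories
            and not was_blocked(event))


def malicious_url_click(event):
    """A click on a URL Mimecast scanned as malicious that got through."""
    return (event.get("integration") == "mimecast"
            and event.get("scanResult") == "malicious"
            and not was_blocked(event))


def run_click_rules(events):
    """Return, per rule, the ids of the events that would alert."""
    results = {name: [e["id"] for e in events if category_click(e, cats)]
               for name, cats in CATEGORY_RULES.items()}
    results["malicious_url_click"] = [e["id"] for e in events if malicious_url_click(e)]
    return results


if __name__ == "__main__":
    for name, ids in run_click_rules(SAMPLE_CLICK_EVENTS).items():
        print(f"{name}: {ids}")
```

Note `c3`: the user-facing `action` is allow, but the admin override held the message, so it correctly does not alert; dropping the `adminOverride` terms from the query would surface it as a false positive. Note also `c6`, where `action` is `Block` with a capital B: a case-sensitive term query that only negates `action:"block"` would still alert on it, so confirm how the field is mapped before relying on the negations as written. When writing the negation, use `!field:"block"`; a negated not-equals such as `!field != "block"` selects only the blocked events, the opposite of the intent.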