Try in Splunk Security Cloud


This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-17
  • Author: Teoderick Contreras, Stanislav Miskovic, Splunk
  • ID: dc4dc3a8-ff54-11eb-8bf7-acde48001122


ID Technique Tactic
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration
T1048 Exfiltration Over Alternative Protocol Exfiltration
`gsuite_gmail` num_message_attachments > 0 
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)" 
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)" 
| where source_domain="" and not dest_domain="" 
| eval phase="plan" 
| eval severity="low" 
| stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity 
| where numSrcAddresses < 20 
|sort - numSrcAddresses 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `gsuite_outbound_email_with_attachment_to_external_domain_filter`

Associated Analytic Story

How To Implement

To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.

Required field

  • _time

Kill Chain Phase

  • Exploitation

Known False Positives

network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.


Risk Score Impact Confidence Message
9.0 30 30 suspicious email from $source.address$ to $destination{}.address$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1