Analytics Story: Suspicious Emails
Description
Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.
Why it matters
It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content. Once a phishing message has been detected, the next steps are to answer the following questions:
- Which users have received this or a similar message in the past?
- When did the targeted campaign begin?
- Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?
This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.
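The three triage questions above, worked through in code as an added example that is not part of the original story or its Splunk searches: given a seed phishing message, it finds related messages (same sender, same attachment hash or a subject that differs only in digits), takes the earliest delivery as the campaign start, and joins recipients against proxy and endpoint events to see who clicked or opened the content. All events, field names, hashes and URLs are constructed for illustration.

```python
import re

# Constructed sample email-gateway events; ISO-8601 timestamps sort correctly as strings.
EMAILS = [
    {"time": "2024-03-04T08:02:00", "sender": "billing@invoice-example.test", "recipient": "alice",
     "subject": "Invoice 4471 overdue", "sha256": "h-aaa", "url": "http://pay.example.test/a"},
    {"time": "2024-03-04T08:03:10", "sender": "billing@invoice-example.test", "recipient": "bob",
     "subject": "Invoice 9921 overdue", "sha256": "h-aaa", "url": "http://pay.example.test/b"},
    {"time": "2024-03-05T11:40:00", "sender": "accounts@another-example.test", "recipient": "carol",
     "subject": "Invoice 1200 overdue", "sha256": "h-bbb", "url": "http://pay.example.test/c"},
    {"time": "2024-03-05T12:00:00", "sender": "hr@corp.example.test", "recipient": "dave",
     "subject": "Holiday schedule", "sha256": "h-ccc", "url": None},
]

# Constructed proxy (URL click) and endpoint (attachment open) events for the same users.
INTERACTIONS = [
    {"time": "2024-03-04T08:15:00", "user": "alice", "kind": "click", "indicator": "http://pay.example.test/a"},
    {"time": "2024-03-05T11:55:00", "user": "carol", "kind": "open_attachment", "indicator": "h-bbb"},
    {"time": "2024-03-05T12:10:00", "user": "dave", "kind": "open_attachment", "indicator": "h-ccc"},
]

def normalize_subject(subject):
    """Collapse digit runs so 'Invoice 4471 overdue' and 'Invoice 9921 overdue' group together."""
    return re.sub(r"\d+", "#", subject.lower()).strip()

def related_messages(emails, seed):
    """Messages sharing the seed's sender, attachment hash or normalized subject."""
    subj = normalize_subject(seed["subject"])
    return [e for e in emails
            if e["sender"] == seed["sender"]
            or e["sha256"] == seed["sha256"]
            or normalize_subject(e["subject"]) == subj]

def triage(emails, interactions, seed):
    """Who received the campaign, when it began, and which recipients interacted with it."""
    related = related_messages(emails, seed)
    indicators = {e["sha256"] for e in related} | {e["url"] for e in related if e["url"]}
    recipients = sorted({e["recipient"] for e in related})
    start = min(e["time"] for e in related)
    # A hit requires a campaign recipient touching a campaign indicator after delivery began.
    interacted = sorted({i["user"] for i in interactions
                         if i["user"] in recipients and i["indicator"] in indicators and i["time"] >= start})
    return {"recipients": recipients, "campaign_start": start, "interacted": interacted}

if __name__ == "__main__":
    print(triage(EMAILS, INTERACTIONS, EMAILS[0]))
```

Seeding with Alice's message pulls in Bob (same sender and hash) and Carol (subject differs only in the invoice number), while Dave's unrelated HR mail stays out of the campaign.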
Detections
Data Sources
References
Source: GitHub | Version: 1