

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, UEBA
  • Last Updated: 2020-01-27
  • Author: Bhavin Patel, Splunk
  • ID: 2b1800dd-92f9-47ec-a981-fdf1351e5d55


Attackers of all kinds use targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Email data indexed in Splunk and normalized to the Email data model can be searched for suspicious senders, subjects, attachments and links. Once a phishing message has been detected, the next steps are to answer the following questions:

  1. Which users have received this or a similar message in the past?
  2. When did the targeted campaign begin?
  3. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?

This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.
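The following is an added example, not one of the story's Splunk searches: it models two of the attachment checks listed in this story (names padded with long runs of spaces to hide the real extension, and executable or script extensions) as plain Python run over constructed sample events, then scopes a hit to answer questions 1 and 2 above. Field names (src_user, recipient, subject, file_name, _time) mirror the Email data model, but the sample records, the ten-space threshold and the extension block list are assumptions made for illustration; Splunk's own detections use their own lookups and SPL.

```python
"""Detection and triage logic for suspicious email attachments.

Added example, not Splunk's search content. Records, thresholds and the
extension list below are constructed for illustration only.
"""
import re

# Assumption: an illustrative block list of extensions that are rarely
# legitimate as email attachments. Not Splunk's lookup.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cpl", ".lnk", ".jar",
}

# Constructed sample events shaped like Email data model fields (not real logs).
SAMPLE_EMAILS = [
    {"_time": "2020-01-20T08:02:11", "src_user": "billing@vendor.example",
     "recipient": "alice@corp.example", "subject": "Invoice 4471",
     "file_name": "invoice_4471.pdf"},
    {"_time": "2020-01-21T09:15:40", "src_user": "hr@corp-payroll.example",
     "recipient": "bob@corp.example", "subject": "Payroll update",
     "file_name": "payroll_update.pdf" + " " * 40 + ".exe"},
    {"_time": "2020-01-21T09:16:02", "src_user": "hr@corp-payroll.example",
     "recipient": "carol@corp.example", "subject": "Payroll update",
     "file_name": "payroll_update.pdf" + " " * 40 + ".exe"},
    {"_time": "2020-01-22T14:30:00", "src_user": "it@corp.example",
     "recipient": "dave@corp.example", "subject": "Q1 plan",
     "file_name": "q1 plan final.docx"},
    {"_time": "2020-01-23T11:05:19", "src_user": "noreply@shipping.example",
     "recipient": "erin@corp.example", "subject": "Your package",
     "file_name": "tracking.js"},
]

SPACE_RUN = re.compile(r" {10,}")  # assumed threshold: ten or more spaces in a row


def attachment_has_space_padding(file_name):
    """True when the name contains a long run of spaces, used to push the real
    extension out of view in mail clients ("report.pdf          .exe")."""
    return bool(SPACE_RUN.search(file_name or ""))


def attachment_extension(file_name):
    """Last extension of the name, lower-cased; trailing whitespace ignored."""
    name = (file_name or "").rstrip()
    m = re.search(r"(\.[^.\s]+)$", name)
    return m.group(1).lower() if m else ""


def attachment_has_suspicious_extension(file_name):
    """True when the final extension is on the (constructed) block list."""
    return attachment_extension(file_name) in SUSPICIOUS_EXTENSIONS


def detect(emails):
    """Run both checks over the events; return (detection_name, event) pairs.
    One event can trigger both detections."""
    findings = []
    for ev in emails:
        if attachment_has_space_padding(ev["file_name"]):
            findings.append(("Email Attachments With Lots Of Spaces", ev))
        if attachment_has_suspicious_extension(ev["file_name"]):
            findings.append(("Suspicious Email Attachment Extensions", ev))
    return findings


def scope_campaign(emails, hit):
    """Investigative step: every recipient of the same sender, subject and
    attachment name, plus the earliest delivery time (questions 1 and 2)."""
    key = (hit["src_user"], hit["subject"], hit["file_name"].rstrip())
    related = [e for e in emails
               if (e["src_user"], e["subject"], e["file_name"].rstrip()) == key]
    return {
        "recipients": sorted({e["recipient"] for e in related}),
        "first_seen": min(e["_time"] for e in related),
        "count": len(related),
    }


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EMAILS):
        print(f"[{name}] {ev['_time']} {ev['src_user']} -> {ev['recipient']}: "
              f"{ev['file_name']!r}")
    print(scope_campaign(SAMPLE_EMAILS, SAMPLE_EMAILS[1]))
```

Running the script flags the two payroll messages under both detections and the tracking.js message under the extension check; scoping the first payroll hit returns both recipients and the earliest delivery time. In Splunk the same grouping is a `stats` over src_user, subject and file_name in the Email data model; question 3 needs endpoint or proxy data, which this example does not cover.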


Name                                      Technique                            Type
Email Attachments With Lots Of Spaces     -                                    Anomaly
Monitor Email For Brand Abuse             -                                    TTP
Suspicious Email - UBA Anomaly            Phishing                             Anomaly
Suspicious Email Attachment Extensions    Spearphishing Attachment, Phishing   Anomaly


source | version: 1