Professional Documents
Culture Documents
Version 1.0
Mehmet Ergene @Cyb3rMonk
Recipient Address Calculate email count per SenderAddress- A high number of inbound and outbound emails
RecipientAddress and RecipientAddress- might indicate C2 over email. A high number of
SenderAddress for the same outbound emails between the same sender and
SenderAddress, RecipientAddress recipient might indicate data exfiltration.
(bidirectional traffic).
Recipient Domain Calculate the sum of email size per Higher values may indicate data exfiltration.
RecipientDomain for outbound emails.
URL Info Calculate URL and/or URL Domain count Small values may indicate a spear phishing URL.
for the last 24h. High values may be a phishing or
marketing/spam.
Correlate URL info with other logs. The Follow the guide
guide can be found here.
Attachment Info Attachment info requires pivoting and Follow the guide
correlation. The related guide is here.
Size Calculate the sum of email size per Higher values may indicate data exfiltration.
RecipientAddress or SenderAddress for
outbound emails for the last 24h or
longer.
Forwarding Rules Periodically check forwarding rules in Look for suspicious email addresses. May indicate
mailboxes and gateways. data exfiltration.