← Back to Cybersecurity News Center
Severity
MEDIUM
CVSS
5.0
Priority
0.641
×
Tip
Pick your view
Analyst for full detail, Executive for the short version, or Plain & Simple if you are not a tech person.
Analyst
Executive
Plain & Simple
Executive Summary
Cisco Talos has formalized phone numbers as a trackable IOC class, analyzing 1,652 numbers across 33 days to document how organized scam call centers provision, rotate, and reuse VoIP numbers to impersonate PayPal, Geek Squad, McAfee, and Norton LifeLock. The research reveals median number lifespans of 14 days, sequential block rotation, and deliberate cool-down periods, behavioral patterns consistent with professional scam infrastructure, not opportunistic fraud. For security leaders, this signals that telephone-oriented attack delivery (TOAD) has matured into a structured, detectable campaign class that email security tooling can intercept before third-party reputation feeds catch up.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
👤
Are you affected?
Yes, this scam targets regular people using fake emails from PayPal, Geek Squad, McAfee, and Norton LifeLock asking you to call a phone number.
✅
Do this now
1 Do not call any phone number in an unexpected email, even if it looks like a trusted company. 2 Go directly to the company's official website to check your account, do not use contact details from the email. 3 Report suspicious emails to your email provider and to the company being impersonated.
👀
Watch for these
Emails saying your account is suspended and asking you to call a number.
Callers claiming to be PayPal, Geek Squad, McAfee, or Norton asking for payment.
Urgent warnings about charges you do not recognize, with a phone number to dispute them.
🌱
Should you worry?
No passwords or personal data were stolen in this research disclosure, it is a study of scam tactics, not a breach. The real risk is that you might call the number and be talked into sending money or sharing account details; hanging up immediately keeps you safe.
Want more detail? Switch to the full analyst view →
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
MEDIUM
Medium severity — monitor and assess
Actor Attribution
HIGH
Unknown organized scam call center operators, VoIP-enabled TOAD campaign actors (unattributed)
TTP Sophistication
HIGH
8 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Consumers targeted via impersonation of PayPal, Geek Squad (Best Buy), McAfee, Norton LifeLock; VoIP infrastructure via Sinch, Twilio, Bandwidth, RingCentral, Verizon, NUSO
Are You Exposed?
⚠
Your industry is targeted by Unknown organized scam call center operators, VoIP-enabled TOAD campaign actors (unattributed) → Heightened risk
⚠
You use products/services from Consumers targeted via impersonation of PayPal → Assess exposure
⚠
8 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
Organized scam call centers impersonating PayPal, Geek Squad, McAfee, and Norton LifeLock represent a direct financial and reputational risk to those brands and an operational risk to any organization whose employees or customers receive these emails. Companies in financial services, retail technology, and consumer security sectors face elevated exposure because their brand names are the active lure. For organizations broadly, the risk is workforce-facing: employees who receive these scam emails at work and call back may expose corporate payment credentials or provide access that enables further fraud — a threat that standard URL and attachment filtering does not currently address.
You Are Affected If
Your organization's email security tooling does not analyze phone numbers embedded in email body content
Your employees or customers regularly interact with PayPal, Geek Squad (Best Buy), McAfee, or Norton LifeLock — the specific brands being impersonated
Your email filtering relies primarily on URL reputation and attachment scanning, with no TOAD-specific detection logic
Your organization uses Sinch, Twilio, Bandwidth, RingCentral, or NUSO for VoIP provisioning — making your number blocks adjacent to those used by scam operators from the same providers
Your threat intelligence feeds do not include phone number reputation data or do not update faster than the 14-day median number lifespan Talos documented
Board Talking Points
Organized scam operations are now provisioning phone numbers with the same discipline they apply to domains and IPs — making them a trackable threat signal that most email security tools currently ignore.
Security teams should evaluate whether current email filtering covers call-back scam patterns and, if not, prioritize adding TOAD detection rules within the next 30 days.
Without this detection layer, employees who receive these emails remain exposed to social engineering calls that bypass every URL and attachment control currently in place.
Technical Analysis
Cisco Talos researchers analyzed 1,652 unique phone numbers embedded in scam emails over a 33-day observation window, producing a systematic behavioral study of phone number lifecycle patterns as an IOC class.
The findings reframe TOAD campaigns, where scam emails instruct victims to call a number rather than click a link, as infrastructure-dependent operations that leave measurable forensic signatures.
Three behavioral patterns define the infrastructure fingerprint Talos documented.
First, number lifespan: the median phone number remained active for 14 days before rotation, a window short enough to evade slow-updating reputation blocklists but long enough to suggest deliberate operational planning rather than ad hoc provisioning. Second, sequential VoIP block rotation: numbers were provisioned in sequential blocks from providers including Sinch, Twilio, Bandwidth, RingCentral, Verizon, and NUSO, a pattern consistent with bulk VoIP acquisition and automated provisioning pipelines. Third, cool-down and reuse cycles: numbers were retired and later reintroduced after deliberate dormancy periods, exploiting the tendency of blocklist entries to age out.
The impersonated brands, PayPal, Geek Squad (Best Buy), McAfee, Norton LifeLock, align with FTC reporting identifying these as among the most frequently spoofed consumer-facing companies. The trust attached to these brands drives victim call-back rates, making brand selection a core component of campaign effectiveness rather than a random choice.
Talos maps the technique set to MITRE ATT&CK T1583.008 (Acquire Infrastructure: Phone Numbers), T1656 (Impersonation), T1036.006 (Masquerading: Space after Filename), T1566.001 and T1566.002 (Phishing variants), T1598 and T1598.002 (Phishing for Information), and T1204.002 (User Execution: Malicious File). The CWE mappings, CWE-1021 (UI Redress) and CWE-451 (User Interface Misrepresentation), reflect the social engineering mechanism: the scam works by creating a convincing enough impersonation that the victim initiates contact.
The research's practical contribution for defenders is the detection opportunity it identifies. Because scam operators provision numbers in sequential VoIP blocks, email security tools can apply clustering logic: a single scam email containing a number from a known provisioning block should trigger elevated suspicion for all numbers in adjacent blocks from the same provider. This is a proactive detection posture that does not depend on waiting for a specific number to accumulate reputation signals. Talos explicitly proposes that email security tooling can exploit these patterns ahead of third-party reputation feed updates, a meaningful detection lead time advantage given the 14-day median lifespan.
Action Checklist IR ENRICHED
Triage Priority:
STANDARD
Escalate to urgent if helpdesk receives three or more TOAD-REPORT tickets within a 7-day window targeting the same brand (PayPal, Geek Squad, McAfee, or Norton LifeLock), indicating an active campaign wave against your organization, or if any user reports having installed a remote access tool (AnyDesk, TeamViewer, UltraViewer) or transferred funds following a callback — both conditions indicate a completed or in-progress financial fraud incident potentially triggering FTC breach notification obligations and requiring immediate IR activation under NIST IR-4.
1
Step 1: Assess exposure, determine whether your organization's email security stack ingests phone number reputation feeds or applies any clustering logic to numbers embedded in inbound email; most enterprise email gateways do not, making this a gap worth documenting.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR capability, tooling gaps, and detection coverage inventory
NIST IR-4 (Incident Handling) — requires preparation phase inclusive of detection capability inventory
NIST SI-4 (System Monitoring) — mandates monitoring coverage assessment including email-borne threat vectors
NIST AU-2 (Event Logging) — requires identification of event types the system is capable of logging, including phone-number extraction from email body content
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — gap documentation for phone-number IOC ingestion is a detection control gap, not a patch gap, but fits the documented-gap-with-remediation-timeline requirement
CIS 8.2 (Collect Audit Logs) — baseline audit of what email security telemetry is currently retained and searchable
Compensating Control
Run a 90-day regex sweep across email gateway quarantine/archive logs to extract phone number patterns (\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}) from email body content using grep or PowerShell: Select-String -Path exported_mail_bodies.txt -Pattern '\b(\+1\s?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}\b'. Cross-reference extracted numbers against FTC and FCC complaint databases (reportfraud.ftc.gov bulk lookup) and the free Twilio Lookup API (unpaid tier, 250 lookups/day) to identify carrier, line type (VoIP vs. landline), and porting history. Document gaps in a one-page control gap register with risk owner and target remediation date.
Preserve Evidence
Before assessing gap, export 90 days of email gateway logs (Microsoft Defender for Office 365: Threat Explorer export, or Proofpoint: Smart Search export) filtering on messages with no URL clicks, no attachment detections, but containing body text matching PayPal, Geek Squad, McAfee, or Norton LifeLock brand terms co-occurring with phone number patterns — this is the TOAD message fingerprint. Preserve raw EML samples of any matches for later rule tuning. Also capture your current email security vendor's feature documentation confirming whether phone-number reputation or TOAD-pattern detection is or is not a supported capability.
2
Step 2: Review controls, audit email filtering rules for TOAD-pattern detection: emails with no malicious URL or attachment but containing a phone number and brand impersonation language (billing alert, account suspension, tech support) from high-impersonation brands (PayPal, Geek Squad, McAfee, Norton LifeLock); consider adding rules that flag or quarantine this pattern.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Detection tooling configuration and preventive control hardening prior to confirmed incident
NIST SI-3 (Malicious Code Protection) — extend detection logic at email entry point to cover TOAD delivery, a non-URL, non-attachment malicious content class
NIST SI-10 (Information Input Validation) — analogous: validate inbound email content against known-malicious patterns including TOAD brand-impersonation signatures
NIST IR-4 (Incident Handling) — preparation sub-phase requires configuring detection capability before incidents occur
CIS 7.2 (Establish and Maintain a Remediation Process) — creating TOAD-specific filtering rules is a risk-based remediation action for a documented detection gap
CIS 4.6 (Securely Manage Enterprise Assets and Software) — email gateway rule configuration is a managed configuration item subject to change control
Compensating Control
For Microsoft 365 tenants without Defender P2: create a Mail Flow Rule in Exchange Admin Center with conditions: (1) Subject or body matches regex for PayPal|Geek Squad|McAfee|Norton LifeLock AND (2) Subject or body matches phone number pattern AND (3) no attachment AND message header X-MS-Exchange-Organization-SCL less than 5. Action: prepend subject with [SUSPECTED CALLBACK SCAM] and copy to security-alerts mailbox. For on-premises or open-source stacks: deploy a SpamAssassin custom rule scoring +3.0 for TOAD pattern combination. Share the Sigma rule community has published for TOAD email detection (search GitHub sigma repo for 'toad' or 'callback phishing') as a starting detection template.
Preserve Evidence
Collect current email gateway rule export (EAC transport rule export as CSV, or Proofpoint policy export) before making changes to establish a configuration baseline. Pull a sample of 20-30 TOAD-pattern emails identified in Step 1 and document: sender domain, sending IP, envelope-from vs. header-from discrepancy, phone number present, brand terms used, and absence of URLs or attachments. This evidence set serves as the test corpus for validating new rules and as documentation if a user-reported incident later requires tracing the original email.
3
Step 3: Update threat model, add TOAD campaign infrastructure (T1583.008, T1656) to your threat register as a distinct delivery class separate from URL phishing and attachment phishing; note that standard link-based detections do not cover it.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Threat modeling, IR plan scope definition, and playbook coverage gap identification
NIST RA-3 (Risk Assessment) — threat register update is a required output of risk assessment; TOAD represents a newly formalized threat category per Talos research
NIST IR-8 (Incident Response Plan) — IR plan must be updated to include TOAD as a recognized incident type with its own detection criteria and response playbook entry
NIST SI-5 (Security Alerts, Advisories, and Directives) — Talos publication on TOAD infrastructure is an external advisory that must be reviewed and acted upon per this control
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — threat register maintenance for newly identified attack classes falls within documented vulnerability and threat management scope
Compensating Control
Add TOAD as a named threat scenario in your risk register using a one-page threat profile: Threat Actor = organized scam call centers (non-nation-state, financially motivated); Delivery = MITRE T1583.008 (Acquire Infrastructure: Malvertising mapped to VoIP provisioning via Sinch/Twilio/Bandwidth/RingCentral/NUSO); Technique = MITRE T1656 (Impersonation: PayPal, Geek Squad, McAfee, Norton LifeLock); Detection Gap = standard URL sandbox and attachment AV do not trigger; Impact = credential theft, financial fraud, remote access tool installation post-callback. Link this profile to your existing phishing playbook as a distinct branch. Two-person teams can maintain this in a shared Markdown file or Confluence page with quarterly review trigger.
Preserve Evidence
Before finalizing the threat register entry, retrieve the Cisco Talos research publication on TOAD phone number lifecycle analysis (search Talos Intelligence blog for 'phone number IOC' or 'TOAD callback' published circa 2024-2025) and attach it as the primary source reference. Also pull your organization's last 90-day helpdesk ticket export and search for user-reported suspicious calls, callback requests, or tech support impersonation contacts — this establishes whether TOAD activity is already reaching your users and whether the threat is theoretical or active in your environment.
4
Step 4: Communicate findings, brief security awareness and helpdesk teams that call-back scam volume is measurable and organized; equip them with specific brand impersonation examples so they can recognize and triage user-reported suspicious calls.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Training, awareness, and incident reporting channel readiness
NIST IR-2 (Incident Response Training) — training must cover recognized incident types; TOAD callback scams targeting employees impersonating PayPal, Geek Squad, McAfee, and Norton LifeLock must be added to training content
NIST IR-6 (Incident Reporting) — helpdesk must be equipped to recognize and escalate TOAD-pattern user reports as potential security incidents, not generic complaints
NIST IR-7 (Incident Response Assistance) — helpdesk is a frontline IR support resource; their effectiveness depends on current threat-specific briefings
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts) — reinforce during briefing that legitimate PayPal, McAfee, Norton, and Geek Squad support will never request remote access or credential entry over a callback call
Compensating Control
Produce a one-page helpdesk triage card (printable or Teams-pinned) with: (1) The four high-impersonation brands from this Talos research — PayPal, Geek Squad, Best Buy, McAfee, Norton LifeLock; (2) Common lures — billing alert, account suspension, subscription renewal, tech support; (3) Red flags — caller requests remote access tool installation (AnyDesk, TeamViewer, UltraViewer), gift card purchase, or credential entry on a screen they control; (4) Triage action — do not comply, hang up, open a ticket tagged TOAD-REPORT with callback number, time, and lure type. This card enables two-person security teams to crowdsource IOC collection (phone numbers) through helpdesk reports at zero tool cost.
Preserve Evidence
Before the briefing, pull a sample of real TOAD emails identified in Steps 1-2 (redacted of user PII) to use as concrete examples during training — showing the actual PayPal or Geek Squad impersonation email format, the embedded phone number, and the absence of links makes the threat tangible. Also pull any existing helpdesk tickets from the past 90 days tagged with 'suspicious call', 'tech support scam', or 'callback' to demonstrate whether this is already occurring, which increases briefing credibility and establishes a pre-training baseline for measuring post-training reporting volume.
5
Step 5: Monitor developments, track Cisco Talos for follow-on publications including specific number block indicators or updated detection signatures; also monitor FTC impersonation reporting for shifts in targeted brand lists that would require updating your awareness training content.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Lessons learned integration, threat intelligence operationalization, and detection improvement cycle
NIST SI-5 (Security Alerts, Advisories, and Directives) — requires ongoing receipt and action on external threat advisories; Talos and FTC are authoritative external sources for TOAD infrastructure evolution
NIST IR-4 (Incident Handling) — continuous improvement of incident handling capability includes updating detection triggers and playbooks as new threat intelligence is published
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — ongoing review of audit records (helpdesk reports, email gateway logs) for TOAD patterns should be tied to the intelligence update cycle
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — threat intelligence monitoring for new TOAD number blocks or brand targets is a documented, recurring process action
Compensating Control
Set up free RSS or email subscriptions: Talos Intelligence Blog (talosintelligence.com/blog RSS feed), FTC Consumer Sentinel impersonation reports (ftc.gov/data-visualizations), and SANS Internet Storm Center diary. Create a shared team calendar reminder for a monthly 30-minute TOAD threat intel review: check for new Talos number block publications, FTC brand impersonation shift data, and any new VoIP carrier abuse reports. When new phone number blocks are published by Talos, ingest them into your email gateway as sender-body regex rules (for numbers appearing in email body) and share with helpdesk as updated triage card. For two-person teams, assign one owner to the intel subscription and one to the rule update action to create accountability without overhead.
Preserve Evidence
Maintain a running TOAD intelligence log (simple spreadsheet or Markdown file) capturing: date of Talos or FTC publication, new brand targets identified, new number ranges or carrier patterns noted, and whether your email gateway rules and helpdesk triage card were updated in response. This log serves as evidence of due diligence for compliance purposes (NIST IR-4, SI-5) and as the audit trail for your threat model update history. Retain helpdesk TOAD-REPORT tickets as longitudinal IOC data — user-reported callback numbers are raw phone number IOCs that can be cross-referenced against future Talos publications to validate whether your users are being targeted by the same organized infrastructure Talos documented.
Recovery Guidance
TOAD campaigns do not compromise organizational infrastructure directly — recovery focus is on affected individual users, not systems. For any user who completed a callback and followed attacker instructions: immediately revoke and reset credentials for accounts the user may have displayed or entered during the call, review the user's endpoint for remote access tool installation (check Add/Remove Programs and running processes for AnyDesk, TeamViewer, UltraViewer, ScreenConnect), and if financial transfer occurred, contact the organization's financial institution within 24 hours per standard fraud reversal windows. Monitor helpdesk ticket volume for the targeted brand impersonation type for 30 days post-incident to detect campaign continuation or re-targeting of the same user pool, and update the TOAD phone number IOC log with any numbers reported during the incident for contribution to Talos or FTC databases.
Key Forensic Artifacts
Email gateway quarantine/archive logs — query for messages matching TOAD fingerprint: PayPal|Geek Squad|McAfee|Norton LifeLock brand terms co-occurring with E.164 phone number pattern in body, no URL clicks recorded, no attachment, sender domain not matching brand's legitimate sending domain (e.g., sender claiming PayPal but not from @paypal.com or @e.paypal.com) — these are the primary TOAD delivery artifacts
Helpdesk ticket system export — all tickets tagged or keyword-matching 'suspicious call', 'callback', 'tech support', 'billing alert', 'account suspended' from the past 90 days, with user-reported callback phone numbers extracted as raw IOCs for cross-reference against Talos-published number blocks from Sinch, Twilio, Bandwidth, RingCentral, NUSO VoIP infrastructure
Endpoint process creation logs (Windows Security Event ID 4688 or Sysmon Event ID 1) — on endpoints of users who reported completing a callback call, filter for remote access tool process names: AnyDesk.exe, TeamViewer.exe, UltraViewer.exe, ScreenConnect.exe, LogMeIn.exe spawned within the 2-hour window following the reported callback time, indicating attacker-directed tool installation
User browser history and Downloads folder artifacts — on endpoints of users who completed callback calls, review browser history for searches leading to remote access tool downloads and the Downloads folder for installer files (AnyDesk_setup.exe, TeamViewer_Setup.exe) with timestamps correlating to the callback session, establishing the attacker's remote access establishment timeline
Email header analysis of TOAD sample messages — extract and preserve: sending IP, Return-Path vs. From header discrepancy, X-Originating-IP, DKIM/DMARC/SPF pass/fail status, and Message-ID format for pattern analysis; TOAD emails impersonating PayPal and Norton LifeLock will typically show SPF/DMARC failures or use lookalike domains (e.g., paypa1-billing.com) that are distinct forensic markers separating TOAD infrastructure from legitimate brand email
Detection Guidance
Detection for TOAD campaigns requires shifting focus from URLs and file hashes to phone number metadata and email body content patterns. Specific areas to instrument:
Email body analysis: Build or tune rules to flag emails that
contain no hyperlink or attachment, reference a high-impersonation brand (PayPal, Geek Squad, McAfee, Norton LifeLock, or equivalents in your regional context), and include a phone number with an explicit call-to-action. This combination is the TOAD delivery signature.
Phone number clustering: If your email security platform supports custom rule logic, extract phone numbers from flagged emails and check whether the number falls within a VoIP number block already associated with scam activity. Numbers provisioned sequentially from the same VoIP carrier block (Sinch, Twilio, Bandwidth, RingCentral, NUSO) should elevate the confidence score for adjacent numbers even before individual reputation data exists.
Lifespan-aware blocklisting: Given the 14-day median lifespan Talos documented, blocklist entries for phone numbers should carry a shorter TTL than domain or IP blocklist entries. Entries older than 30 days may represent recycled numbers now legitimately assigned, validate before applying retroactively.
User-reported call logs: Establish a lightweight channel for employees to report suspicious inbound or outbound calls. Cross-reference reported numbers against known scam number block ranges from Talos or equivalent threat intelligence feeds.
Hunting hypothesis (MITRE T1583.008 ): Query email logs for a rolling 30-day window for messages where the body contains a phone number in North American Numbering Plan (NANP) format (10-digit XXX-XXX-XXXX) or your regional phone number format equivalent, the sending domain is new or low-reputation, and the subject line contains urgency language associated with billing, account, or security alerts. Cluster results by phone number prefix and VoIP provider assignment to identify block-level provisioning patterns.
Indicators of Compromise (1)
Export as
Splunk SPL
KQL
Elastic
Copy All (1)
1 url
Type Value Enrichment Context Conf.
🔗 URL
Pending — refer to Cisco Talos Blog for published indicators
VT
US
Phone number lists and VoIP block ranges associated with documented scam campaigns published by Cisco Talos in the source research
LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
1 URL indicator(s).
KQL Query Preview
Read-only — detection query only
// Threat: Phone Numbers as IOCs: Talos Research Exposes Scam Infrastructure Through Number
let malicious_urls = dynamic(["Pending — refer to Cisco Talos Blog for published indicators"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Process name masquerading
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1036.006
T1566.002
T1583.008
T1566.001
T1204.002
T1598
+2
AT-2
SC-7
SI-3
SI-4
SI-8
SR-2
MITRE ATT&CK Mapping
T1036.006
Space after Filename
defense-evasion
T1566.001
Spearphishing Attachment
initial-access
T1598
Phishing for Information
reconnaissance
T1656
Impersonation
defense-evasion
T1598.002
Spearphishing Attachment
reconnaissance
Guidance Disclaimer
